Educause Security Discussion mailing list archives
Re: Student paper "editorial" on robust passwords
From: Arlene Yetnikoff <ayetniko () DEPAUL EDU>
Date: Thu, 23 Sep 2004 14:07:08 -0500
Long ago, on a less distributed type of system, a system administrator that I knew decided to use a feature of his security software which required passwords to be of a certain pattern. The theory was if your system randomly generates a password with a certain pattern of consonants and vowels, it will be pronounceable and users will not feel the need to write it down. The catch was that if a user knew the pattern required and chose a password himself that fit the pattern, the system would not force a randomly-generated password on the user, but allow him to use the password he chose.

Not surprisingly, the pattern was detected very quickly. One user, in an effort to be helpful, wrote a program which generated several hundred pattern-fitting passwords and distributed his list to the entire IT department. The list was helpful and people hung it in cubes and other places. The system administrator soon found that most of his users' passwords had been chosen from the first ten or so on the list.

I hope that doesn't happen here. :-) But this is an issue we're thinking about here also. What type of tradeoffs are other institutions making on password complexity vs. expiration interval? I'd love to hear the collected wisdom of the populace on this one.

thanks,
Arlene Yetnikoff
updegrove () MAIL UTEXAS EDU 09/23/04 11:03AM >>>
Colleagues,

I thought you'd be amused by this "editorial," in today's Daily Texan (the student paper) in response to our new policy to require robust passwords.

Dan Updegrove

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.