Educause Security Discussion mailing list archives

Re: Student paper "editorial" on robust passwords


From: Arlene Yetnikoff <ayetniko () DEPAUL EDU>
Date: Thu, 23 Sep 2004 14:07:08 -0500

Long ago, on a less distributed type of system, a system administrator
that I knew decided to use a feature of his security software which
required passwords to be of a certain pattern.  The theory was if your
system randomly generates a password with a certain pattern of
consonants and vowels, it will be pronounceable and users will not feel
the need to write it down.  The catch was that if a user knew that
pattern required and chose a password himself that fit the pattern, the
system would not force a randomly-generated password on the user, but
allow him to use the password he chose.

Not surprisingly, the pattern was detected very quickly.  One user, in
an effort to be helpful, wrote a program which generated several hundred
pattern-fitting passwords and distributed his list to the entire IT
department.  The list was helpful and people hung it in cubes and other
places.

The system administrator soon found that most of his users' passwords
had been chosen from the first ten or so on the list.

I hope that doesn't happen here.  :-)

But this is an issue we're thinking about here also.  What type of
tradeoffs are other institutions making on password complexity vs.
expiration interval?  I'd love to hear the collected wisdom of the
populace on this one.

thanks,

Arlene Yetnikoff
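The anecdote above comes down to a keyspace calculation: once the generator's consonant/vowel pattern is known, an attacker only has to search the strings that fit it, and a user-chosen password that merely matches the pattern is no better. The following is an added example (not code from the original post or from the system it describes); the eight-character CVCVCVCV pattern and the 21-consonant / 5-vowel alphabet are assumptions, since the message does not give the actual pattern.

```python
import math

# Assumed alphabets for the pronounceable-password pattern; the original
# post does not state which letters the generator used.
CONSONANTS = "bcdfghjklmnpqrstvwxyz"   # 21 letters
VOWELS = "aeiou"                       # 5 letters
CLASSES = {"C": CONSONANTS, "V": VOWELS}


def pattern_keyspace(pattern: str) -> int:
    """Number of distinct strings a C/V pattern such as 'CVCVCVCV' can produce."""
    size = 1
    for cls in pattern:
        size *= len(CLASSES[cls])
    return size


def bits(keyspace: int) -> float:
    """Keyspace expressed as bits of entropy (log2), for easy comparison."""
    return math.log2(keyspace)


def matches_pattern(password: str, pattern: str) -> bool:
    """True if a user-chosen password fits the generator's pattern.

    This is the loophole in the anecdote: the system accepted any password
    that matched the pattern, so users could pick one from a published list.
    A policy checker can use the same test to refuse such passwords.
    """
    if len(password) != len(pattern):
        return False
    return all(ch in CLASSES[cls] for ch, cls in zip(password.lower(), pattern))


def compare(pattern: str) -> dict:
    """Entropy of the pattern versus unconstrained passwords of the same length."""
    n = len(pattern)
    return {
        "pattern": bits(pattern_keyspace(pattern)),      # CVCVCVCV -> ~26.9 bits
        "lowercase": bits(26 ** n),                     # 8 random lowercase -> ~37.6 bits
        "alnum_mixed_case": bits(62 ** n),              # 8 random alnum -> ~47.6 bits
    }


if __name__ == "__main__":
    for name, value in compare("CVCVCVCV").items():
        print(f"{name:18s} {value:5.1f} bits")
    # Constructed sample: a pattern-fitting word a user might choose from a printed list.
    print("bananana fits pattern:", matches_pattern("bananana", "CVCVCVCV"))
```

The comparison shows the cost of the pattern: the eight-letter pronounceable scheme is roughly ten bits (about a thousand times) weaker than eight random lowercase letters, and that is before users narrow it further by picking from the top of a shared list. A policy that wants pronounceable generated passwords should at least keep the pattern secret from the acceptance check, or reject user-chosen passwords that fit it.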

updegrove () MAIL UTEXAS EDU 09/23/04 11:03AM >>>
Colleagues,

I thought you'd be amused by this "editorial," in today's Daily Texan
(the student paper) in response to our new policy to require robust
passwords.

Dan Updegrove


**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.