Educause Security Discussion mailing list archives

Re: Password entropy


From: Roger Safian <r-safian () NORTHWESTERN EDU>
Date: Mon, 24 Jul 2006 08:46:57 -0500

Gene & Valdis - Thanks for your well-considered posts.  I do have
some other questions.  A little background may help.

I have two goals that I would like to achieve.  One is passphrases
that are likely to resist attacks for a period of time.  Let's call
that period a year, but it's not clear at the moment.  The other
is I would like a passphrase policy that the users are comfortable
with.  It's pretty clear that users do not buy into the letter
substitution passphrase (My users don't like this!  == Mudlt!),
which is what we are currently recommending.  I know this because
I have spent a great deal of time over the last couple of years
cracking their passphrases.

At the moment we're working on technologies that will allow us
to remove our current length restrictions.  This provides us
the opportunity for change that could help with both of those
goals.  I am leaning towards suggesting that people use short
sentences as their passphrase.  Having them add a special
character, numeral, case change, or misspell a word would
be part of the suggestions.  We could also enforce those options
if we chose, although I would like to take as light a touch as
possible.  Users with access to sensitive data and/or privileges
would have additional policy restrictions and/or secondary
authentication tokens.

Now, on to the questions.  Am I correct in my understanding
that "this passphrase" is not as strong as "thispassphrase",
even though the first is longer?  Does running the words
together help at all?

FWIW - At the moment I am considering a recommendation of a
12 character minimum.  I'd like to get longer, but I am not
sure the additional resistance from the non-privileged users
will be worth it.  Especially if we can tie the idea of personal
responsibility into their choices.


--
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key servers.
(847) 491-4058   (voice)
(847) 467-6500   (Fax) "You're never too old to have a great childhood!"
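The question above, whether "this passphrase" is weaker than "thispassphrase", depends entirely on which attacker you are modelling, so here is an added worked example (not part of the thread, written for this archive page) that puts numbers on it. It estimates guess-count entropy for a phrase under two attacker models: a naive brute-force search over the observed character classes, and a dictionary attacker who combines words from a list and tries a handful of joining conventions. The dictionary size (50,000 words), the number of separator conventions tried (2), the 33-symbol punctuation class (space included), and the "one inserted character" model for the suggested special-character tweak are all assumptions chosen for illustration; the effective strength is the minimum over the models, because an attacker picks the cheapest one.

```python
import math

# Assumptions for the models below (constructed for illustration, not from the thread):
ASSUMED_DICT_SIZE = 50_000     # words in the attacker's list
ASSUMED_SEPARATORS = 2         # joining conventions tried, e.g. "" and " "
PRINTABLE_SYMBOLS = 33         # ASCII punctuation plus space
PRINTABLE_ASCII = 95           # alphabet for an inserted "tweak" character


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force attacker infers from the observed classes."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += PRINTABLE_SYMBOLS
    return size


def bruteforce_bits(pw: str) -> float:
    """Bits of work for an attacker enumerating every string of this length and alphabet."""
    return len(pw) * math.log2(charset_size(pw))


def wordlist_bits(words, dict_size=ASSUMED_DICT_SIZE, separators=ASSUMED_SEPARATORS) -> float:
    """Bits of work for an attacker combining dictionary words under a few separator conventions.

    The separator contributes log2(separators) regardless of whether the user typed a
    space or ran the words together: the attacker simply tries both forms.
    """
    return len(words) * math.log2(dict_size) + math.log2(separators)


def tweak_bits(base_len: int, alphabet=PRINTABLE_ASCII) -> float:
    """Extra bits from inserting one character (unknown value and position) into a phrase
    of length base_len; this models the 'add a special character or numeral' suggestion."""
    return math.log2(alphabet * (base_len + 1))


def estimate(words, sep: str, tweaked: bool = False) -> dict:
    """Return the estimates for sep.join(words), optionally with one inserted tweak character."""
    phrase = sep.join(words)
    bf = bruteforce_bits(phrase + "!") if tweaked else bruteforce_bits(phrase)
    wl = wordlist_bits(words) + (tweak_bits(len(phrase)) if tweaked else 0.0)
    return {
        "phrase": phrase + ("!" if tweaked else ""),
        "bruteforce_bits": round(bf, 1),
        "wordlist_bits": round(wl, 1),
        "effective_bits": round(min(bf, wl), 1),  # attacker chooses the cheapest model
    }


if __name__ == "__main__":
    for sep in (" ", ""):
        for tweaked in (False, True):
            print(estimate(["this", "passphrase"], sep, tweaked))
```

Under the brute-force model the spaced form scores higher (longer string, extra character class), but under the dictionary model both forms cost the same, and that lower figure is the one that governs effective strength; the added tweak character is what moves the dictionary-model number, which is the point of the suggestion to add a symbol, numeral, case change or misspelling.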
