Educause Security Discussion mailing list archives

Re: Passwords & Passphrases


From: Martin Manjak <mm376 () ALBANY EDU>
Date: Mon, 19 Nov 2007 15:01:49 -0500

This is a very timely topic from my perspective. We are moving to SSO
via a portal and I'm trying to convince my colleagues that if we're
going to continue to rely on single factor authentication, we need to
move beyond 8 characters with mixed case and special characters. I would
like to see us require a 15 character pass phrase which, in my view, is
more secure (even without complexity), and both easier to type and
remember.

This is a tangential topic, but I was wondering if anyone on the list
was familiar with brute force tools that would work against web forms.
My concern is that without some kind of lock out policy, an account with
an 8 character password would be vulnerable to a brute force attack.

It's encouraging to see Jonny's reply below on the use of longer pass
phrases.

Sweeny, Jonny wrote:
Passphrases MUST contain at least:

    * 15 to 127 characters (at least 4 of which are unique)
    * 4 or more words (a "word" is defined as 2 or more distinct letters separated by 1 or more spaces or non-letters)

Passphrases MUST NOT:

    * contain the "at" sign (@)
    * contain the "number" sign (#)
    * be a common phrase (such as "to be or not to be" or "April showers bring May flowers")
    * be based on predictable patterns such as the alphabet or the layout of a standard keyboard
    * contain your name or username

No expiration presently.  We're working on that.

--
~Jonny Sweeny, GSEC, GCWN, GCIH, SSP-CNSA
Incident Response Manager, Lead Security Analyst
Office of the VP for Information Technology, Indiana University
PGP key & S/MIME cert: https://itso.iu.edu/Jonny_Sweeny
jsweeny () iu edu  p(812)855-4194  f(812)856-1011

-----Original Message-----
From: Brian T Nichols [mailto:bnichols () LSU EDU]
Sent: Monday, November 19, 2007 12:49
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Passwords & Passphrases

Colleagues,

We are researching best practices regarding passwords and passphrases (length, complexity, expiration, etc.).

Does anyone have a standard and/or policy they can share?

Thanks in advance!

-Brian

Brian Nichols, CISSP, CISM, CISA, CIA
Chief IT Security & Policy Officer
Louisiana State University

--
Martin Manjak
Information Security Officer
University at Albany
CISSP, GIAC GSEC-G, GCIH, GCWN
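The passphrase rules Jonny quotes above are concrete enough to be enforced at the point where a portal or SSO front end accepts a new passphrase. The following validator is an added example written for this archive page; it is not code from Indiana University, from Jonny, or from Martin. It encodes each MUST / MUST NOT rule as quoted, with three assumptions that are labelled in the code: the "common phrase" list is a small constructed stand-in for the much larger corpus a real deployment would check against, a "predictable pattern" is taken to mean five or more consecutive characters of the alphabet or of a standard keyboard row (in either direction), and the caller supplies the user's name and username as a tuple of identity tokens.

```python
import re

# Constructed stand-in for a common-phrase denylist; a real deployment
# would compare against a much larger corpus (song lyrics, quotations, ...).
COMMON_PHRASES = {
    "to be or not to be",
    "april showers bring may flowers",
    "the quick brown fox jumps over the lazy dog",
}

# Sequences the policy calls "predictable patterns": the alphabet and the
# three letter rows of a standard keyboard, each also in reverse.
_SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
_SEQUENCES += [s[::-1] for s in _SEQUENCES]
PATTERN_WINDOW = 5  # assumption: 5 consecutive letters of a sequence is a pattern


def _normalize(text):
    """Lowercase and reduce the text to its letter-only words, single-spaced,
    so punctuation and spacing differences do not defeat the phrase check."""
    return " ".join(re.findall(r"[a-z]+", text.lower()))


def _words(text):
    """Words as the policy defines them: runs of letters separated by spaces
    or non-letters, counted only if they contain 2 or more distinct letters."""
    return [t for t in re.split(r"[^A-Za-z]+", text) if len(set(t.lower())) >= 2]


def _has_sequence(text):
    """True if any PATTERN_WINDOW consecutive letters (ignoring non-letters)
    appear inside one of the alphabet/keyboard sequences."""
    letters = re.sub(r"[^a-z]", "", text.lower())
    for i in range(len(letters) - PATTERN_WINDOW + 1):
        window = letters[i:i + PATTERN_WINDOW]
        if any(window in seq for seq in _SEQUENCES):
            return True
    return False


def check_passphrase(passphrase, identity=()):
    """Return the list of rules the passphrase violates; an empty list means
    it is accepted. `identity` holds the user's name and username tokens."""
    violations = []
    if not 15 <= len(passphrase) <= 127:
        violations.append("length")
    if len(set(passphrase)) < 4:
        violations.append("unique-chars")
    if len(_words(passphrase)) < 4:
        violations.append("word-count")
    if "@" in passphrase or "#" in passphrase:
        violations.append("forbidden-char")
    if _normalize(passphrase) in COMMON_PHRASES:
        violations.append("common-phrase")
    if _has_sequence(passphrase):
        violations.append("pattern")
    lowered = passphrase.lower()
    if any(token and token.lower() in lowered for token in identity):
        violations.append("identity")
    return violations


if __name__ == "__main__":
    # Constructed sample candidates, one per rule, plus one that passes.
    samples = [
        ("correct horse battery staple", ()),
        ("to be or not to be", ()),
        ("Pa$$w0rd!", ()),
        ("abcdefghijklmnop", ()),
        ("my name is Jonny Sweeny 2007", ("jsweeny", "Jonny", "Sweeny")),
        ("user@example.com is mine", ()),
    ]
    for candidate, who in samples:
        result = check_passphrase(candidate, who)
        print(f"{candidate!r:40} -> {result or 'accepted'}")
```

The checks are ordered so that a caller can show every violated rule at once rather than stopping at the first, which is what a user needs in order to repair a rejected passphrase in one attempt. The word definition deliberately counts "aa" as not a word (only one distinct letter), matching the quoted policy text, and the sequence check runs over the letters with spaces and punctuation removed so that "abcd efgh ijkl" is still caught.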
