Educause Security Discussion mailing list archives

Re: Passwords & Passphrases


From: "Peters, Kevin" <Kevin.Peters () OLC STATE OH US>
Date: Mon, 19 Nov 2007 15:16:53 -0500

Take a look at this site.  These are tools for performing SQL
Injection on web sites.  There is also a YouTube video on the attack.

http://www.security-hacks.com/2007/05/18/top-15-free-sql-injection-scanners


Kevin Peters
IT Manager
The Ohio State Lottery
Cleveland, OH

-----Original Message-----
From: Martin Manjak [mailto:mm376 () ALBANY EDU] 
Sent: Monday, November 19, 2007 3:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Passwords & Passphrases

This is a very timely topic from my perspective. We are moving to SSO
via a portal and I'm trying to convince my colleagues that if we're
going to continue to rely on single factor authentication, we need to
move beyond 8 characters with mixed case and special characters. I would
like to see us require a 15 character pass phrase which, in my view, is
more secure (even without complexity), and both easier to type and
remember.

This is a tangential topic, but I was wondering if anyone on the list
was familiar with brute force tools that would work against web forms.
My concern is that without some kind of lock out policy, an account with
an 8 character password would be vulnerable to a brute force attack.

It's encouraging to see Jonny's reply below on the use of longer pass 
phrases.

Sweeny, Jonny wrote:
Passphrases MUST contain at least:

    * 15 to 127 characters (at least 4 of which are unique)
    * 4 or more words (a "word" is defined as 2 or more distinct letters separated by 1 or more spaces or non-letters)

Passphrases MUST NOT:

    * contain the "at" sign (@)
    * contain the "number" sign (#)
    * be a common phrase (such as "to be or not to be" or "April showers bring May flowers")
    * be based on predictable patterns such as the alphabet or the layout of a standard keyboard
    * contain your name or username

No expiration presently.  We're working on that.

--
~Jonny Sweeny, GSEC, GCWN, GCIH, SSP-CNSA
Incident Response Manager, Lead Security Analyst
Office of the VP for Information Technology, Indiana University
PGP key & S/MIME cert: https://itso.iu.edu/Jonny_Sweeny
jsweeny () iu edu  p(812)855-4194  f(812)856-1011
-----Original Message-----
From: Brian T Nichols [mailto:bnichols () LSU EDU]
Sent: Monday, November 19, 2007 12:49
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Passwords & Passphrases

Colleagues,

We are researching best practices regarding passwords and passphrases
(length, complexity, expiration, etc.).

Does anyone have a standard and/or policy they can share?

Thanks in advance!

-Brian

Brian Nichols, CISSP, CISM, CISA, CIA
Chief IT Security & Policy Officer
Louisiana State University


-- 
Martin Manjak
Information Security Officer
University at Albany
CISSP, GIAC GSEC-G, GCIH, GCWN
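
Jonny's passphrase rules quoted in the thread above, written up as a validator. This is an added example, not code from any of the posters or their institutions; the common-phrase list, the four-character run threshold for the "predictable pattern" rule, and the username/name handling are my own assumptions about how to implement the policy text.

```python
import re
from typing import List

# Constructed stand-in for the "common phrase" rule; a real deployment would
# load a much larger list. Both entries come from the policy text itself.
COMMON_PHRASES = {"to be or not to be", "april showers bring may flowers"}

# Sequences for the "predictable pattern" rule: the alphabet plus the rows of
# a standard US keyboard. Treating any run of 4 consecutive characters (in
# either direction) as a pattern is an assumption, not part of the policy.
PATTERN_SOURCES = ["abcdefghijklmnopqrstuvwxyz", "qwertyuiop",
                   "asdfghjkl", "zxcvbnm", "1234567890"]
PATTERN_RUN = 4


def _normalize(text: str) -> str:
    """Lower-case and reduce to space-separated letter runs for phrase matching."""
    return " ".join(re.findall(r"[a-z]+", text.lower()))


def _has_sequence_run(text: str) -> bool:
    """True if any PATTERN_RUN-long slice of a known sequence appears in text."""
    lowered = text.lower()
    for seq in PATTERN_SOURCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + PATTERN_RUN] in lowered
                   for i in range(len(s) - PATTERN_RUN + 1)):
                return True
    return False


def count_words(passphrase: str) -> int:
    """Per the policy, a 'word' is a run of letters with at least 2 distinct letters."""
    return sum(1 for run in re.findall(r"[A-Za-z]+", passphrase)
               if len(set(run.lower())) >= 2)


def check_passphrase(passphrase: str, username: str = "", full_name: str = "") -> List[str]:
    """Return the list of policy rules the passphrase violates (empty means it passes)."""
    problems = []
    if not 15 <= len(passphrase) <= 127:
        problems.append("length must be 15 to 127 characters")
    if len(set(passphrase)) < 4:
        problems.append("must contain at least 4 unique characters")
    if count_words(passphrase) < 4:
        problems.append("must contain 4 or more words")
    if "@" in passphrase:
        problems.append("must not contain @")
    if "#" in passphrase:
        problems.append("must not contain #")
    if _normalize(passphrase) in COMMON_PHRASES:
        problems.append("must not be a common phrase")
    if _has_sequence_run(passphrase):
        problems.append("must not be based on alphabet or keyboard patterns")
    lowered = passphrase.lower()
    if any(p and p.lower() in lowered for p in (username, *full_name.split())):
        problems.append("must not contain your name or username")
    return problems
```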
