Educause Security Discussion mailing list archives
Re: Passwords & Passphrases
From: Harold Winshel <winshel () CAMDEN RUTGERS EDU>
Date: Mon, 19 Nov 2007 17:56:03 -0500
Are you saying a password cracking program is more likely to guess the letter "a" repeated 15 times or that an individual user trying to break in to a machine will more likely try that?

Harold

At 05:37 PM 11/19/2007, Alex wrote:

Harold:

I think there is confusion between pure mathematical probability and probability based on historical attacks/human created passwords. An attacker is more likely to try repetitive or dictionary-based/hybrid attacks over a network (or against a hash) than random passwords. Additionally, people are more likely to use certain characters than others when creating passwords (e.g. wheel of fortune). Therefore, user created passwords are not random. So, given that we know attackers typically use 'easy' passwords, the character 'a' repeated 15 times is more likely to be cracked than a 15 character passphrase. Likely, so is a 15 character passphrase when compared to a truly randomly generated password of 15 characters from the same character set. Hence, we have password complexity rules as those in Microsoft Server 2003 and Linux.

-Alex

-----Original Message-----
From: Harold Winshel [mailto:winshel () CAMDEN RUTGERS EDU]
Sent: Monday, November 19, 2007 5:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Passwords & Passphrases

I may have missed some of the earlier emails but I thought that a 15 character passphrase is as secure as a 15 character random password. For that matter, I thought the user could use the letter "a" fifteen times and it could be as secure as a random 15-character password or a 15-character password such as "I don't like the Red Sox" (I think that's more than 15, though).

Harold

At 04:44 PM 11/19/2007, Roger Safian wrote:
>At 02:01 PM 11/19/2007, Martin Manjak put fingers to keyboard and wrote:
> >move beyond 8 characters with mixed case and special characters. I
> >would like to see us require a 15 character pass phrase which, in my
> >view, is more secure (even without complexity), and both easier to
> >type and remember.
>
>Personally I'd love to see a password minimum length of 15 characters.
>
>My fear is that a password database gets compromised, and the weak
>passwords are cracked and bad things take place. I think that 15
>characters is a long enough string to make brute force cracking time
>consuming enough to allow us to change the passwords in a reasonable
>time-frame.
>
>I think the reality is that 15 characters will be too much for the
>community. We'll see.
>
>
>--
>Roger A. Safian
>r-safian () northwestern edu (email) public key available on many key servers.
>(847) 491-4058 (voice)
>(847) 467-6500 (Fax) "You're never too old to have a great childhood!"

Harold Winshel Computing and Instructional Technologies Faculty of Arts & Sciences Rutgers University, Camden Campus 311 N. 5th Street, Room B10 Armitage Hall Camden NJ 08102 (856) 225-6669 (O)
Harold Winshel Computing and Instructional Technologies Faculty of Arts & Sciences Rutgers University, Camden Campus 311 N. 5th Street, Room B10 Armitage Hall Camden NJ 08102 (856) 225-6669 (O)
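
An added illustration, not part of the original message or thread: the distinction drawn above between uniform keyspace and the order in which patterned guesses get tried, scored for three 15-character strings from the same 95-character set. The scoring model, the 20,000-word dictionary size, the sample word list and the sample strings are all assumptions constructed for this example.

```python
import math

PRINTABLE = 95               # printable ASCII, the shared character set
ASSUMED_DICT_SIZE = 20_000   # assumption: words in a guesser's dictionary
SAMPLE_WORDS = {"i", "don't", "like", "the", "red", "sox", "win"}  # constructed

def uniform_bits(pw: str) -> float:
    """log2 of the keyspace if every character is an independent uniform draw."""
    return len(pw) * math.log2(PRINTABLE)

def repeat_bits(pw: str):
    """Cost of 'short unit repeated k times' (unit + log2 k), or None."""
    for u in range(1, len(pw) // 2 + 1):
        if len(pw) % u == 0 and pw[:u] * (len(pw) // u) == pw:
            return u * math.log2(PRINTABLE) + math.log2(len(pw) // u)
    return None

def phrase_bits(pw: str):
    """Cost of 'n dictionary words, each possibly capitalised', or None."""
    tokens = [t.strip(".,!?").lower() for t in pw.split()]
    if tokens and all(t in SAMPLE_WORDS for t in tokens):
        return len(tokens) * (math.log2(ASSUMED_DICT_SIZE) + 1)
    return None

def structured_bits(pw: str) -> float:
    """Cheapest model that generates pw: the search a pattern-first guesser faces."""
    costs = [uniform_bits(pw), repeat_bits(pw), phrase_bits(pw)]
    return min(c for c in costs if c is not None)

# Constructed samples, 15 characters each.
SAMPLES = ["a" * 15, "the red sox win", "q7#Lp2!xVz9@rT4"]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw!r:20} uniform={uniform_bits(pw):6.1f} bits  "
              f"pattern-first={structured_bits(pw):6.1f} bits")
```

All three strings have the same uniform keyspace; they differ only once the score accounts for the structure that generated them.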