Educause Security Discussion mailing list archives

Re: Publishing password rules


From: "Strzelec, Wally" <wally () TAMU EDU>
Date: Thu, 6 Nov 2008 08:15:38 -0600

I like the idea of a "password phrase".  Complex passwords are hard to type and hard to remember.  A simple silly
phrase such as "The cow is all red" is easy to remember and type, and it's 18 chars.  It is also very easy to add complexity
by simply misspelling a word, adding a period, etc.  I think that when it comes to strong passwords, length is better
than complexity.

-Wally

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Geoff Nathan
Sent: Wednesday, October 29, 2008 9:46 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Publishing password rules

A week or so ago I asked for opinions on whether publishing strong password standards constituted a security risk.  The 
background for this is that we have just instituted increased strength requirements (minimum eight characters, at least 
one upper case and at least one numeral, no obvious matches--dictionary, accessID etc.).  We’ve now had to back off a
little because of *&#$%&!! Oracle limitations that forbid non-alphanumeric characters (well, most of them).  
As part of this we’ve been debating whether we should publish the rules or let users play twenty questions.  I 
personally favor publishing the requirements behind some authentication wall, such as the password change page.  By a 
large majority (12-3) the folks who responded to my question agreed.  Several pointed out that eight characters was 
probably too weak to make any difference, and, in general, I agree, but bumping that number up would not fly here at the
moment, especially given a six-month expiry cycle.
Many thanks to the following for the responses:

Valdis Kletnieks
Roger Safian
Steven Alexander
Vijaya Sastry
Adam Nave
Tim Doty
Alex Everett
Bill Terry
Bob Bayn
Brian Basgen
Jack Suess
Conor McGrath
Jim Rizzo
Gary Dobbins
Joel Rosenblatt

Geoffrey S. Nathan
Faculty Liaison, C&IT
and Associate Professor, Linguistics Program
+1 (313) 577-1259 (C&IT)
+1 (313) 577-8621 (English/Linguistics)
