Educause Security Discussion mailing list archives
Re: Stats re: passwords
From: John Lupton <lupton () ISC UPENN EDU>
Date: Mon, 19 Oct 2009 10:08:08 -0400
And an Aggie joke at that...

John Lupton (UT '74)

----------------------------------------------------
John T. Lupton
Sr. Information Security Specialist
University of Pennsylvania/Information Systems & Computing
lupton () upenn edu/215-573-3811

On Oct 16, 2009, at 6:09 PM, Wayne Samardzich wrote:

> It's a joke.
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
> Sent: Friday, October 16, 2009 5:02 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Stats re: passwords
>
> On Fri, 16 Oct 2009 16:27:41 CDT, Willis Marti said:
>
> > During a recent password audit, it was found that one user was using the following password:
> > MickeyMinniePlutoHueyLouieDeweyDonaldGoofy
>
> I call shenanigans. *How* exactly was this found out? What password cracker would actually try that combo - and not run so slowly trying all *other* similar length password/phrase combos that it would be useless?
>
> > When asked why such a big password, the user said that it had to be at least 8 characters long.
>
> It *does* make for a good story though. ;)
>
> The problem is that good stories usually end up growing up to become urban legends, and then somebody sets policy based on it, without any real thought about things like "is it really plausible to break a 40+ character password in realistic time?".
>
> This is probably a good time to suggest that everybody go back and re-read Gene Spafford's blog postings on forced expiration/changing of passwords, and the threat models it used to defend against, and the actual threat models we face now. A keystroke logger doesn't care about password complexity rules....