Educause Security Discussion mailing list archives

Re: Stats re: passwords


From: Chris Kidd <chris.kidd () UTAH EDU>
Date: Fri, 16 Oct 2009 10:48:46 -0600

It depends upon the purpose of the password rules. Are the rules to prevent others from guessing a password? If that's 
the case, either approach seems reasonable. However, password requirements should be part of an overall strategy that 
includes monitoring, lockouts, etc.

Chris

Chris Kidd
650 Komas Drive, Suite 102
Salt Lake City, UT 84108
Office: 801.587.9241
Cell: 801.747.9028
chris.kidd () utah edu 

http://www.secureit.utah.edu


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Don M. Blumenthal
Sent: Friday, October 16, 2009 10:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Stats re: passwords

One person that I know in the security community doesn't believe in password
rules like these because they are a pain to type and could be forgotten, if
nothing else wrt whether a letter is capitalized or not. Where the system
allows long pws, he advocates long, easy to remember sentences, such as
"IhatestrongpasswordrulesmorethanIhateBrusselssprouts."

Don

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of randy marchany
Sent: Friday, October 16, 2009 12:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Stats re: passwords

After reading Alison's note to the list about password rules, I'm sure
that for most of us, the following password would be valid under
standard password rules of a) 8-16 characters b) upper/lower case c)
at least 1 numeric d) at least 1 special character.

AaBbCcDd1234)(*&

<sigh>

Randy Marchany
VA Tech IT Security Office
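
Added example, not part of any message in the thread: a sketch that applies rules a) to d) from Randy's message to the two strings quoted above and also measures how much of each string is a plain alphabet, digit or keyboard run. The sequence list, the US QWERTY layout, the run length of 4 and all function names are assumptions made for this illustration.

```python
import string

def composition_failures(pw):
    """Rules a)-d) from the thread: 8-16 chars, upper and lower case,
    at least one digit, at least one special character."""
    failures = []
    if not 8 <= len(pw) <= 16:
        failures.append("length")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        failures.append("case")
    if not any(c.isdigit() for c in pw):
        failures.append("digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("special")
    return failures

# Assumption: US QWERTY rows, including the shifted number row.
SEQUENCES = [string.ascii_lowercase, string.digits, "1234567890",
             "!@#$%^&*()", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

def fold(pw):
    """Lower-case and collapse adjacent repeats, so 'AaBb' becomes 'ab'."""
    out = []
    for c in pw.lower():
        if not out or out[-1] != c:
            out.append(c)
    return "".join(out)

def patterned_fraction(pw, min_run=4):
    """Share of the folded string covered by runs of >= min_run symbols
    taken in order (forward or reversed) from a known sequence."""
    s, i, covered = fold(pw), 0, 0
    tracks = SEQUENCES + [q[::-1] for q in SEQUENCES]
    while i < len(s):
        n = 0  # length of the longest sequence run starting at position i
        while i + n < len(s) and any(s[i:i + n + 1] in t for t in tracks):
            n += 1
        if n >= min_run:
            covered += n
            i += n
        else:
            i += 1
    return covered / len(s) if s else 0.0

ACCEPTED = "AaBbCcDd1234)(*&"  # string quoted in Randy's message
PASSPHRASE = "IhatestrongpasswordrulesmorethanIhateBrusselssprouts."  # from Don's

if __name__ == "__main__":
    for pw in (ACCEPTED, PASSPHRASE):
        print(pw, composition_failures(pw), patterned_fraction(pw))
```

The composition rules accept the first string although every character of it sits in a predictable run, and they reject the long sentence on length and the missing digit.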
