Educause Security Discussion mailing list archives

Re: password vs pass-phrase (was: Are users right in rejecting security advice?)


From: Zach Jansen <zjanse20 () CALVIN EDU>
Date: Thu, 18 Mar 2010 08:20:50 -0400

-- 
Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550

On 3/17/2010 at 7:36 PM, in message <20100317233625.GH22665 () seas upenn edu>,
Charles Buchholtz <chip+educause () SEAS UPENN EDU> wrote:
On Wed, Mar 17, 2010 at 05:35:38PM -0400, Justin Azoff wrote:

Do any sites out there actually have a 'password' policy that is simply
'minimum length: 16' ?


We require a passphrase of 15 or greater. This had two benefits for us. First, the passphrases are long enough that they are not trivially brute forced and in theory would take much longer than our 1-year password rotation, so it allowed us to argue for a longer password age, which everyone appreciated except the auditors, who continue to recommend a shorter period. The other is that it forced out the possibility of storing the password hash in the LM format. There are some downsides in that users are still able and willing to choose poor passwords; the most common scheme seems to be incrementing a number every time the passphrase changes. The number in this case is usually the year in which the passphrase is set, so a passphrase of "Alice in Wonderland 2009" would simply be incremented upon expiration. As others have stated, part of the reason that the passphrase scheme works is that common password cracking tools don't effectively deal with the scheme. We've been using this scheme for several years now and I've yet to see an instance where the passphrase was cracked. I have seen several where it was captured and reused.

Zach Jansen
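The policy described in the message above, as an added worked example (it is not code from Zach Jansen, Calvin College, or the Educause list): a passphrase-change validator that enforces the 15-character minimum, notes that the minimum puts the passphrase past the 14-character ceiling at which an LM hash can exist, and rejects the "same passphrase with the trailing year bumped" rotation the post complains about by comparing the candidate against the previous passphrase. The function names (`check_passphrase`, `lm_hash_possible`, `is_incremented_rotation`) and the sample passphrases are assumptions constructed for this example.

```python
import re
from typing import List, Optional, Tuple

MIN_LENGTH = 15      # minimum passphrase length from the list post (hypothetical policy constant)
LM_MAX_LENGTH = 14   # LM hashes can only be computed for passwords of at most 14 characters

# Splits "Alice in Wonderland 2009" into base "Alice in Wonderland " and digits "2009".
_TRAILING_DIGITS = re.compile(r"^(?P<base>.*?)(?P<digits>\d+)$")


def split_trailing_number(passphrase: str) -> Tuple[str, Optional[str]]:
    """Return (base, trailing_digits); trailing_digits is None when the passphrase does not end in digits."""
    m = _TRAILING_DIGITS.match(passphrase)
    if not m:
        return passphrase, None
    return m.group("base"), m.group("digits")


def lm_hash_possible(passphrase: str) -> bool:
    """True when the passphrase is short enough for Windows to store an LM hash of it."""
    return len(passphrase) <= LM_MAX_LENGTH


def is_incremented_rotation(previous: str, new: str) -> bool:
    """True when the only difference between the old and new passphrase is the trailing number.

    This catches the 'bump the year on expiration' habit: same text (case-insensitive),
    different digits on the end.
    """
    old_base, old_num = split_trailing_number(previous)
    new_base, new_num = split_trailing_number(new)
    if old_num is None or new_num is None:
        return False
    return old_base.casefold() == new_base.casefold() and old_num != new_num


def check_passphrase(new: str, previous: Optional[str] = None) -> List[str]:
    """Return the list of reasons the candidate passphrase is rejected; an empty list means accepted."""
    reasons: List[str] = []
    if len(new) < MIN_LENGTH:
        reasons.append(f"too short: {len(new)} characters, minimum is {MIN_LENGTH}")
    if previous is not None:
        if new == previous:
            reasons.append("unchanged from previous passphrase")
        elif is_incremented_rotation(previous, new):
            reasons.append("only the trailing number changed from the previous passphrase")
    return reasons


if __name__ == "__main__":
    # Constructed sample rotations; none of these are real credentials.
    samples = [
        ("Alice in Wonderland 2009", None),
        ("Alice in Wonderland 2010", "Alice in Wonderland 2009"),
        ("Alice in Wonderland 2009", "Alice in Wonderland 2009"),
        ("short pass 1", None),
    ]
    for candidate, old in samples:
        verdict = check_passphrase(candidate, old) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)} (LM hash possible: {lm_hash_possible(candidate)})")
```

The length check alone already removes the LM-hash concern the post mentions, since any passphrase that passes it is longer than 14 characters; the comparison against the previous passphrase is what addresses the year-increment habit, and it only works if the change flow has access to the old passphrase (for example, by requiring the user to enter it at rotation time).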
