Educause Security Discussion mailing list archives
Re: password vs pass-phrase (was: Are users right in rejecting security advice?)
From: Zach Jansen <zjanse20 () CALVIN EDU>
Date: Thu, 18 Mar 2010 08:20:50 -0400
On 3/17/2010 at 7:36 PM, in message <20100317233625.GH22665 () seas upenn edu>,
Charles Buchholtz <chip+educause () SEAS UPENN EDU> wrote:

On Wed, Mar 17, 2010 at 05:35:38PM -0400, Justin Azoff wrote:

Do any sites out there actually have a 'password' policy that is simply 'minimum length: 16' ?

We require a passphrase of 15 or greater. This had two benefits for us. First, the passphrases are long enough that they are not trivially brute-forced and in theory would take much longer than our 1-year password rotation, so it allowed us to argue for a longer password age, which everyone appreciated except the auditors, who continue to recommend a shorter period. The other is that it forced out the possibility of storing the password hash in the LM format.

There are some downsides in that users are still able and willing to choose poor passwords; the most common scheme seems to be incrementing a number every time the passphrase changes. The number in this case is usually the year in which the passphrase is set, so a passphrase of "Alice in Wonderland 2009" would simply be incremented upon expiration.

As others have stated, part of the reason that the passphrase scheme works is that common password cracking tools don't effectively deal with the scheme. We've been using this scheme for several years now and I've yet to see an instance where the passphrase was cracked. I have seen several where it was captured and reused.

Zach Jansen

-- 
Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550
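As an added example, not code from the post or from Calvin College's systems: a Python password-change check that enforces the 15-character minimum described above, reports whether a passphrase of that length could still be stored as an LM hash, and rejects the "same passphrase with the trailing year bumped" pattern the post names as the most common weakness. It assumes the previous passphrase is available in plaintext at change time (the user supplies it to prove ownership); the function names are mine.

```python
import re

MIN_LENGTH = 15  # policy minimum from the post

# Windows derives an LM hash only from passwords of 14 characters or fewer,
# so any passphrase meeting MIN_LENGTH cannot be stored in LM format.
LM_MAX_LENGTH = 14

_TRAILING_NUMBER = re.compile(r"^(.*?)(\d+)$")


def lm_hash_possible(passphrase: str) -> bool:
    """True if the passphrase is short enough for an LM hash to exist."""
    return len(passphrase) <= LM_MAX_LENGTH


def _split_trailing_number(text: str):
    """Return (stem, digits) where digits is the trailing run of digits, or None."""
    match = _TRAILING_NUMBER.match(text)
    if not match:
        return text, None
    return match.group(1), match.group(2)


def is_incremented_reuse(old: str, new: str) -> bool:
    """Detect 'Alice in Wonderland 2009' -> 'Alice in Wonderland 2010':
    the new passphrase is the old stem with only a trailing number changed
    or appended. Comparison is case-insensitive and ignores trailing spaces
    so that 'Alice in Wonderland' -> 'Alice in Wonderland 2010' is caught too."""
    old_stem, _ = _split_trailing_number(old)
    new_stem, new_digits = _split_trailing_number(new)
    if new_digits is None:
        return False
    return old_stem.rstrip().casefold() == new_stem.rstrip().casefold()


def check_change(old: str, new: str) -> list:
    """Return the list of policy violations for a proposed change (empty = accept)."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("too_short")
    if old.casefold() == new.casefold():
        problems.append("unchanged")
    elif is_incremented_reuse(old, new):
        problems.append("incremented_number")
    return problems


if __name__ == "__main__":
    # Constructed sample change, mirroring the post's example.
    print(check_change("Alice in Wonderland 2009", "Alice in Wonderland 2010"))
```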