Educause Security Discussion mailing list archives

Re: Follow up to password vs pass-phrase discussion


From: Kamnab Keo/FS/VCU <kkeo () VCU EDU>
Date: Wed, 28 Apr 2010 15:20:24 -0400

For everyone that uses or requires long passwords/pass-phrases, what has
been the feedback from your users?  For example if you have different
password expirations for different password lengths/complexity (not
looking to get into a discussion about the good and bad of password
expirations),  have you noticed that users are more inclined to go with
longer passwords/pass-phrases to avoid having to reset their passwords
more frequently?

And thanks again to all that shared their password policies.


Kamnab Keo
IT Risk Management Analyst
Virginia Commonwealth University

VCU Information Security - http://infosecurity.vcu.edu/
Information Security News, Tips & More - http://www.twitter.com/vcuinfosec
Information Security Best Practices -
http://infosecurity.vcu.edu/docs/information-security-best-practices.pdf

Don't be a phishing victim - VCU and other reputable organizations will
never use email to request that you reply with your password, Social
Security number or confidential personal information.  For more details
visit http://infosecurity.vcu.edu/phishing.




From: "Davis, Thomas R" <tdavis () IU EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 04/28/2010 07:32 AM
Subject: Re: [SECURITY] Follow up to password vs pass-phrase discussion
Sent by: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>



Kamnab,

We use passphrases exclusively:

 http://kb.iu.edu/data/acpu.html

--
Tom Davis, CISSP, CISM
Chief Security Officer
Public Safety and Institutional Assurance
Indiana University
https://informationsecurity.iu.edu/Tom_Davis


On Apr 27, 2010, at 3:22 PM, Kamnab Keo/FS/VCU wrote:

Does anyone advocate the use of pass-phrases vs passwords and allowing
users the ability to use pass-phrases if they want to?  For example, do
you allow your users to use pass-phrases that consist of 15 characters or
more with no complexity requirements but passwords with 7 to 14 characters
must have some type of complexity (uppercase, number, special character)?
Also does anyone have separate password policies for users that access
sensitive systems?  If so, what types of password policies are used?

Thanks,




Kamnab Keo
IT Risk Management Analyst
Virginia Commonwealth University
