Educause Security Discussion mailing list archives

Re: Password Expatriation notification


From: Charles Buchholtz <chip+educause () SEAS UPENN EDU>
Date: Thu, 19 Aug 2010 15:49:39 -0400

On Thu, Aug 19, 2010 at 12:04:30PM -0700, Alex Keller wrote:
re: I've watched people who have trouble typing try to enter passwords
and pass-phrases. When every character takes 5 seconds to type, a 9
character password is much easier than a 16 character pass-phrase.

however, it is often easier for people to type passphrases (even poor
typists) because the keystrokes are familiar. I am not a great typist
and I can type "Should we go back to the moon?" much faster than
"vf$1048Za".

I agree - it is difficult to predict who will prefer pass-phrases and
who will prefer passwords.

For people going to pass-phrases, are you preventing people from
picking common catch-phrases?  I'm not seeing brute force pass-phrase
guessing attacks, but I'd prefer to learn from history and build in my
defense now.

I liked the idea of Googling the pass-phrase (in quotes) and counting
the hits, but that would involve sending all of our passwords in clear
over the internet from our password management machine's IP.  It's too
bad - Google makes a really good password/passphrase vetter.

--- Chip

Charles H. Buchholtz                    Director of Systems Programming
chip () seas upenn edu            School of Engineering and Applied Science
http://www.seas.upenn.edu/~chip           University of Pennsylvania
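A local alternative to the Google-hit-count idea, as an added example that is not part of the original thread: normalise a candidate passphrase and compare it against a phrase list held on the password-management host itself, so no candidate ever leaves the machine. The phrase list, the `normalize` helper and the `PassphraseVetter` class are constructed for this example.

```python
import re
import unicodedata

# Constructed sample of "common catch-phrases" (quotes, slogans, song titles).
# In practice this would be a larger file you curate and keep on the
# password-management host, so nothing is sent over the internet.
COMMON_PHRASES = [
    "should we go back to the moon",
    "may the force be with you",
    "to be or not to be",
    "the quick brown fox jumps over the lazy dog",
]


def normalize(phrase: str) -> str:
    """Fold case, strip accents and punctuation, collapse whitespace.

    Without this, "Should we go back to the moon?" and
    "should-we-go-back-to-the-moon" would look like different phrases.
    """
    text = unicodedata.normalize("NFKD", phrase).encode("ascii", "ignore").decode()
    text = re.sub(r"[^a-z0-9]+", " ", text.lower())
    return " ".join(text.split())


class PassphraseVetter:
    """Offline check of a pass-phrase against a locally held phrase list."""

    def __init__(self, phrases, min_words: int = 4):
        # Store the normalised forms so lookups are exact after normalisation.
        self.blocked = {normalize(p) for p in phrases}
        self.min_words = min_words

    def check(self, candidate: str):
        """Return (accepted, reason) for a candidate pass-phrase."""
        norm = normalize(candidate)
        if len(norm.split()) < self.min_words:
            return (False, "too few words")
        if norm in self.blocked:
            return (False, "matches a well-known phrase")
        # Padding a known phrase with a word or two is not much better,
        # nor is taking a fragment of one.
        for known in self.blocked:
            if known in norm or norm in known:
                return (False, "contains or is contained in a well-known phrase")
        return (True, "ok")


if __name__ == "__main__":
    vetter = PassphraseVetter(COMMON_PHRASES)
    for cand in ["Should we go back to the moon?", "Should we go back to Mars in 2030?"]:
        print(cand, "->", vetter.check(cand))
```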

