Educause Security Discussion mailing list archives

Re: Password length and complexity


From: "Rickard, Josh A." <rickardj () HEALTH MISSOURI EDU>
Date: Fri, 31 May 2013 17:41:10 +0000

Not really a document, but I've attached an Excel sheet that explains Password Complexity vs. Length.  The other Excel 
sheet is for Risk Analysis.

Both of these came from the SANS Sec505 (GCWM) course.  I hope this helps.

Thanks,

Josh Rickard
System Support Analyst
School of Medicine
University of Missouri

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric Weakland
Sent: Friday, May 31, 2013 12:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password length and complexity

Greetings,

Do any of you have any links handy to scholarly/technical articles that have recommendations or strategies on choosing 
appropriate password length and complexity requirements?  We're working on extending our password expiration period 
significantly - let's say 1 year, and will be using things like 2-factor for extremely sensitive accounts, and I want 
to make sure we are using a sound rationale/reasons for the length we choose - backed up by some research.

Anyone know of useful studies/research results that could help guide our recommendations?

Best,


Eric Weakland, CISSP, CISM, CRISC
Director, Information Security
Office of Information Technology
American University
eric at american.edu
202.885.2241

______________________________________
AU IT will never ask for your password via e-mail.
Don't share your password with anyone!

Attachment: Passphrase_Length_vs_Complexity.xls
Description: Passphrase_Length_vs_Complexity.xls

Attachment: Practical_Risk_Analysis_and_Threat_Modeling_v.1.0.xls
Description: Practical_Risk_Analysis_and_Threat_Modeling_v.1.0.xls

