Educause Security Discussion mailing list archives
Re: Password length and complexity
From: Alan Stockdale <astockdale () EDC ORG>
Date: Fri, 31 May 2013 14:23:42 -0400
--Electronic Authentication Guideline. 2011. NIST SP800-63 (see esp. "Appendix A: Estimating Entropy and Strength").
--Guide to Enterprise Password Management (Draft). 2009. NIST SP800-118
http://csrc.nist.gov/publications/PubsSPs.html

Worth asking how they are being stored and can they be stored more securely. A lot of passwords are stored in a manner that doesn't provide adequate protection. See http://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html

On 5/31/2013 1:08 PM, Eric Weakland wrote:

Greetings,

Do any of you have any links handy to scholarly/technical articles that have recommendations or strategies on choosing appropriate password length and complexity requirements?

We're working on extending out password expiration period significantly - let's say 1 year, and will be using things like 2-factor for extremely sensitive accounts, and I want to make sure we are using a sound rationale/reasons for the length we choose - backed up by some research.

Anyone know of useful studies/research results that could help guide our recommendations?

Best,

Eric Weakland, CISSP, CISM, CRISC
Director, Information Security
Office of Information Technology
American University
eric at american.edu
202.885.2241
______________________________________
AU IT will never ask for your password via e-mail. Don't share your password with anyone!

--
Alan Stockdale, Ph.D.
Education Development Center
43 Foundry Avenue, Waltham, MA 02453-8313
Work: 617 618 2731
Fax: 617 969 3401
E-mail: astockdale () edc org
Web: http://www.edc.org/