Educause Security Discussion mailing list archives

Re: Password length and complexity


From: Roger A Safian <r-safian () NORTHWESTERN EDU>
Date: Fri, 31 May 2013 18:45:27 +0000


Is this useful?

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rickard, Josh A.
Sent: Friday, May 31, 2013 12:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password length and complexity

Not really a document, but I've attached an Excel sheet that explains Password Complexity vs. Length.  The other Excel 
sheet is for Risk Analysis.

Both of these came from the SANS Sec505 (GCWM) course.  I hope this helps.

Thanks,

Josh Rickard
System Support Analyst
School of Medicine
University of Missouri

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric Weakland
Sent: Friday, May 31, 2013 12:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password length and complexity

Greetings,

Do any of you have any links handy to scholarly/technical articles that have recommendations or strategies on choosing 
appropriate password length and complexity requirements?  We're working on extending out password expiration period 
significantly - let's say 1 year, and will be using things like 2-factor for extremely sensitive accounts, and I want 
to make sure we are using a sound rationale/reasons for the length we choose - backed up by some research.

Anyone know of useful studies/research results that could help guide our recommendations?

Best,


Eric Weakland, CISSP, CISM, CRISC
Director, Information Security
Office of Information Technology
American University
eric at american.edu
202.885.2241

______________________________________
AU IT will never ask for your password via e-mail.
Don't share your password with anyone!

Attachment: Nist_Entropy_Spreadsheet.xls
Description: Nist_Entropy_Spreadsheet.xls

