Educause Security Discussion mailing list archives
Re: Password length and complexity
From: Roger A Safian <r-safian () NORTHWESTERN EDU>
Date: Fri, 31 May 2013 19:25:23 +0000
At this point, for most passwords, I think it's safe to assume that if the hashes are exposed they will be cracked.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shalla, Kevin
Sent: Friday, May 31, 2013 2:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password length and complexity

Yeah, it sounds scary, but don't most systems protect the password file so that hackers don't have easy attack access? Or are we to assume that attackers have easy access to our password files? If that's the case, then we probably all need to convert to two or three factor authentication, including tokens or biometrics.

Kevin

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Irish, Adrian L
Sent: Friday, May 31, 2013 12:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password length and complexity

This is not scholarly, but certainly technical, and eye opening (at least for me):

Anatomy of a hack: How crackers ransack passwords like "qeadzcwrsfxv1331"
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

Adrian

Adrian Irish
IT Security Officer
The University of Montana
SS 102
Missoula, MT 59812
(406) 243-6375
adrian.irish () umontana edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric Weakland
Sent: Friday, May 31, 2013 11:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password length and complexity

Greetings,

Do any of you have any links handy to scholarly/technical articles that have recommendations or strategies on choosing appropriate password length and complexity requirements?

We're working on extending out password expiration period significantly - let's say 1 year, and will be using things like 2-factor for extremely sensitive accounts, and I want to make sure we are using a sound rationale/reasons for the length we choose - backed up by some research. Anyone know of useful studies/research results that could help guide our recommendations?

Best,

Eric Weakland, CISSP, CISM, CRISC
Director, Information Security
Office of Information Technology
American University
eric at american.edu
202.885.2241
______________________________________
AU IT will never ask for your password via e-mail. Don't share your password with anyone!