Educause Security Discussion mailing list archives
Re: Password length and complexity
From: Tim Doty <tdoty () MST EDU>
Date: Fri, 31 May 2013 15:56:57 -0500
Thanks for this, very interesting (especially http://cs.unc.edu/%7Efabian/papers/PasswordExpire.pdf)
On 05/31/2013 03:00 PM, Steven Alexander wrote:
I've written a lot about passwords (including length, complexity, hashes and expiration) on my blog. While blog posts don't count as "scholarly", mine do link to a number of academic papers and other resources. I also work out a lot of the math.
http://bugcharmer.blogspot.com/search/label/Passwords

In particular: How long should passwords be?
http://bugcharmer.blogspot.com/2012/06/how-long-should-passwords-be.html

For current research on measuring password entropy, check out Matt Weir's research:
http://reusablesec.blogspot.com/2010/10/new-paper-on-password-security-metrics.html
http://reusablesec.blogspot.com/2010/10/ccs-paper-part-2-password-entropy.html
These two blog posts comment on and explain Weir's paper which he presented at the 2010 ACM CCS conference.

Regards,
Steven Alexander Jr.
Online Education Systems Manager
Merced College
3600 M Street
Merced, CA 95348-2898
(209) 384-6191
alexander.s () mccd edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric Weakland
Sent: Friday, May 31, 2013 10:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password length and complexity

Greetings,

Do any of you have any links handy to scholarly/technical articles that have recommendations or strategies on choosing appropriate password length and complexity requirements?

We're working on extending out password expiration period significantly - let's say 1 year, and will be using things like 2-factor for extremely sensitive accounts, and I want to make sure we are using a sound rationale/reasons for the length we choose - backed up by some research.

Anyone know of useful studies/research results that could help guide our recommendations?

Best,
Eric Weakland, CISSP, CISM, CRISC
Director, Information Security
Office of Information Technology
American University
eric at american.edu
202.885.2241