Educause Security Discussion mailing list archives

Re: Passphrases v Password


From: Rich Graves <rgraves () CARLETON EDU>
Date: Fri, 5 Jul 2013 14:06:01 -0500

Is this driven by a specific external requirement? 

Unless your current passwords are laughably bad [1], I don't think this should be a priority. Passwords are stolen by 
malware and phishing, not cracking. To protect against sniffing attacks, use later versions of signed CIFS protocols. 
I'd advise you to leave passwords alone and try to get to "2-step verification" where it matters. Use 2-factor to 
protect the highest risk assets, but the "remember this device" strategy employed by Google, Facebook, Evernote, 
Amazon, DropBox, and many banks is pretty good. 

[1] Until 2006, Carleton required passwords of exactly 8 characters, with no other checking. Help desk representatives 
were instructed to set passwords to "carleton" and politely ask users to change them later. A large percentage of users 
did not. 
