Educause Security Discussion mailing list archives

Re: Passphrases v Password


From: Rich Graves <rgraves () CARLETON EDU>
Date: Fri, 5 Jul 2013 14:24:17 -0500

What is the rationale for 16? The (obsolete!) justification for 15 was LANMAN. 

Some of the best arguments against user-hostile password policies are 
http://research.microsoft.com/en-us/people/cormac/ 

Although I do not agree with all that he says -- he seems to derive joy from playing the contrarian -- the conclusion 
of "Where do security policies come from?" is devastating and, I believe, correct. 


We conclude that the sites with the most restrictive password policies do not have greater security concerns, they are 
simply better insulated from the consequences of poor usability. Online retailers and sites that sell advertising must 
compete vigorously for users and traffic. In contrast to government and university sites, poor usability is a luxury 
they cannot afford. This in turn suggests that much of the extra strength demanded by the more restrictive policies is 
superfluous: it causes considerable inconvenience for negligible security improvement. 


We have a captive audience, and we can point at a password policy as evidence that we are "doing something." But the 
economic cost is high, and the security impact may be negative. I've overheard help desk staff refuse to change 
passwords for users affected by malware because it's hard to come up with a new password. 

If you want security, the big wins are authentication by means other than passwords ("known device" is a huge win), and 
then application and network whitelisting. The motivation for my current institution's password policy was not 
security. 
-- 

Rich Graves http://claimid.com/rcgraves 
Carleton.edu Sr UNIX and Security Admin 
