Educause Security Discussion mailing list archives

Re: Passphrases v Password


From: Will Froning <will.froning () GMAIL COM>
Date: Fri, 5 Jul 2013 23:54:35 +0400

Hello Rich,

tiqr.org and https://www.toopher.com/ both come to mind as interesting ways to solve password problems. 

We have a more restrictive password policy for Faculty that includes a requirement to use Yubikey. It has eliminated 
students trying to steal faculty passwords as an avenue to abusing the system. Now the profs are struggling with 
camera phones instead.

Thanks,
Will

On July 5, 2013 at 11:24:20 PM, Rich Graves (rgraves () carleton edu) wrote:

What is the rationale for 16? The (obsolete!) justification for 15 was LANMAN.

Some of the best arguments against user-hostile password policies are http://research.microsoft.com/en-us/people/cormac/

Although I do not agree with all that he says -- he seems to derive joy from playing the contrarian -- the conclusion 
of "Where do security policies come from?" is devastating and, I believe, correct.
We conclude that the sites with the most restrictive password policies do not have greater security concerns, they are 
simply better insulated from the consequences of poor usability. Online retailers and sites that sell advertising must 
compete vigorously for users and traffic. In contrast to government and university sites, poor usability is a luxury 
they cannot afford. This in turn suggests that much of the extra strength demanded by the more restrictive policies is 
superfluous: it causes considerable inconvenience for negligible security improvement.  

We have a captive audience, and we can point at a password policy as evidence that we are "doing something." But the 
economic cost is high, and the security impact may be negative. I've overheard help desk staff refuse to change 
passwords for users affected by malware because it's hard to come up with a new password.

If you want security, the big wins are authentication by means other than passwords ("known device" is a huge win), and 
then application and network whitelisting. The motivation for my current institution's password policy was not security.
--  
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
-- 
Will Froning
Unix SysAdmin
Will.Froning () GMail com
MSN: wfroning () angui sh
YIM: will_froning
AIM: willfroning