Educause Security Discussion mailing list archives
Re: passwords vs. passphrases
From: Geoffrey Steven Nathan <geoffnathan () WAYNE EDU>
Date: Sun, 7 Jul 2013 14:30:25 -0400
It seems that the result of this discussion is that neither passwords nor passphrases are secure. We now know that easily available tools can crack even long passwords, and that utilizing grammatical parsing tools (POS taggers) can make passphrases easy to crack too (and it's not just being 'grammatically correct'--anything resembling English will be crackable). The take-home: we should not be relying on pass[word/phrase]s in the first place. Of course, we'll never convince the auditors of that. So we'll continue to inconvenience and annoy our users, while at the same time knowing (amongst ourselves) that it's for no good reason, and doesn't make them or us any safer. Kinda like airport security... Sigh... Geoff Geoffrey S. Nathan Faculty Liaison, C&IT and Professor, Linguistics Program http://blogs.wayne.edu/proftech/ +1 (313) 577-1259 (C&IT) Nobody at Wayne State will EVER ask you for your password. Never send it to anyone in an email, no matter how authentic the email looks.
Current thread:
- Re: passwords vs. passphrases Geoffrey Steven Nathan (Jul 07)