Educause Security Discussion mailing list archives
Re: Passphrases v Password
From: Tim Doty <tdoty () MST EDU>
Date: Mon, 8 Jul 2013 09:02:00 -0500
On 07/08/2013 08:58 AM, randy wrote:
Brad Tilley from my office developed a password generator tool that is pretty effective and easy to use. It's at http://16s.us/sha1_pass/. Basically, you supply it a phrase/sentence and it generates a number of password strings (base64, SHA-1, hex, etc.) that you can cut and paste into the login page.
Right, but that does absolutely nothing for initial login to a system, and therein lies the problem. Some sort of password manager is "the solution", but the initial login to a system remains a problem. I can't copy and paste until I've logged in...
There are other ways to approach that (for example, you can use a Yubikey to store an impossible-to-remember, ridiculously long and complex password/phrase, or employ smart cards, whatever) but all have their faults. It's not an easy problem.
Tim Doty
-Randy Marchany
VA Tech IT Security Office and Lab.

On Mon, Jul 8, 2013 at 9:50 AM, Tim Doty <tdoty () mst edu> wrote:

I've been resisting, but I will point out that that xkcd significantly overstates the entropy of English which ruins his analysis. Relying on simple passphrases as protection against hash cracking doesn't work against real threats (http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/).

In my opinion the biggest problem we face is that our systems are geared to require a password and password only for authentication. Even if you stand up a two factor system you are left with
1) locking out certain functionality (e.g., you can't use a Yubikey with an iPhone)
2) increased complexity (which tends toward weaker security)
3) uneven requirements resulting in exposed single factor mechanisms

Whatever solution any given institution comes up with is up to them as a means of best meeting their requirements, but the factually incorrect and consequently misleading xkcd strip is obviously a sore point with me.

Tim Doty

On 07/05/2013 07:49 PM, Cathy Hubbs wrote:

Thanks to those that answered both on and off the list. I see we are out in front but not alone. Yes there are others! Every institution has a variety of considerations when making a decision. Happy to discuss off line. The driving force was one year expiration and customer friendly. We believe it is easier to teach customers to write natural language sentences than to pick a number, a symbol, an upper case, and a lower case character. My colleague loves to trot this XKCD comic strip http://imgs.xkcd.com/comics/password_strength.png

Thanks again.
Cathy

On Jul 5, 2013, at 12:22 PM, "Cathy Hubbs" <hubbs () AMERICAN EDU> wrote:

Greetings,
American University is moving to require passphrases, 16 character minimum, with upper and lower case requirement for standard users (staff, students, and faculty). I would love to hear from anyone that has gone down this path and experiences from their customers.

Thanks
Cathy

Cathy Hubbs, CISSP, CISA, CGEIT
Chief Information Security Officer
Office of Information Technology
American University
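The thread above argues two things that a quick calculation makes concrete: a phrase-to-password tool like the one Randy describes cannot add entropy beyond the phrase it is fed, and the strength of a passphrase depends entirely on which attacker model you assume (random words from a list, random characters, or natural English). The following is an added example written for this archive, not code from the 16s.us tool or from any poster; it assumes the tool works by hashing the phrase and re-encoding the digest (the page does not show its internals), and the attacker models and bits-per-character figure are stated assumptions.

```python
import base64
import hashlib
import math

# Assumption: a phrase-to-password tool hashes the phrase and re-encodes the
# digest. This mimics that idea; it is not the code behind http://16s.us/sha1_pass/.
def derive_passwords(phrase: str) -> dict:
    """Turn a memorable phrase into fixed-length strings (hex, base64).
    Deterministic: the same phrase always yields the same outputs."""
    digest = hashlib.sha1(phrase.encode("utf-8")).digest()
    return {
        "hex": digest.hex(),
        "base64": base64.b64encode(digest).decode("ascii"),
    }


def bits_wordlist(num_words: int, vocab_size: int) -> float:
    """Entropy when the attacker knows the phrase is num_words words drawn
    uniformly from a vocab_size-word list (the xkcd model: 4 words, 2048-word list)."""
    return num_words * math.log2(vocab_size)


def bits_charset(length: int, charset_size: int) -> float:
    """Entropy if every character were chosen uniformly from a charset of
    charset_size symbols; this is the 'apparent' strength of a random-looking string."""
    return length * math.log2(charset_size)


def bits_natural_english(length_chars: int, bits_per_char: float = 1.0) -> float:
    """Rough entropy of a natural-language sentence. Shannon's experiments put
    printed English near 1 bit per character, far below the ~4.7 bits of a
    uniformly random lowercase letter. bits_per_char is an assumption to tune."""
    return length_chars * bits_per_char


def effective_bits(phrase_bits: float, derived: str, charset_size: int) -> float:
    """A derived string is no stronger than the phrase it came from: an attacker
    who guesses the phrase recomputes the derived password for free."""
    apparent = bits_charset(len(derived), charset_size)
    return min(phrase_bits, apparent)


def compare(phrase: str, num_words: int, vocab_size: int, sentence_len: int = 16) -> dict:
    """Side-by-side strength figures under the different attacker models."""
    derived = derive_passwords(phrase)
    phrase_bits = bits_wordlist(num_words, vocab_size)
    return {
        "phrase_bits": phrase_bits,
        "hex_apparent_bits": bits_charset(len(derived["hex"]), 16),
        "hex_effective_bits": effective_bits(phrase_bits, derived["hex"], 16),
        "random_16_mixed_case_bits": bits_charset(sentence_len, 52),
        "english_16char_sentence_bits": bits_natural_english(sentence_len),
    }


if __name__ == "__main__":
    # Constructed sample phrase (the xkcd one), 4 words from a 2048-word list.
    for key, value in compare("correct horse battery staple", 4, 2048).items():
        print(f"{key:32s} {value:6.1f}")
```

The output illustrates Tim's point: the 40-character hex string looks like 160 bits, but if the attacker works from the phrase it is worth only the 44 bits of the word-list model, and a 16-character natural English sentence modelled at roughly 1 bit per character is weaker still than the 91 bits a 16-character policy appears to promise if one assumed uniformly random mixed-case letters.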