Educause Security Discussion mailing list archives

Re: password length and required reset


From: Steven Alexander <steven.alexander () KCCD EDU>
Date: Mon, 10 Oct 2016 15:24:46 +0000

Nick,

I have some contrary positions.

What is the eight character minimum based on?  If you only want to prevent online guessing (e.g. brute-forcing RDP), 
eight is probably enough.  If you’re trying to protect against offline guessing (i.e. cracking password hashes), then 
eight is not even close to adequate for most systems.  AD accounts store passwords using unsalted MD4 which can be 
guessed at a rate of billions of guesses per second.  Many applications use unsalted MD5 or SHA-1 which, for password 
protection, are not much better.  In those cases, eight character passwords are very easy to break and many 
(user-chosen) passwords up to about thirteen or fourteen characters can be cracked in a reasonable amount of time.  For 
critical accounts, those with administrative privileges and those with access to sensitive data (e.g. Payroll), I 
recommend fifteen characters.

The research on password expiration shows that regular password changes are not helpful.  They have minimal positive 
impact and encourage users to do exactly what you mention: pick a pattern and increment (“Fall2016!”, “Winter2017!”, 
etc).  The better recommendations are to change passwords when an event occurs rather than every XX days and to 
implement two-factor authentication if possible.

A password vault is a great idea.  Not only does it make it easier to use different passwords for different 
sites/systems, it makes it easier to pick strong passwords.

Regards,

Steven Alexander
Director of IT Security
Kern Community College District
(661) 336-5111

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Nicholas 
Garigliano
Sent: Sunday, October 9, 2016 7:51 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] password length and required reset

Hi Mike,

Some thoughts on password requirements in general:
- It is common for people to reuse account credentials at multiple sites that never require a password change (Amazon, 
Twitter etc.).  If one of the sites gets hacked and the credentials get dumped, then that increases the exposure for your 
site.  Not to mention the nightmare it creates for the user.
- While pass phrases are generally more secure, simple/common ones like "Star Wars VII" are not.  You can find these in 
most on-line cracking databases/lists.  Of course, complexity and length are always a trade off between usability and 
administrative overhead (resets etc).
- Current technology has made cracking dumped hashes more feasible for your average bad guy.
- Education can help.  Many users, not all as we know, will listen if you explain clearly and succinctly why reusing 
passwords is not in their best interest.  Suggesting the use of a password vault I feel is also a good idea.

So my deep thoughts on passwords is that you do need a minimum of 8, they need to be changed (and not just 
incremented, i.e. password123) and there should be some complexity.  But as usual, it all depends on what you are 
allowed to do or can do in your particular environment.

Nick Garigliano, CISSP, GCIH
Network Security Engineer
Enterprise & Network Solutions
Nazareth College
585 389-2109

On Fri, Oct 7, 2016 at 3:28 PM, Mike Cunningham <mike.cunningham () pct edu> wrote:
We currently have a password length rule of 6 with a password expiration of 180 days. We are considering changing that to 
a length of 12 with a recommendation to use a pass phrase, and no expiration. Students can change their password daily 
or never, as they want. We believe the longer length requirement will make the password so much stronger that the 
password reset is no longer needed. This change is for students ONLY. Employees will still have a password reset 
requirement.

Thanks


Mike Cunningham
VP of Information Technology Services/CIO
Pennsylvania College of Technology
