Educause Security Discussion mailing list archives
Re: password length and required reset
From: Steven Alexander <steven.alexander () KCCD EDU>
Date: Mon, 10 Oct 2016 16:00:50 +0000
I don’t like it either. The XKCD cartoon estimates that a hacker can guess 1000 passwords per second. For offline attacks, the speed is more typically between a billion and several tens of billions of guesses per second. Given that, you would need to use at least six random, unrelated words.

Steven Alexander
Director of IT Security
Kern Community College District
(661) 336-5111

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brad Judy
Sent: Monday, October 10, 2016 8:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] password length and required reset

While I like their philosophy, I don’t like the specific guidance of four random words – it just sets a recipe for password cracking. Considering most people would choose the 1,000-2,000 most commonly used English words, it doesn’t take much to set up a dictionary and pattern for cracking. There was some good discussion of this point after the XKCD comic recommending this approach. At least the XKCD comic included a non-noun word, whereas the Stanford example uses all nouns.

Is longer more secure than complex? Sure, it can be when the characters are semi-random, but using regular words can drastically change that math because you can’t use character-based calculations of entropy.

Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of randy <marchany () VT EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, October 10, 2016 at 8:35 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] password length and required reset

I heartily recommend using Stanford's new password requirements found at https://uit.stanford.edu/service/accounts/passwords/quickguide. It makes a lot of sense and is fairly easy for users to follow. One of my analysts has placed in the top 3 of the Crack Me If You Can for the past couple of years and he's been advocating that longer passwords are more secure than "complex" passwords. The Stanford model seems to follow that advice. We'll be moving toward that model in the next 18 months.

Randy Marchany
VA Tech IT Security Office and Lab

On Mon, Oct 10, 2016 at 10:19 AM, Brad Judy <brad.judy () cu edu> wrote:

Most of the services you mention offer opt-in, or mandatory, multifactor authentication and many have pretty advanced automated systems for detecting suspicious logins/activities. That said, the only reason I like limited password life for our industry is because it ensures people don’t use the same passwords for our systems as third-party systems. If you have to change your password once every 6-12 months at your EDU, it’s unlikely you run around changing your password elsewhere to match.

At its root, password expiration is a control to address an undetected, unrepeatable compromise of credentials. If the attack is detected, you can force a password reset. If the attack is repeatable (like phishing or a keylogger), then the attacker can get the new password as well. Some of the origins are in the idea of an attacker stealing your password store and cracking it, but these days the more common version of the threat is someone stealing an external password store, cracking it and then using the email/password combo to attack their email account (and related accounts). If you want to have immortal passwords, then ask yourself what detection and response capabilities you have, as well as your options for stronger authentication mechanisms where appropriate.

Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

On 10/10/16, 7:09 AM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Mike Cunningham" <SECURITY () LISTSERV EDUCAUSE EDU on behalf of mike.cunningham () PCT EDU> wrote:

Thanks for the feedback. How do you counter the argument that no other online service that requires passwords has any set time limit on a password, and they are sites with much more sensitive information: bank sites, credit card sites, Amazon, PayPal, Gmail, Yahoo, Hotmail, outlook.com, phone companies, Netflix, etc. I can't think of any service that I have myself that requires me to change a password on a regular basis, and that is how students view us, as just another online service.

I am 100% in favor of employees needing to reset a password since their access gives them access to other people's data, but students only have access to their own data, so password mismanagement only puts their own data at risk, just like on any of those other services.

Mike Cunningham

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Boyd, Daniel
Sent: Monday, October 10, 2016 8:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] password length and required reset

You are correct in thinking that 12 characters will help. If you run passwords through most any analyzer, that 12th character adds a tremendous amount of time to the decryption process... but will not help if common phrases, titles, and sequences are used.

We recently moved all faculty, staff and service accounts to a 90-day password reset cycle, with a history of 6. We are considering a minimum password age of 2 days, but have not implemented that change yet. We recommend the password to be a minimum of 8, but no longer than 13 characters (any longer and Office365 complains, at least as of August of this year) and it cannot contain three consecutive characters of their username. It also must have a capital letter and a number or symbol.

It has taken a number of years to push this policy amid lots of grumbling from staff and faculty. We got buy-in from administration by explaining our reasons for implementing, we communicated the change effectively to the community and so far, have not had significant backlash. We considered having two different policies for staff and faculty, but decided it was in everyone's best interest to enforce the stricter policy (whether they believed it or not).

Students have all the same requirements except the max age for their password is 180 days. No issues there either, as this is explained at orientation. While it frustrates a tiny percentage, it is an acceptably low percentage. The key is effective communication and simple explanation of the reasons why this is important.

Good luck with any changes you make.

Dan

Daniel H. Boyd (94C)
Senior Network Architect
Network Operations
Information Security Advisory Group Chair
Berry College
Phone: 706-236-1750
Fax: 706-238-5824

There are two rules to follow with your account passwords:
1. NEVER SEND YOUR PASSWORD VIA EMAIL (TO ANYONE)!!!!!
2. If unsure, consult rule #1

-----Original Message-----
From: Mike Cunningham [mailto:mike.cunningham () PCT EDU]
Sent: Friday, October 07, 2016 3:29 PM
Subject: password length and required reset

We currently have a password length rule of 6 with a password expiration of 180 days. We are considering changing that to a length of 12 with a recommendation to use a pass phrase, and no expiration. Students can change their password daily or never. We believe the longer length requirement will make the password so much stronger that the password reset is no longer needed. This change is for students ONLY. Employees will still have a password reset requirement.

Thanks
Mike Cunningham
VP of Information Technology Services/CIO
Pennsylvania College of Technology
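An added Python example, written for this archive page and not posted by anyone in the thread, that makes the two entropy arguments above concrete: Brad Judy's point that a passphrase built from common words has to be scored as a choice among words rather than characters, and Steven Alexander's point that at offline rates of a billion to tens of billions of guesses per second you need about six random words. The 2,000-word attacker dictionary, the 95-character alphabet, the tiny embedded word list and the ten-year survival target are assumptions, not values from the thread.

```python
import math
from typing import Optional

# Constructed stand-in for the attacker's list of the ~2,000 most common English
# words; the COUNT drives the estimate, the sample only makes the demo runnable.
COMMON_WORDS = {"correct", "horse", "battery", "staple", "college", "student",
                "password", "orange", "table", "secure", "login", "campus"}
COMMON_WORD_COUNT = 2000      # assumed size of the attacker's word dictionary
CHARSET_SIZE = 95             # printable ASCII, for the character-based estimate


def segment_words(candidate: str, words=COMMON_WORDS) -> Optional[list[str]]:
    """Split candidate into dictionary words (dynamic programming), or return
    None if it cannot be built entirely from the dictionary."""
    s = candidate.lower()
    best: list[Optional[list[str]]] = [None] * (len(s) + 1)
    best[0] = []
    for end in range(1, len(s) + 1):
        for start in range(end):
            if best[start] is not None and s[start:end] in words:
                best[end] = best[start] + [s[start:end]]
                break
    return best[len(s)]


def entropy_bits(candidate: str, words=COMMON_WORDS) -> float:
    """Attacker-centric entropy: if the string is just dictionary words, the
    cheapest model is 'pick k words from N', not 'pick len chars from 95'."""
    char_bits = len(candidate) * math.log2(CHARSET_SIZE)
    parts = segment_words(candidate, words)
    if parts is None:
        return char_bits
    return min(char_bits, len(parts) * math.log2(COMMON_WORD_COUNT))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to find the password: half the keyspace at the given rate."""
    return 2 ** bits / 2 / guesses_per_second


def words_needed(guesses_per_second: float, target_seconds: float,
                 dict_size: int = COMMON_WORD_COUNT) -> int:
    """Fewest random dictionary words whose expected crack time exceeds target."""
    bits_needed = math.log2(2 * guesses_per_second * target_seconds)
    return math.ceil(bits_needed / math.log2(dict_size))


if __name__ == "__main__":
    ten_years = 10 * 365 * 86400          # assumed survival target
    for rate in (1e3, 1e9, 1e10):         # XKCD's rate vs. offline rates in the thread
        print(f"{rate:.0e}/s: {words_needed(rate, ten_years)} random words needed")
    print(round(entropy_bits("correcthorsebatterystaple"), 1), "bits for four common words")
```

At 1000 guesses/s four words clear the ten-year bar, at 1e9 or 1e10 guesses/s it takes six, and the four-word XKCD phrase scores about 44 bits (word model) rather than 164 bits (character model).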