Educause Security Discussion mailing list archives

Re: Who is using Passphrase over 16 characters


From: "Gregory, Christopher" <CGREGORY () HWS EDU>
Date: Fri, 4 Sep 2020 22:11:06 +0000

Hello Cathy,
We have stuck with the NIST guidelines (8 character minimum) and focused on a defense-in-depth approach in hopes a 
compromised password is less likely to cause a full-blown breach. In our experience, passwords are most likely to be 
compromised through some other vector (phishing...<sigh>) rather than guessed or brute-forced, thus negating the 
effectiveness of length/complexity.

Our mitigation approach consists of account lockout on every system that will support it, and we are pushing all on-premises 
and cloud services to MFA as quickly as our populations can stomach it. We also try - with mixed results - to 
"encourage" participation in security awareness training.

I think the password policy approach an org takes is much like the, "What's better, Coke or Pepsi" argument. Yes, 
password phrases are certainly preferred as they can be longer and are easier to remember, but I'm of the (perhaps 
unpopular) opinion that long passwords - unless they are complex and non-dictionary - create more risks than they 
mitigate.

For those of you going 12+ characters, do you enforce password history/uniqueness? Complexity?

Have a quiet weekend,
Chris

Christopher Gregory | CCIE, CISSP
Network & Cyber Security Architect
Hobart and William Smith Colleges
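The two controls the reply above relies on, a NIST SP 800-63B-style length check against a blocklist (no composition rules) and account lockout after repeated failures, as an added Python illustration that is not part of the original thread or of any institution's code. The blocklist entries and the usernames are constructed placeholders, and the 8 and 16 character minimums are the figures from the thread, not a recommendation beyond it.

```python
"""Length-based password policy plus account lockout (illustrative, constructed data)."""
from dataclasses import dataclass, field
import hmac
import unicodedata

# Constructed placeholder: a real deployment would load a breached/common-password list.
BLOCKLIST = frozenset({"password", "password1", "welcome1", "letmein", "qwerty123", "changeme"})


@dataclass
class PasswordPolicy:
    """NIST-style policy: minimum length, maximum length, blocklist, no composition rules."""
    min_length: int = 8          # the 8-character minimum mentioned in the thread
    max_length: int = 64
    blocklist: frozenset = BLOCKLIST

    def check(self, password: str, context_words=()) -> list:
        """Return the reasons a password is rejected; an empty list means it is accepted."""
        pw = unicodedata.normalize("NFKC", password)   # compare consistently across input forms
        reasons = []
        if len(pw) < self.min_length:
            reasons.append(f"shorter than {self.min_length} characters")
        if len(pw) > self.max_length:
            reasons.append(f"longer than {self.max_length} characters")
        if pw.lower() in self.blocklist:
            reasons.append("appears in the common/breached password list")
        for word in context_words:               # e.g. username or institution name
            if word and word.lower() in pw.lower():
                reasons.append(f"contains context-specific word '{word}'")
        if pw and len(set(pw)) == 1:
            reasons.append("single repeated character")
        return reasons


@dataclass
class LockoutTracker:
    """Lock an account after max_failures failed attempts inside a sliding window."""
    max_failures: int = 5
    window_seconds: int = 900
    lockout_seconds: int = 900
    _failures: dict = field(default_factory=dict)      # user -> list of failure timestamps
    _locked_until: dict = field(default_factory=dict)  # user -> unlock time

    def is_locked(self, user: str, now: float) -> bool:
        return self._locked_until.get(user, 0) > now

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed attempt; return True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        recent = [t for t in self._failures.get(user, []) if now - t < self.window_seconds]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures[user] = []
            return True
        return False

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)


def attempt_login(tracker: LockoutTracker, user: str, supplied: str, stored: str, now: float) -> str:
    """Return 'locked', 'ok' or 'failed'; a locked account is refused before the comparison."""
    if tracker.is_locked(user, now):
        return "locked"
    if hmac.compare_digest(supplied.encode(), stored.encode()):   # constant-time comparison
        tracker.record_success(user)
        return "ok"
    tracker.record_failure(user, now)
    return "locked" if tracker.is_locked(user, now) else "failed"


if __name__ == "__main__":
    eight = PasswordPolicy()                 # the 8-character NIST minimum
    sixteen = PasswordPolicy(min_length=16)  # the 16+ passphrase policy asked about
    print(eight.check("correct horse battery staple"))   # []
    print(sixteen.check("Tr0ub4dor&3"))                 # too short for the passphrase policy
    t = LockoutTracker()
    for i in range(6):
        print(attempt_login(t, "alice", "wrong", "correct horse battery staple", now=i))
```

The policy class deliberately has no uppercase/digit/symbol rule: under the NIST approach a long, non-blocklisted passphrase passes, and the lockout tracker carries the "guessing" risk rather than composition rules. Password history, which the reply asks about, would be a further check over stored hashes of previous passwords and is not shown here.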

From: The EDUCAUSE Security Community Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Blake Brown
Sent: Thursday, September 3, 2020 5:10 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Who is using Passphrase over 16 characters

We are using a minimum of 12+ here but would also like to move to 16+ passphrase in the next year or so.

~Blake

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> on behalf of Cathy Hubbs <hubbs () AMERICAN EDU<mailto:hubbs () AMERICAN EDU>>
Sent: Thursday, September 3, 2020 2:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> <SECURITY () LISTSERV EDUCAUSE 
EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: [SECURITY] Who is using Passphrase over 16 characters

Hi all,

We have been supporting 2 password policies for several years and would like to move to 1 (the 16+ character 
passphrase).  Wondering how many of you have adopted a longer/stronger passphrase policy?

For ease of response - anyone using passphrase policy requiring at least 12 characters?

Feel free to contact me off list if you prefer.

Cathy

Cathy Hubbs
Chief Information Security Officer
American University
Washington DC





**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community