Home page logo

basics logo Security Basics mailing list archives

Re: Suggested "safe" password length
From: "Simon Gray" <simong () desktop-guardian com>
Date: Fri, 14 Nov 2003 11:30:27 -0000


I wanted to have an idea about what should be the suggested range of
password lengths and if there is any upper bound.
I was told that there is a range upto which your password is encrypted
and beyond which the characters are futile. I work on a linux environment
with md5 encryption of passwords enabled.

I would of thought at least 8-10 characters (this does depend on what the
password is authenticating you to? (Nuclear reactor? or your gym locker?))
You may want to enforce say at least 1 numeric, and 1 uppercase and maybe 1
lower case in that. Should also try to get your users to avoid using
dictionary words, even such as hell0, or fr3d etc.. Something like
'IQyJ$4)xv&' or 'z46he+^6**' would be a pretty strong password since it has
no real relevance to anything, however remembering that could be
interesting. That's the price you've got to pay for password security.

Hope this helps.


Simon Gray
Desktop Guardian Ltd

Developers of Identrica
mobile phone based authentication

The Presidio integrates PGP data encryption and XML Web Services security to 
simplify the management and deployment of PGP and reduce overall PGP costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]