Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Publishing password rules
From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Thu, 6 Nov 2008 08:27:48 -0700

 A key component of password strength is entropy. Running English text has extremely low entropy which is why, for 
example, plain text can be compressed so well. Thus, when considering password strength as a function of bit-strength, 
a long passphrase of simple words is quite weak. Passphrases also have end-user challenges -- namely typing a long 
string of characters the user can't see without making a typo, etc.

Brian Basgen
Information Security
Pima Community College

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Strzelec, Wally
Sent: Thursday, November 06, 2008 7:16 AM
Subject: Re: [SECURITY] Publishing password rules

I like the idea of a "password phrase".  Complex passwords are hard to
type and hard to remember.  A simple silly phrase such as "The cow is
all red" is easy to remember, type and its 18 chars.  It is also very
easy to add complexity by simply misspelling a word adding a period
etc...  I think that when it comes to strong passwords, length is
better than complexity.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Geoff Nathan
Sent: Wednesday, October 29, 2008 9:46 AM
Subject: [SECURITY] Publishing password rules

A week or so ago I asked for opinions on whether publishing strong
password standards constituted a security risk.  The background for
this is that we have just instituted increased strength requirements
(minimum eight characters, at least one upper case and at least one
numeral, no obvious matches--dictionary, accessID etc.)  We’ve now had
to back off a little because of *&#$%&!! Oracle limitations that forbid
non-alphanumeric characters (well, most of them).
As part of this we’ve been debating whether we should publish the rules
or let users play twenty questions.  I personally favor publishing the
requirements behind some authentication wall, such as the password
change page.  By a large majority (12-3) the folks who responded to my
question agreed.  Several pointed out that eight characters was
probably too weak to make any difference, and, in general I agree, but
bumping that number up would not fly here at the moment, especially
given a six-month expiry cycle.
Many thanks to the following for the responses:

Valdis Kletnieks
Roger Safian
Steven Alexander
Vijaya Sastry
Adam Nave
Tim Doty
Alex Everett
Bill Terry
Bob Bayn
Brian Basgen
Jack Suess
Conor McGrath
Jim Rizzo
Gary Dobbins
Joel Rosenblatt

Geoffrey S. Nathan
Faculty Liaison, C&IT
and Associate Professor, Linguistics Program
+1 (313) 577-1259 (C&IT)
+1 (313) 577-8621 (English/Linguistics)

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]