Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Password length and complexity
From: "Rickard, Josh A." <rickardj () HEALTH MISSOURI EDU>
Date: Fri, 31 May 2013 17:41:10 +0000

Not really a document, but I've attached an Excel sheet that explains Password Complexity vs. Length.  The other Excel 
sheet is for Risk Analysis.

Both of these came from the SANS Sec505 (GCWM) course.  I hope this helps.


Josh Rickard
System Support Analyst
School of Medicine
University of Missouri

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric 
Sent: Friday, May 31, 2013 12:08 PM
Subject: [SECURITY] Password length and complexity


Do any of you have any links handy to scholarly/technical articles that have recommendations or strategies on choosing 
appropriate password length and complexity requirements?  We're working on extending out password expiration period 
significantly - let's say 1 year, and will be using things like 2-factor for extremely sensitive accounts, and I want 
to make sure we are using a sound rationale/reasons for the length we choose - backed up by some research.

Anyone know of useful studies/research results that could help guide our recommendations?


Eric Weakland, CISSP, CISM, CRISC
Director, Information Security
Office of Information Technology
American University
eric at american.edu

AU IT will never ask for your password via e-mail.
Don't share your password with anyone!

Attachment: Passphrase_Length_vs_Complexity.xls
Description: Passphrase_Length_vs_Complexity.xls

Attachment: Practical_Risk_Analysis_and_Threat_Modeling_v.1.0.xls
Description: Practical_Risk_Analysis_and_Threat_Modeling_v.1.0.xls

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]