Educause Security Discussion
mailing list archives
Re: Password length and complexity
From: "Rickard, Josh A." <rickardj () HEALTH MISSOURI EDU>
Date: Fri, 31 May 2013 17:41:10 +0000
Not really a document, but I've attached an Excel sheet that explains Password Complexity vs. Length. The other Excel
sheet is for Risk Analysis.
Both of these came from the SANS Sec505 (GCWM) course. I hope this helps.
System Support Analyst
School of Medicine
University of Missouri
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric
Sent: Friday, May 31, 2013 12:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password length and complexity
Do any of you have any links handy to scholarly/technical articles that have recommendations or strategies on choosing
appropriate password length and complexity requirements? We're working on extending out password expiration period
significantly - let's say 1 year, and will be using things like 2-factor for extremely sensitive accounts, and I want
to make sure we are using a sound rationale/reasons for the length we choose - backed up by some research.
Anyone know of useful studies/research results that could help guide our recommendations?
Eric Weakland, CISSP, CISM, CRISC
Director, Information Security
Office of Information Technology
eric at american.edu
AU IT will never ask for your password via e-mail.
Don't share your password with anyone!