Educause Security Discussion mailing list archives
Re: 15 character minimum passwords
From: "Lucas, Bryan" <b.lucas () TCU EDU>
Date: Thu, 8 Jul 2004 15:53:30 -0500
Check for Mac compatibility if you have Macs; you'll want the MS UAM.

Are you getting rid of LM and forcing NTLMv2 only?

Look at how LC4/5 cracks and read up about the 7th/8th character issue. Length doesn't necessarily equal cracking difficulty. Study LC's options and their relation to cracking time.

Look into Anixis PPE/PPC/APR for better enforcement in a Windows environment and self-service. It's priced very reasonably and works like a champ.

Prepare for the user revolt. Be prepared to defend every complexity rule you make. Think through your deployment/rollout carefully. A product like Anixis allows you to roll it out in groups.

There was a very good study done by Cambridge on mnemonic devices and password complexities. I've attached the PDF, dunno if it will go through.

Google... there's tons of pages out there about passwords, best practices, etc.

Requiring complex passwords necessitates a self-service solution.

I just went through this in our environment. We ran LC with the most basic setting (Dict/Username no brute) against our database for 13 months. We'd email those whose passwords were weak asking them to change it but had no real enforcement mechanism. We started at 19% weak, hit 10% in 6 months and then it stagnated. Hence the enforcement.

Bryan Lucas
Lead Server Administrator
Texas Christian University
(817) 257-6971

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Todd Gunter
Sent: Thursday, July 08, 2004 3:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] 15 character minimum passwords

Has anyone adopted the use of 15 character minimum passwords? We are going to start using this password format when we migrate to Windows 2003. I was wondering if anyone has started to use this format and what, if any, issues you had using them?

We see this as a simpler approach to passwords. Fifteen character password with complexity is simply 'Ihaveabigmouth.'. They are also supposed to be much harder to crack.

Please let me know your experiences with this move and any bumps in the road to look out for.

Thanks,
Todd :)>

-----------------------------
Todd Gunter
Director, Management Information Systems
Information Technologies Project Manager
45 Ferry St
Troy, NY 12180
guntet () sage edu (work email)
518-857-6754 (cell)
518-244-2088 (office)
518-244-2460 (fax)

~~~ "If you focus on quality today, it will, in the long term, pay benefits" ~~~

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Attachment: CambridgePWStudy.pdf
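An added example, not part of the original message or of any tool named in it: a small policy-audit sketch of why the 14/15 character boundary and the 7th/8th character position matter. It assumes the "7th/8th character issue" refers to LM hashing's upper-casing of the password and its split into two independently hashed 7-character halves. The character-set sizes and function names are modelling assumptions.

```python
import math

LM_MAX_LEN = 14    # LM hashing only covers passwords of up to 14 characters
LM_HALF_LEN = 7    # each 7-character half is hashed on its own
LM_CHARSET = 69    # assumption: 95 printable ASCII minus 26 lowercase letters
NT_CHARSET = 95    # assumption: printable ASCII, case preserved


def lm_halves(password):
    """Return the two upper-cased halves LM hashes separately, or None when
    the password is too long for an LM hash of it to exist."""
    if len(password) > LM_MAX_LEN:
        return None
    upper = password.upper()
    return upper[:LM_HALF_LEN], upper[LM_HALF_LEN:]


def brute_force_bits(password):
    """Worst-case exhaustive-search work in bits, assuming known length."""
    nt_bits = round(len(password) * math.log2(NT_CHARSET), 1)
    halves = lm_halves(password)
    if halves is None:
        return {"lm_bits": None, "nt_bits": nt_bits}
    # The halves are searched independently, so their costs add rather
    # than multiply: 14 characters is two 7-character problems.
    lm_work = sum(LM_CHARSET ** len(half) for half in halves)
    return {"lm_bits": round(math.log2(lm_work), 1), "nt_bits": nt_bits}


def audit(passwords):
    """Map each candidate password to its halves and search-space estimate."""
    return {pw: (lm_halves(pw), brute_force_bits(pw)) for pw in passwords}


if __name__ == "__main__":
    # Constructed samples; the last is the 15-character example from the thread.
    for pw, (halves, bits) in audit(["Passw0rd", "Ihaveabigmouth",
                                     "Ihaveabigmouth."]).items():
        print(f"{len(pw):2d} chars  halves={halves}  {bits}")
```

In this model an 8-character and a 14-character password differ by about one bit of LM search work, while the 15-character passphrase has no LM representation at all and only the NT-hash estimate applies.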