Educause Security Discussion mailing list archives

Re: 15 character minimum passwords


From: "Lucas, Bryan" <b.lucas () TCU EDU>
Date: Thu, 8 Jul 2004 15:53:30 -0500


Check for Mac compatibility if you have Macs; you'll want the MS UAM.
Are you getting rid of LM and forcing NTLMv2 only?
Look at how LC4/5 cracks and read up about the 7th/8th character issue.
Length doesn't necessarily equal cracking difficulty.
Study LC's options and their relation to cracking time.
Look into Anixis PPE/PPC/APR for better enforcement in a Windows
environment and self-service.  It's priced very reasonably and works like
a champ.
Prepare for the user revolt.  Be prepared to defend every complexity
rule you make.  Think through your deployment/rollout carefully.  A
product like Anixis allows you to roll it out in groups. There was a
very good study done by Cambridge on mnemonic devices and password
complexities.  I've attached the PDF, dunno if it will go through.
Google... there's tons of pages out there about passwords, best
practices, etc.  Requiring complex passwords necessitates a self-service
solution.

I just went through this in our environment. We ran LC with the most
basic setting (Dict/Username no brute) against our database for 13
months.  We'd email those whose passwords were weak asking them to
change it but had no real enforcement mechanism.  We started at 19%
weak, hit 10% in 6 months and then it stagnated.  Hence the enforcement.

Bryan Lucas
Lead Server Administrator
Texas Christian University
(817) 257-6971


-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Todd Gunter
Sent: Thursday, July 08, 2004 3:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] 15 character minimum passwords


Has anyone adopted the use of 15 character minimum passwords?

We are going to start using this password format when we migrate to
Windows 2003.  I was wondering if anyone has started to use this format
and what, if any, issues you had using them?

We see this as a simpler approach to passwords.  Fifteen character
password with complexity is simply 'Ihaveabigmouth.'.  They are also
supposed to be much harder to crack.

Please let me know your experiences with this move and any bumps in the
road to look out for.

Thanks,
Todd :)>



-----------------------------
Todd Gunter
Director, Management Information Systems
Information Technologies Project Manager
45 Ferry St
Troy, NY 12180
guntet () sage edu (work email)
518-857-6754 (cell)
518-244-2088 (office)
518-244-2460 (fax)
~~~ "If you focus on quality today, it will, in the long term, pay
benefits" ~~~

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.


Attachment: CambridgePWStudy.pdf
Description: CambridgePWStudy.pdf
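
The 7th/8th character issue and the 15-character threshold raised in this thread, as an added example that is not part of either message: a simplified Python model of how the LM scheme sees a password (folded to upper case, split into two independently hashed 7-character halves, and not stored at all above 14 characters). The function names, the character-pool sizes and the two shorter sample passwords are assumptions made for the illustration; the bit counts are exhaustive-search upper bounds for ASCII passwords and say nothing about dictionary attacks.

```python
import math
import string

LM_MAX = 14   # Windows keeps no usable LM hash for passwords longer than this
LM_HALF = 7   # LM hashes the padded password as two independent 7-char halves
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits)


def pool_size(text):
    """Size of the character pool an exhaustive search must cover for `text`."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in text))
    # Assumption: anything that is not a letter or digit counts as one of the
    # 32 ASCII punctuation characters.
    if any(all(c not in cls for cls in CLASSES) for c in text):
        size += len(string.punctuation)
    return size


def audit(password):
    """Compare exhaustive-search cost (in bits) of the NT and LM views."""
    nt_bits = len(password) * math.log2(pool_size(password)) if password else 0.0
    if len(password) > LM_MAX:
        # 15+ characters: no LM hash exists, only the NT hash is exposed.
        return {"lm_halves": None, "lm_bits": None, "nt_bits": nt_bits}
    folded = password.upper()                      # LM is case-insensitive
    halves = (folded[:LM_HALF], folded[LM_HALF:])  # the 7th/8th character split
    # Each half is searched on its own, so the costs add instead of multiplying.
    guesses = sum(pool_size(h) ** len(h) for h in halves if h)
    lm_bits = math.log2(guesses) if guesses else 0.0
    return {"lm_halves": halves, "lm_bits": lm_bits, "nt_bits": nt_bits}


if __name__ == "__main__":
    # Constructed samples, plus the 15-character example from the thread.
    for pw in ("Passw0rd", "Ihaveabigmouth", "Ihaveabigmouth."):
        r = audit(pw)
        lm = "none stored" if r["lm_bits"] is None else f"{r['lm_bits']:.1f} bits"
        print(f"{pw!r:18} halves={r['lm_halves']}  LM={lm}  NT={r['nt_bits']:.1f} bits")
```

For an 8-character password the eighth character lands alone in the second half, so it adds almost nothing to the LM search cost; at 15 characters the LM column disappears entirely.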

