Educause Security Discussion mailing list archives
Re: 15 character minimum passwords
From: "David Wall @ Yozons, Inc." <david.wall () YOZONS COM>
Date: Thu, 8 Jul 2004 17:12:34 -0700
Prepare for the user revolt. Be prepared to defend every complexity rule you make. Think through your deployment/rollout carefully.
Yeah, 15 character passwords are quite a chore. Just accurately typing in that many characters without being able to see them will be hard for many users. Since this is a workstation login, you don't have as many options, but our web-based service allows for pass phrases up to 50 characters (very few seem to make use of more than 8-10 characters, but since they're not stored except as long SHA-1 hashes, it's impossible to really know by viewing the password record), we are able to lock users out for 5 minutes after 3 failed attempts, and we can even send them an email as a secondary alert in case another party is trying to guess their password. Brute force attacks are much harder to do when a password cannot be repeatedly tested, and after just 3 attempts, the user is also notified that someone is trying to access the account. To date, we've never received a single report of someone having hacked a user's password.

In general, we've found the same problems when using things like a secure id token, since most still require a pin/password (what you have + what you know). The tokens get lost, or they forget the pin, or they leave the token at home, or they leave the token in their desk, and some will even write the pin on the back of the token! And then there's the token exchange, in which a user is in a meeting or otherwise cannot do something that they have permission to do, but the task must be done, so they give their token+pin to an associate to get their job done. It seems the more you try to lock it down, the less secure things become! And we're not even talking about social engineering attacks (the basis of most viruses and phishing attacks) that tend to weaken security sometimes to the absurd level.

So, before you switch to 15 character passwords, make sure you actually have a problem with people breaking into short password accounts. Many people seem to implement security without even having a problem. Sure, you don't want to be a victim before you take good steps, but a quality 8 character password with some lock out periods for repeated errors and the like will probably give you more protection than you'll need.

David

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
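The lockout-and-alert scheme described in the post (a 5-minute lock after 3 failed attempts, with a notification to the user) as an added Python example; this is not code from the post or from Yozons' service, and the `notify` callback and `ManualClock` are assumptions standing in for a real mail sender and the system clock. Password verification itself is left to the caller and is only invoked when the account is not locked.

```python
import time

MAX_FAILURES = 3           # failed attempts before lockout (policy from the post)
LOCKOUT_SECONDS = 5 * 60   # lockout length in seconds (policy from the post)


class ManualClock:
    """Constructed test clock so the policy can be exercised without sleeping."""
    def __init__(self, start=1_000.0):
        self.now = start

    def __call__(self):
        return self.now


class LockoutPolicy:
    """Per-account failed-login counter with a timed lockout and an alert hook."""
    def __init__(self, clock=time.time, notify=None):
        self.clock = clock
        # Hypothetical hook: in a real deployment this would send the email alert.
        self.notify = notify or (lambda user, msg: None)
        self.failures = {}       # user -> consecutive failed attempts
        self.locked_until = {}   # user -> epoch seconds at which the lock expires
        self.alerts = []         # record of alerts raised (stand-in for sent mail)

    def attempt(self, user, verify):
        """Process one login; `verify` is a zero-argument callable that checks
        the supplied password. Returns 'locked', 'ok', 'fail' or 'locked_now'."""
        now = self.clock()
        if now < self.locked_until.get(user, 0.0):
            # Refuse without calling verify(): a locked account must not act
            # as a password oracle for whoever caused the lock.
            return "locked"
        if verify():
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0
            msg = f"{MAX_FAILURES} failed logins; locked for {LOCKOUT_SECONDS // 60} minutes"
            self.alerts.append((user, msg))
            self.notify(user, msg)   # secondary alert to the account owner
            return "locked_now"
        return "fail"
```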