Educause Security Discussion mailing list archives

Re: 15 character minimum passwords


From: "David Wall @ Yozons, Inc." <david.wall () YOZONS COM>
Date: Thu, 8 Jul 2004 17:12:34 -0700

Prepare for the user revolt.  Be prepared to defend every complexity
rule you make.  Think through your deployment/rollout carefully.

Yeah, 15 character passwords are quite a chore.  Just accurately typing in
that many characters without being able to see them will be hard for many
users.

Since this is a workstation login, you don't have as many options, but our
web-based service allows for pass phrases up to 50 characters (very few seem
to make use of more than 8-10 characters, but since they're not stored
besides long SHA-1 hashes, it's impossible to really know by viewing the
password record), we are able to lock users out for 5 minutes after 3 failed
attempts, and we can even send them an email as a secondary alert in case
another party is trying to guess their password.  Brute force attacks are
much harder to do when a password cannot be repeatedly tested, and after just
3 attempts, the user is also notified that someone is trying to access the
account.  To date, we've never received a single report of someone having
hacked a user's password.

In general, we've found the same problems when using things like a secure id
token, since most still require a pin/password (what you have + what you
know).  The tokens get lost, or they forget the pin, or they leave the token
at home, or they leave the token in their desk, and some will even write the
pin on the back of the token!  And then there's the token exchange, in which
a user is in a meeting or otherwise cannot do something that they have
permission to do, but the task must be done, so they give their token+pin to
an associate to get their job done.

It seems the more you try to lock it down, the less secure things become!
And we're not even talking about social engineering attacks (the basis of
most viruses and phishing attacks) that tend to weaken security sometimes to
the absurd level.

So, before you switch to 15 character passwords, make sure you actually have a
problem with people breaking into short password accounts.  Many people seem
to implement security without even having a problem.  Sure, you don't want
to be a victim before you take good steps, but a quality 8 character
password with some lock out periods for repeated errors and the like will
probably give you more protection than you'll need.

David

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
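The lockout-and-alert control the post describes (5-minute lockout after 3 failed attempts, with a notification to the account owner), written out as an added example; this is not code from the poster's service, and the names `LoginThrottle`, `record_attempt`, the injected `alert` callback and `clock` function are assumptions for illustration.

```python
from dataclasses import dataclass

MAX_FAILURES = 3         # failed attempts allowed before the account is locked
LOCKOUT_SECONDS = 300    # 5-minute lockout, as described in the post


@dataclass
class _Account:
    failures: int = 0          # consecutive failures since the last success/lockout
    locked_until: float = 0.0  # absolute time (seconds) at which the lockout ends


class LoginThrottle:
    """Per-user failed-login tracking: after MAX_FAILURES bad passwords the
    account is locked for LOCKOUT_SECONDS and an alert is raised so the owner
    learns that someone is guessing (hypothetical helper, not the post's code)."""

    def __init__(self, alert, clock):
        self._alert = alert      # callable(username): sends the secondary alert (e.g. email)
        self._clock = clock      # callable() -> current time in seconds; injectable for tests
        self._accounts = {}      # username -> _Account

    def is_locked(self, user: str) -> bool:
        acct = self._accounts.get(user)
        return acct is not None and self._clock() < acct.locked_until

    def record_attempt(self, user: str, password_ok: bool) -> str:
        """Return 'locked', 'ok' or 'failed'. The lockout is checked before the
        password result is honoured, so a correct guess made during the lockout
        window is still rejected and guessing cannot simply continue."""
        acct = self._accounts.setdefault(user, _Account())
        now = self._clock()
        if now < acct.locked_until:
            return "locked"
        if password_ok:
            acct.failures = 0    # a genuine login clears the failure counter
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            self._alert(user)    # notify the owner that the account is under attack
            return "locked"
        return "failed"
```

The short window also bounds the nuisance an attacker can cause by deliberately triggering lockouts against a known username, which is the usual trade-off of this control.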
