Educause Security Discussion mailing list archives
Re: 15 character minimum passwords
From: Greg Jackson <gjackson () UCHICAGO EDU>
Date: Fri, 9 Jul 2004 08:23:29 -0500
The problem, I think, is that limits on incorrect password guesses create a problem of their own: they become the obvious mechanism for simple denial-of-service attacks aimed at individuals or, in some cases, entire user sets for the host in question. So my sense is that limits on guesses -- that is, lockout policies -- are declining in attractiveness. Crackability, which arguably had been solved by lockout policies, thus becomes important once again.

That said, it's important to distinguish between rational guessing strategies -- trying blank passwords, passwords set to "password", passwords set to the username or the user's name, etc -- and brute-force dictionary or pattern attacks. Regardless of how one deals with the latter, it's critical to have policies and mechanisms to prevent users from using stupid passwords.

At 08:05 AM 7/9/2004, you wrote:
> if you have a limit on incorrect password guesses then going from 8 to 15 characters makes no difference to fighting a guessing attack

==== gj / VP&CIO
==== The University of Chicago
==== 5801 South Ellis #605, Chicago IL 60637
==== 773-702-2828 voice, 773-834-2829 fax
==== http://gjackson.uchicago.edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.