Educause Security Discussion mailing list archives
Re: 15 character minimum passwords
From: Wayne Wilson <wwilson () UMICH EDU>
Date: Fri, 9 Jul 2004 12:35:01 -0400
It seems to me that as many people have commented, password length is just one dimension of a multi-dimensional system. In the overall system we have people using computers and somewhere along each dimension trade-offs are made with regards to people using computers productively and the risks of such computer use being compromised.

Some of the other dimensions are:

- age of password
- ease of typing
- account lockout
- number of passwords in use
- time of day restrictions
- location restrictions

How many people make typing errors on longer or short complex passwords? How many times does account lockout lead to denial of service compared to how many times it prevents a brute force attack? Just how deteriorated do passwords become as they age? and so on are just some of the questions one would want to ask before making a tradeoff.

With few exceptions, the data on these things is missing. Good tradeoffs are hard to make in the absence of knowledge about their impacts. For example, in my own work, I have spent a known amount of time dealing with denial of service from account lockout, yet I have no corresponding data to tell me how many brute force attacks were rejected or even the general incidence of such attacks against these systems.

So much of this stuff gets done because no one wants to say they didn't do something that was available to be done, or the auditor's report finds you didn't follow the list of security common practices, or folk wisdom they used.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.