Educause Security Discussion mailing list archives

Re: 15 character minimum passwords


From: Wayne Wilson <wwilson () UMICH EDU>
Date: Fri, 9 Jul 2004 12:35:01 -0400

It seems to me that as many people have commented, password length is
just one dimension of a multi-dimensional system.  In the overall system
we have people using computers and somewhere along each dimension
trade-offs are made with regards to people using computers productively
and the risks of such computer use being compromised.

Some of the other dimensions are:

age of password
ease of typing
account lockout
number of passwords in use
time of day restrictions
location restrictions

How many people make typing errors on longer or short complex passwords?

How many times does account lockout lead to denial of service compared
to how many times it prevents a brute force attack?

Just how deteriorated do passwords become as they age?

and so on are just some of the questions one would want to ask before
making a tradeoff.

With few exceptions, the data on these things is missing.  Good
tradeoffs are hard to make in the absence of knowledge about their impacts.

For example, in my own work, I have spent a known amount of time dealing
with denial of service from account lockout, yet I have no corresponding
data to tell me how many brute force attacks were rejected or even the
general incidence of such attacks against these systems.

So much of this stuff gets done because no one wants to say they didn't
do something that was available to be done, or the auditor's report
finds you didn't follow the list of security common practices, or folk
wisdom they used.
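The post above points out that the lockout-versus-brute-force trade-off is usually made without measuring either side. The script below is an added example (not part of Wayne Wilson's message and not an Educause artifact) of how one could start collecting that missing data from ordinary sshd auth logs: it replays failures per account, records each point where a lockout policy would have tripped, and then labels the lockout as a probable brute-force/spray (one source failing against several accounts), a self-inflicted denial of service (the same source logs in successfully shortly afterwards), or undetermined. The log lines, the thresholds (5 failures in 15 minutes, 3 sprayed accounts, 1 hour recovery) and the three verdict names are all constructed assumptions for the illustration; tune them to your own policy.

```python
"""Tally account lockouts as brute-force vs. self-inflicted DoS from sshd-style auth logs.

Added illustration; the log lines below are constructed, not real traffic.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5            # assumed policy: 5 failures per account ...
WINDOW = timedelta(minutes=15)   # ... inside 15 minutes trips a lockout
SPRAY_USERS = 3                  # assumed: a source failing against 3+ accounts is an attacker
RECOVERY = timedelta(hours=1)    # assumed: a success from the same source within 1h = real user

# Constructed sample in OpenSSH syslog format (no year in the timestamp).
SAMPLE_LOG = """\
Jul  9 09:00:01 host sshd[1001]: Failed password for alice from 10.0.0.5 port 50001 ssh2
Jul  9 09:00:09 host sshd[1002]: Failed password for alice from 10.0.0.5 port 50002 ssh2
Jul  9 09:00:20 host sshd[1003]: Failed password for alice from 10.0.0.5 port 50003 ssh2
Jul  9 09:00:31 host sshd[1004]: Failed password for alice from 10.0.0.5 port 50004 ssh2
Jul  9 09:00:45 host sshd[1005]: Failed password for alice from 10.0.0.5 port 50005 ssh2
Jul  9 09:21:02 host sshd[1006]: Accepted password for alice from 10.0.0.5 port 50006 ssh2
Jul  9 11:30:00 host sshd[2001]: Failed password for bob from 203.0.113.9 port 41000 ssh2
Jul  9 11:30:01 host sshd[2002]: Failed password for bob from 203.0.113.9 port 41001 ssh2
Jul  9 11:30:02 host sshd[2003]: Failed password for bob from 203.0.113.9 port 41002 ssh2
Jul  9 11:30:03 host sshd[2004]: Failed password for bob from 203.0.113.9 port 41003 ssh2
Jul  9 11:30:04 host sshd[2005]: Failed password for bob from 203.0.113.9 port 41004 ssh2
Jul  9 11:30:05 host sshd[2006]: Failed password for invalid user carol from 203.0.113.9 port 41005 ssh2
Jul  9 11:30:06 host sshd[2007]: Failed password for invalid user carol from 203.0.113.9 port 41006 ssh2
Jul  9 11:30:07 host sshd[2008]: Failed password for dave from 203.0.113.9 port 41007 ssh2
Jul  9 11:30:08 host sshd[2009]: Failed password for dave from 203.0.113.9 port 41008 ssh2
Jul  9 14:00:00 host sshd[3001]: Failed password for frank from 192.0.2.3 port 33000 ssh2
Jul  9 14:00:03 host sshd[3002]: Failed password for frank from 192.0.2.3 port 33001 ssh2
Jul  9 14:00:06 host sshd[3003]: Failed password for frank from 192.0.2.3 port 33002 ssh2
Jul  9 14:00:09 host sshd[3004]: Failed password for frank from 192.0.2.3 port 33003 ssh2
Jul  9 14:00:12 host sshd[3005]: Failed password for frank from 192.0.2.3 port 33004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(lines):
    """Yield (timestamp, result, user, source) tuples; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year is absent; deltas still work
        yield ts, m["result"], m["user"], m["src"]


def find_lockouts(events):
    """Replay failures per account and record each point where the lockout policy would trip."""
    recent = defaultdict(list)      # user -> [(ts, src)] failures still inside WINDOW
    lockouts = []
    for ts, result, user, src in events:
        if result != "Failed":
            continue
        window = [(t, s) for t, s in recent[user] if ts - t <= WINDOW]
        window.append((ts, src))
        if len(window) >= LOCKOUT_THRESHOLD:
            lockouts.append({"user": user, "at": ts, "sources": {s for _, s in window}})
            window = []             # a real lockout resets the failure counter
        recent[user] = window
    return lockouts


def classify_lockouts(lines):
    """Map (user, HH:MM:SS of lockout) -> 'brute_force' | 'self_inflicted' | 'undetermined'."""
    events = list(parse(lines))
    users_per_source = defaultdict(set)   # src -> accounts it failed against (spray indicator)
    successes = defaultdict(list)         # user -> [(ts, src)] accepted logins
    for ts, result, user, src in events:
        if result == "Failed":
            users_per_source[src].add(user)
        else:
            successes[user].append((ts, src))
    verdicts = {}
    for lk in find_lockouts(events):
        if any(len(users_per_source[s]) >= SPRAY_USERS for s in lk["sources"]):
            verdict = "brute_force"       # one source hammering several accounts
        elif any(lk["at"] <= t <= lk["at"] + RECOVERY and s in lk["sources"]
                 for t, s in successes[lk["user"]]):
            verdict = "self_inflicted"    # same source got in soon after: the user locked themself out
        else:
            verdict = "undetermined"      # the case the post complains about: no data either way
        verdicts[(lk["user"], lk["at"].strftime("%H:%M:%S"))] = verdict
    return verdicts


def summarize(lines):
    """Counts per verdict: the numbers the post says are normally missing."""
    return dict(Counter(classify_lockouts(lines).values()))


if __name__ == "__main__":
    for key, verdict in classify_lockouts(SAMPLE_LOG.splitlines()).items():
        print(key, verdict)
    print(summarize(SAMPLE_LOG.splitlines()))
```

Run it against a real `/var/log/auth.log` by piping the file into `classify_lockouts`; the useful output is the ratio in `summarize`, since an "undetermined" bucket that dominates is itself evidence that the lockout policy is being run blind. Note that a success from the attacker's source after a lockout would also be scored "self_inflicted", so treat that label as "needs a look", not as proof of innocence.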

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
