Educause Security Discussion mailing list archives
Re: Student paper "editorial" on robust passwords
From: "Lucas, Bryan" <b.lucas () TCU EDU>
Date: Thu, 23 Sep 2004 14:35:09 -0500
You can argue that a more complex password doesn't need to be changed as often because it's less likely to be guessed (i.e. compromised). However, I would argue against that logic because it ignores one of the major benefits to password expiration. Assume a staff person's password has been compromised. A good hacker will do as little as possible to give away his presence; in other words, if he has compromised your password it may be unlikely that you know about it. A password expiration forces him to either crack another password or perform a more noticeable action (create a new account, install a keylogger, etc).

Bryan Lucas
Lead Server Administrator
Texas Christian University
(817) 257-6971

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Arlene Yetnikoff
Sent: Thursday, September 23, 2004 2:07 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Student paper "editorial" on robust passwords

Long ago, on a less distributed type of system, a system administrator that I knew decided to use a feature of his security software which required passwords to be of a certain pattern. The theory was if your system randomly generates a password with a certain pattern of consonants and vowels, it will be pronounceable and users will not feel the need to write it down. The catch was that if a user knew the pattern required and chose a password himself that fit the pattern, the system would not force a randomly-generated password on the user, but allow him to use the password he chose.

Not surprisingly, the pattern was detected very quickly. One user, in an effort to be helpful, wrote a program which generated several hundred pattern-fitting passwords and distributed his list to the entire IT department. The list was helpful and people hung it in cubes and other places.
The system administrator soon found that most of his users' passwords had been chosen from the first ten or so on the list. I hope that doesn't happen here. :-)

But this is an issue we're thinking about here also. What type of tradeoffs are other institutions making on password complexity vs. expiration interval? I'd love to hear the collected wisdom of the populace on this one.

thanks,
Arlene Yetnikoff
updegrove () MAIL UTEXAS EDU 09/23/04 11:03AM >>>
Colleagues,

I thought you'd be amused by this "editorial," in today's Daily Texan (the student paper) in response to our new policy to require robust passwords.

Dan Updegrove

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
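As an added illustration of the pattern problem Arlene describes (example code, not from anyone in the thread): it computes the keyspace of a consonant/vowel pattern policy against unconstrained random letters, and shows that a user-chosen word which happens to fit the pattern passes the pattern rule alone, which is exactly the catch in her story. The digit class and the published-list check are assumptions of this example, not features of the system she mentions.

```python
import math
import string

# Constructed letter classes a pattern slot draws from.
# "c" = consonant, "v" = vowel, "d" = digit (digit class is an assumption here).
CLASSES = {
    "c": "".join(ch for ch in string.ascii_lowercase if ch not in "aeiou"),
    "v": "aeiou",
    "d": string.digits,
}


def fits_pattern(password: str, pattern: str) -> bool:
    """True if every character of `password` is in the class its pattern slot names."""
    if len(password) != len(pattern):
        return False
    return all(ch in CLASSES[slot] for ch, slot in zip(password, pattern))


def pattern_keyspace_bits(pattern: str) -> float:
    """log2 of the number of distinct strings that satisfy `pattern`."""
    return sum(math.log2(len(CLASSES[slot])) for slot in pattern)


def unconstrained_bits(length: int, alphabet_size: int = 26) -> float:
    """log2 keyspace of `length` characters drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def accept_password(password: str, pattern: str, published: set) -> bool:
    """Policy check (assumed): must fit the pattern and must not be on a circulated list."""
    return fits_pattern(password, pattern) and password not in published


if __name__ == "__main__":
    pattern = "cvcvcvcv"
    print(f"{pattern}: {pattern_keyspace_bits(pattern):.1f} bits vs "
          f"{unconstrained_bits(8):.1f} bits for 8 random lowercase letters")
    # A dictionary word that fits the pattern is accepted by the pattern rule alone.
    print(fits_pattern("banana", "cvcvcv"))  # True
```

The pattern rule by itself shrinks an 8-letter space from roughly 37.6 bits to under 27, and still admits predictable words; the published-list check is the kind of extra control that would have caught passwords copied from the circulated sheet.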