Educause Security Discussion mailing list archives

Re: Student paper "editorial" on robust passwords


From: "Lucas, Bryan" <b.lucas () TCU EDU>
Date: Thu, 23 Sep 2004 14:35:09 -0500

You can argue that a more complex password doesn't need to be changed as
often because it's less likely to be guessed (i.e., compromised).
However, I would argue against that logic because it ignores one of the
major benefits of password expiration.

Assume a staff person's password has been compromised.  A good hacker
will do as little as possible to give away his presence; in other words,
if he has compromised your password it may be unlikely that you know
about it.  A password expiration forces him to either crack another
password or perform a more noticeable action (create a new account,
install a keylogger, etc.).

Bryan Lucas
Lead Server Administrator
Texas Christian University
(817) 257-6971


-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Arlene Yetnikoff
Sent: Thursday, September 23, 2004 2:07 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Student paper "editorial" on robust passwords


Long ago, on a less distributed type of system, a system administrator
that I knew decided to use a feature of his security software which
required passwords to be of a certain pattern.  The theory was if your
system randomly generates a password with a certain pattern of
consonants and vowels, it will be pronounceable and users will not feel
the need to write it down.  The catch was that if a user knew the required
pattern and chose a password himself that fit the pattern, the
system would not force a randomly-generated password on the user, but
allow him to use the password he chose.

Not surprisingly, the pattern was detected very quickly.  One user, in
an effort to be helpful, wrote a program which generated several hundred
pattern-fitting passwords and distributed his list to the entire IT
department.  The list was helpful and people hung it in cubes and other
places.

The system administrator soon found that most of his users' passwords
had been chosen from the first ten or so on the list.

I hope that doesn't happen here.  :-)

But this is an issue we're thinking about here also.  What type of
tradeoffs are other institutions making on password complexity vs.
expiration interval?  I'd love to hear the collected wisdom of the
populace on this one.

thanks,

Arlene Yetnikoff

updegrove () MAIL UTEXAS EDU 09/23/04 11:03AM >>>
Colleagues,


I thought you'd be amused by this "editorial," in today's Daily Texan
(the student paper) in response to our new policy to require robust
passwords.

Dan Updegrove



**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.

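A worked illustration of why the consonant/vowel pattern in Arlene Yetnikoff's story was so easy to exploit, added here as an example; it is not code from any of the posters or from the security software described. The thread does not give the exact pattern, so the example assumes a hypothetical "c"/"v" template over 21 consonants and 5 vowels at length eight. It counts the pattern-restricted password space against an unrestricted one of the same length, enumerates the start of the list the helpful user could have handed out (which is also what a cracker would try first), and flags passwords that fit the pattern, the check the administrator would have needed to reject self-chosen pattern-shaped passwords.

```python
import itertools
import math

# Assumed alphabets (the thread does not specify them): 21 consonants, 5 vowels.
CONSONANTS = "bcdfghjklmnpqrstvwxyz"
VOWELS = "aeiou"
CLASSES = {"c": CONSONANTS, "v": VOWELS}


def keyspace_size(pattern: str) -> int:
    """Number of distinct passwords that fit a c/v template such as 'cvcvcvcv'."""
    size = 1
    for cls in pattern:
        size *= len(CLASSES[cls])
    return size


def fits_pattern(password: str, pattern: str) -> bool:
    """True if the password has exactly the template's shape: same length and
    every position drawn from the right class (case-insensitive)."""
    if len(password) != len(pattern):
        return False
    return all(ch.lower() in CLASSES[cls] for ch, cls in zip(password, pattern))


def enumerate_pattern(pattern: str, limit: int) -> list[str]:
    """First `limit` pattern-fitting strings in lexical order: the list the
    helpful user in the story could distribute, and a cracker's first guesses."""
    out = []
    for combo in itertools.product(*(CLASSES[cls] for cls in pattern)):
        out.append("".join(combo))
        if len(out) >= limit:
            break
    return out


def compare(pattern: str) -> dict:
    """Size of the pattern-restricted space next to unrestricted lowercase
    and alphanumeric spaces of the same length."""
    n = len(pattern)
    patt = keyspace_size(pattern)
    lower = 26 ** n
    alnum = 62 ** n  # a-z, A-Z, 0-9
    return {
        "pattern_space": patt,
        "pattern_bits": round(math.log2(patt), 1),
        "lowercase_space": lower,
        "lowercase_bits": round(math.log2(lower), 1),
        "alnum_bits": round(math.log2(alnum), 1),
        "shrink_factor_vs_lowercase": lower // patt,
    }


def find_pattern_passwords(passwords: list[str], pattern: str) -> list[str]:
    """Audit helper: which candidate passwords fit the template and should be
    refused when a user picks them instead of taking a generated one."""
    return [p for p in passwords if fits_pattern(p, pattern)]


if __name__ == "__main__":
    pattern = "cvcvcvcv"  # assumed eight-character template
    print(compare(pattern))
    print(enumerate_pattern(pattern, 10))
    # Constructed sample of user-chosen passwords for the audit check.
    sample = ["bakelori", "Xy9!qwer", "tomadifu", "aeiouaei"]
    print(find_pattern_passwords(sample, pattern))
```

With the assumed alphabets an eight-character template admits about 1.2e8 passwords, roughly 1,700 times fewer than eight lowercase letters and far fewer than eight alphanumerics, so the whole space is trivial to enumerate offline; the real damage in the story came from users picking from the top of one published list, which shrinks the effective space to ten.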