Educause Security Discussion mailing list archives
Re: Password entropy
From: Roger Safian <r-safian () NORTHWESTERN EDU>
Date: Mon, 24 Jul 2006 08:46:57 -0500
Gene & Valdis - Thanks for your well considered posts. I do have some other questions. A little background may help.

I have two goals that I would like to achieve: passphrases that are likely to resist attacks for a period of time (let's call that period a year, but it's not clear at the moment), and a passphrase policy that the users are comfortable with. It's pretty clear that users do not buy into the letter substitution passphrase ("My users don't like this!" == "Mudlt!"), which is what we are currently recommending. I know this because I have spent a great deal of time over the last couple of years cracking their passphrases.

At the moment we're working on technologies that will allow us to remove our current length restrictions. This provides us the opportunity for change that could help with both of those goals. I am leaning towards suggesting that people use short sentences as their passphrase. Having them add a special character, numeral, case change, or misspell a word would be part of the suggestions. We could also enforce those options if we chose, although I would like to take as light a touch as possible. Users with access to sensitive data and/or privileges would have additional policy restrictions and/or secondary authentication tokens.

Now, on to the questions. Am I correct in my understanding that "this passphrase" is not as strong as "thispassphrase", even though the first is longer? Does running the words together help at all?

FWIW - At the moment I am considering a recommendation of a 12 character minimum. I'd like to get longer, but I am not sure the additional resistance from the non-privileged users will be worth it. Especially if we can tie the idea of personal responsibility into their choices.

--
Roger A. Safian
r-safian () northwestern edu (email)
public key available on many key servers.
(847) 491-4058 (voice)
(847) 467-6500 (Fax)
"You're never too old to have a great childhood!"
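An added example (not part of the list thread) that puts the "this passphrase" vs "thispassphrase" question, and the "resist for a year" goal, into numbers under two attacker models. The 20,000-word dictionary, 95-character alphabet, two separator styles and 10^9 guesses per second are assumed figures, chosen only to make the comparison concrete.

```python
import math

PRINTABLE_ASCII = 95  # assumed alphabet: space plus printable ASCII characters


def char_bruteforce_bits(passphrase: str, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Naive model: the attacker enumerates every string over the alphabet, so each
    character is worth log2(alphabet_size) bits and only the length matters.
    Under this model the spaced form scores higher simply because it is longer."""
    return len(passphrase) * math.log2(alphabet_size)


def wordlist_bits(words: list, dictionary_size: int = 20000,
                  separator_styles: int = 2, manglings_per_word: int = 1) -> float:
    """Dictionary model: the attacker guesses each word from a word list, tries each
    of `separator_styles` joiners (space, nothing, ...) and `manglings_per_word`
    rewrites of each word (case change, appended digit, common misspelling, ...).
    Only choices the attacker cannot predict add bits, so the space between
    "this" and "passphrase" is worth at most log2(separator_styles)."""
    per_word = math.log2(dictionary_size) + math.log2(manglings_per_word)
    return len(words) * per_word + math.log2(separator_styles)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time for an attacker at the given rate to try the whole space."""
    return 2.0 ** bits / guesses_per_second


def bits_to_resist(seconds: float, guesses_per_second: float) -> float:
    """Search-space size (in bits) needed so that exhausting it takes `seconds`.
    This turns a policy goal ("hold for a year") into a number to compare against."""
    return math.log2(seconds * guesses_per_second)


def compare(spaced: str, joined: str, words: list, rate: float = 1e9) -> dict:
    """Side-by-side estimate for both models, plus the one-year target at `rate`."""
    year = 365.25 * 86400
    return {
        "char_bruteforce": {spaced: round(char_bruteforce_bits(spaced), 1),
                            joined: round(char_bruteforce_bits(joined), 1)},
        "wordlist": {spaced: round(wordlist_bits(words), 1),
                     joined: round(wordlist_bits(words), 1)},
        "bits_needed_for_one_year": round(bits_to_resist(year, rate), 1),
    }


if __name__ == "__main__":
    print(compare("this passphrase", "thispassphrase", ["this", "passphrase"]))
```

The dictionary model is the one a real cracker uses against sentence-style passphrases, so the policy question is how many words and unpredictable manglings it takes to reach the "one year" line, not how many characters.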