Educause Security Discussion mailing list archives
Re: Password policy
From: "Penn, Blake" <pennb () UWW EDU>
Date: Thu, 2 Nov 2006 09:06:59 -0600
You can also use GPOs or registry entries to enforce NTLM-family hashes if passphrases and/or long passwords are not politically feasible in your organization and/or if you want to enforce stronger hashes universally (particularly if you don't need to support legacy Windows systems in a domain environment). But, if your hashes are unprotected you are in for other problems anyway!

http://support.microsoft.com/kb/299656

____________________________________________
Blake Penn, CISSP
Information Security Officer
University of Wisconsin-Whitewater
(p) 262-472-7792
(f) 262-472-1285
pennb () uww edu | http://www.uww.edu/security/

________________________________
From: Harold Winshel [mailto:winshel () CAMDEN RUTGERS EDU]
Sent: Wednesday, November 01, 2006 6:45 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password policy

Just wondering - why is 8 characters often used as a common length for passwords? My understanding is that it is because older Unix systems had a maximum password length of 8 characters so, if no more than that reason alone, 8 characters is a convention for a lot of Windows users. Maybe because it's simpler than telling users to have an 8-character password limit for Unix accounts but a longer character limit for Windows accounts.

I thought that if a Windows password is at least 15 characters long, it won't be stored using the LM hash (which is easier to crack because it breaks the password into seven-character chunks and also makes everything upper-case). For sensitive Windows systems, therefore, we use a minimum 15-character passphrase.

Harold
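
The LM behaviour discussed in this thread (upper-casing, seven-character chunks, no LM hash at 15 or more characters), modelled as an added example that is not part of the original messages. It covers only the preprocessing and the resulting guess counts, not the DES step; the function names are hypothetical, and it assumes ASCII-only passwords drawn from the 95 printable ASCII characters.

```python
import string

LM_MAX_LEN = 14   # passwords of 15+ characters cannot be represented by LM
CHUNK_LEN = 7     # LM hashes each 7-byte half independently
# Assumption: passwords use only the 95 printable ASCII characters.
PRINTABLE = string.digits + string.ascii_letters + string.punctuation + " "

def lm_halves(password):
    """Return the two 7-byte halves LM would hash, or None when the
    password is too long for LM (15 or more characters)."""
    if len(password) > LM_MAX_LEN:
        return None
    # Assumption: ASCII input; real LM uses the system OEM code page.
    padded = password.upper().encode("ascii").ljust(LM_MAX_LEN, b"\0")
    return padded[:CHUNK_LEN], padded[CHUNK_LEN:]

def lm_alphabet_size():
    """Distinct symbols left once lowercase is folded to uppercase."""
    return len(set(PRINTABLE.upper()))

def lm_worst_case_guesses():
    """Upper bound on guesses for any LM-hashed password: each half is
    searched separately, over lengths 0 through 7."""
    per_half = sum(lm_alphabet_size() ** k for k in range(CHUNK_LEN + 1))
    return 2 * per_half

def case_sensitive_guesses(length):
    """Guesses to exhaust case-sensitive passwords of exactly this length."""
    return len(PRINTABLE) ** length

def audit(password):
    """Summarise how LM would treat one candidate password."""
    halves = lm_halves(password)
    return {
        "length": len(password),
        "lm_representable": halves is not None,
        "lm_halves": halves,
        "lm_guesses": lm_worst_case_guesses() if halves else None,
        "case_sensitive_guesses": case_sensitive_guesses(len(password)),
    }

if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for sample in ("Passw0rd!", "Fourteen-Chars", "fifteen chars.."):
        print(audit(sample))
```
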