Re: Stats re: passwords

[John Lupton <lupton () ISC UPENN EDU>]

And an Aggie joke at that...

John Lupton (UT '74)

----------------------------------------------------
John T. Lupton
Sr. Information Security Specialist
University of Pennsylvania/Information Systems & Computing
lupton () upenn edu/215-573-3811




On Oct 16, 2009, at 6:09 PM, Wayne Samardzich wrote:

> It's a joke.
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
> Sent: Friday, October 16, 2009 5:02 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Stats re: passwords
>
> On Fri, 16 Oct 2009 16:27:41 CDT, Willis Marti said:
> > During a recent password audit, it was found that one user was using
> > the following password:  MickeyMinniePlutoHueyLouieDeweyDonaldGoofy
>
> I call shenanigans.  *How* exactly was this found out?  What password
> cracker would actually try that combo - and not run so slowly trying  
> all
> *other* similar length password/phrase combos that it would be  
> useless?
>
> > When asked why such a big password, the user said that it had to be  
> > at
>
> > least
> > 8 characters long.
>
> It *does* make for a good story though. ;)
>
> The problem is that good stories usually end up growing up to become
> urban legends, and then somebody sets policy based on it, without any
> real thought about things like "is it really plausible to break a 40+
> character password in realistic time?".
>
> This is probably a good time to suggest that everybody go back and
> re-read Gene Spafford's blog postings on forced expiration/changing of
> passwords, and the threat models it used to defend against, and the
> actual threat models we face now.  A keystroke logger doesn't care  
> about
> password complexity rules....