Educause Security Discussion mailing list archives
Re: Stats re: passwords
From: Matthew Gracie <graciem () CANISIUS EDU>
Date: Fri, 16 Oct 2009 13:09:55 -0400
Matthew Wollenweber wrote:
Generally speaking, most brute force programs, dictionaries, and cracking software are well suited to the rules Randy cited: "a) 8-16 characters b) upper/lower case c) at least 1 numeric d) at least 1 special character." Notably, Pa$$w0rd, Passw0rd!, and P@ssword1 are very common examples of how most people tend to cluster "complex" rules into easily guessable permutations. I tend to use truly random passwords from a generator or those similar in style to what Don mentioned.

-Matt
Occasional brute force audits aren't a bad thing. If you're using LDAP central auth, just take a dump from it and run John against it for a weekend. You'll be amazed how many cracks you get, even with the default dictionaries. I do this every month or so and send out "you've got a weak password!" emails to everyone that gets cracked. And I'm so proud when they call me to confirm that I really sent the message. :)

--Matt
On Fri, Oct 16, 2009 at 12:48 PM, Chris Kidd <chris.kidd () utah edu> wrote:

It depends upon the purpose of the password rules. Are the rules to prevent others from guessing a password? If that's the case, either approach seems reasonable. However, password requirements should be part of an overall strategy that includes monitoring, lockouts, etc.

Chris

Chris Kidd
650 Komas Drive, Suite 102
Salt Lake City, UT 84108
Office: 801.587.9241
Cell: 801.747.9028
chris.kidd () utah edu
http://www.secureit.utah.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Don M. Blumenthal
Sent: Friday, October 16, 2009 10:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Stats re: passwords

One person that I know in the security community doesn't believe in password rules like these because they are a pain to type and could be forgotten, if nothing else wrt whether a letter is capitalized or not. Where the system allows long pws, he advocates long, easy to remember sentences, such as "IhatestrongpasswordrulesmorethanIhateBrusselssprouts."

Don

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of randy marchany
Sent: Friday, October 16, 2009 12:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Stats re: passwords

After reading Alison's note to the list about password rules, I'm sure that for most of us, the following password would be valid under standard password rules of a) 8-16 characters b) upper/lower case c) at least 1 numeric d) at least 1 special character.

AaBbCcDd1234)(*&

<sigh>

Randy Marchany
VA Tech IT Security Office
--
Matt Gracie
(716) 888-8378
Information Security Administrator
graciem () canisius edu
Canisius College ITS
Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg
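As an added illustration (not code from anyone in this thread), a small Python check that applies Randy's four rules and then flags the two patterns the messages describe: dictionary words with symbol substitutions (Pa$$w0rd, Passw0rd!, P@ssword1) and sequences like AaBbCcDd1234)(*&. The wordlist and substitution table are constructed stand-ins for a cracker's dictionary and mangling rules, not John's actual ones.

```python
import string

# Randy's rules from the thread: a) 8-16 chars, b) upper and lower case,
# c) at least one digit, d) at least one special character.
def meets_complexity_rules(pw: str) -> bool:
    return (8 <= len(pw) <= 16
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

# Constructed stand-in for a cracking wordlist (a real audit would use
# John's default dictionaries, as Matt describes).
WORDLIST = {"password", "welcome", "letmein", "qwerty"}

# Common symbol-for-letter substitutions that cracking rules undo.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                      "3": "e", "5": "s", "7": "t"})

def base_word(pw: str) -> str:
    """Lowercase, drop bolted-on leading/trailing digits and symbols, then
    reverse substitutions: Pa$$w0rd, Passw0rd!, P@ssword1 -> 'password'."""
    core = pw.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET)

def has_sequence(pw: str, min_run: int = 4) -> bool:
    """True if any run of letters or digits is a strictly ascending or
    descending sequence once adjacent repeats are collapsed
    (AaBbCcDd -> abcd, 1234 -> 1234)."""
    runs, cur = [], ""
    for c in pw.lower():
        if c.isalnum() and (not cur or c.isdigit() == cur[-1].isdigit()):
            cur += c
        else:
            runs.append(cur)
            cur = c if c.isalnum() else ""
    runs.append(cur)
    for run in runs:
        collapsed = "".join(c for i, c in enumerate(run) if i == 0 or c != run[i - 1])
        if len(collapsed) >= min_run:
            steps = {ord(b) - ord(a) for a, b in zip(collapsed, collapsed[1:])}
            if steps == {1} or steps == {-1}:
                return True
    return False

def is_predictable(pw: str) -> bool:
    return base_word(pw) in WORDLIST or has_sequence(pw)

def assess(pw: str) -> dict:
    """Rules compliance and predictability side by side."""
    return {"meets_rules": meets_complexity_rules(pw), "predictable": is_predictable(pw)}
```

Don's long sentence fails every one of the four rules yet is not flagged as predictable, while Pa$$w0rd and AaBbCcDd1234)(*& pass all four and are flagged.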