Educause Security Discussion mailing list archives
Re: password vs pass-phrase (was: Are users right in rejecting security advice?)
From: Roger Safian <r-safian () NORTHWESTERN EDU>
Date: Thu, 18 Mar 2010 08:49:15 -0500
My thoughts on the password issue are varied, and have evolved over time. We need passwords. At the moment they're the only acceptable tool for securing a variety of assets. I'm hopeful at some point another technology will replace or augment the password. That being said, the password has a variety of well-known weaknesses. I believe that we need to balance the risk of password exposure with the needs and wants of our communities. My experience is that users are not fond of passwords. Trying to implement a solution that is not popular will encourage workarounds. I assume that an academic environment will compound this issue.

I'm starting to be convinced that the concept of password strength is less useful. When I started here, a six-character, upper-case password was for all practical purposes uncrackable. Faster computers, coupled with low-cost specialty equipment and rainbow tables, have now driven the password length needed to resist cracking to what I believe are unacceptable lengths for most of our community.

I see two main risks we are trying to address: password cracking, and the unintentional exposure of the password (shoulder surfing). The cracking issue might be better addressed by providing additional resources to protect and/or monitor critical systems, such that if the hashes were exposed we could quickly react to that by enforcing a change. Surfing can be mitigated by length and education of users.

In my mind, the recent discussion about length needs to focus on a particular risk. I concede that the arguments about length and entropy are correct. I'm suggesting the argument is not as relevant. Perhaps we need to enforce password rules based on the risk we are trying to protect. Perhaps the typical user can get by with a minimum password length of X, but users who have access to more vital assets need a length of 3X or some additional authentication mechanism.

I like the idea of changing the password with some frequency. What the frequency should be, I'm still trying to work out. The reason I prefer some sort of regularly scheduled password change is that if a password is compromised the change may secure that asset again. I'm just thinking out loud here. I do know that passwords are a sensitive issue in my community, and my community is unlikely to acquiesce to significant lengthening of the minimum.

--
Roger A. Safian
r-safian () northwestern edu (email)
public key available on many key servers.
(847) 467-6437 (voice)
(847) 467-6500 (Fax)
"You're never too old to have a great childhood!"
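The length-versus-entropy argument conceded in the message above, and the idea of a risk-tiered minimum length (X for typical users, more for those holding vital assets), can be made concrete with a small calculation. The following is an added example, not code from the original post or the list; the character-set sizes, the dictionary size for passphrases, the per-tier entropy targets and the guess rate are assumptions chosen for illustration, not figures from the thread.

```python
import math

# Character-class sizes for common password policies (assumed, for illustration).
CHARSETS = {
    "upper": 26,                     # the six-character upper-case policy mentioned in the post
    "upper+lower": 52,
    "upper+lower+digit": 62,
    "printable ascii": 95,
}

# Entropy targets per risk tier in bits (assumed values, not from the post).
TIER_TARGET_BITS = {
    "typical user": 40.0,
    "vital assets": 80.0,
}


def entropy_bits(length: int, symbol_count: int) -> float:
    """Entropy of a uniformly random secret of `length` symbols drawn from
    `symbol_count` possibilities: length * log2(symbol_count)."""
    if length < 1 or symbol_count < 2:
        raise ValueError("length must be >= 1 and symbol_count >= 2")
    return length * math.log2(symbol_count)


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """A passphrase is the same calculation with words as the symbols."""
    return entropy_bits(word_count, dictionary_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for an offline search to hit a uniformly random secret:
    on average half the keyspace must be tried."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def length_for_target(target_bits: float, symbol_count: int) -> int:
    """Smallest length whose entropy reaches `target_bits` for a given alphabet."""
    return math.ceil(target_bits / math.log2(symbol_count))


def tiered_minimums(symbol_count: int) -> dict:
    """Minimum length per risk tier for one alphabet, implementing the
    'X for typical users, more for vital assets' idea as entropy targets."""
    return {tier: length_for_target(bits, symbol_count)
            for tier, bits in TIER_TARGET_BITS.items()}


def compare_policies(guesses_per_second: float) -> dict:
    """Expected offline crack time for several example policies at one
    assumed guess rate; returns {policy name: seconds}."""
    policies = {
        "6 upper": entropy_bits(6, CHARSETS["upper"]),
        "8 upper+lower+digit": entropy_bits(8, CHARSETS["upper+lower+digit"]),
        "12 printable ascii": entropy_bits(12, CHARSETS["printable ascii"]),
        # 4 words from a 7776-word list (diceware-sized dictionary, assumed)
        "4-word passphrase": passphrase_bits(4, 7776),
    }
    return {name: expected_crack_seconds(bits, guesses_per_second)
            for name, bits in policies.items()}


if __name__ == "__main__":
    RATE = 1e9  # assumed guesses per second for a fast offline attack on weak hashes
    for name, secs in compare_policies(RATE).items():
        print(f"{name:22s} {secs:14.3e} s  ({secs / 86400 / 365:.2e} years)")
    for alphabet, size in CHARSETS.items():
        print(alphabet, tiered_minimums(size))
```

The numbers show why the post's six-character upper-case policy (about 28 bits) no longer resists an offline search, and how the same entropy target translates into very different minimum lengths depending on the alphabet, which is the trade-off behind the X versus 3X tiers. The guess rate is the key assumption: it depends on the hash algorithm protecting the stored passwords, so the monitoring and rapid forced-change response the post suggests for exposed hashes matters as much as the length policy itself.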
Current thread:
- password vs pass-phrase (was: Are users right in rejecting security advice?) Charles Buchholtz (Mar 17)
- <Possible follow-ups>
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Steven Alexander (Mar 17)
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Basgen, Brian (Mar 17)
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Eric Case (Mar 17)
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Steven Alexander (Mar 18)
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Allison Dolan (Mar 18)
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Zach Jansen (Mar 18)
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Valdis Kletnieks (Mar 18)
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Roger Safian (Mar 18)
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Eric Case (Mar 18)
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Charles Buchholtz (Mar 18)