Educause Security Discussion mailing list archives

Re: Password length and complexity


From: Alan Stockdale <astockdale () EDC ORG>
Date: Fri, 31 May 2013 16:05:11 -0400

If you sat down you could come up with a very long list of companies (Sony, LinkedIn, etc.) that had their password databases 
stolen and were storing their passwords using SHA1 or something similar (or just plain text). Lots of developers have never heard 
of OWASP or don't give a hoot about OWASP so there are lots of sites with improper password storage and all sorts of site 
vulnerabilities. For one of the latest see: https://www.livingsocial.com/createpassword. For commentary on the company's PR 
regarding SHA1 see: 
http://arstechnica.com/security/2013/04/why-livingsocials-50-million-password-breach-is-graver-than-you-may-think/

It is probably a safe bet that most of your users are using the same or slightly modified password for everything so when one of 
these sites is compromised so are all their accounts. Not sure there are any good options. To use a unique password for 
everything you've probably got to get users to use a password manager (KeePass, LastPass, etc.). Or if you force a change of 
password every 90 days that might help but you know they'll only change the last digit... Two factor.





On 5/31/2013 3:20 PM, Shalla, Kevin wrote:
Yeah, it sounds scary, but don’t most systems protect the password file so that hackers don’t have easy attack access? 
Or are we to assume that attackers have easy access to our password files?  If that’s the case, then we probably all 
need to convert to two or three factor authentication, including tokens or biometrics.

Kevin

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Irish, 
Adrian L
Sent: Friday, May 31, 2013 12:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Password length and complexity

This is not scholarly, but certainly technical, and eye opening (at least for me):

Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

Adrian

Adrian Irish
IT Security Officer
The University of Montana
SS 102
Missoula, MT 59812
(406) 243-6375

adrian.irish () umontana edu<mailto:adrian.irish () umontana edu>

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric 
Weakland
Sent: Friday, May 31, 2013 11:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Password length and complexity

Greetings,

Do any of you have any links handy to scholarly/technical articles that have recommendations or strategies on choosing 
appropriate password length and complexity requirements?  We're working on extending our password expiration period 
significantly - let's say 1 year, and will be using things like 2-factor for extremely sensitive accounts, and I want to 
make sure we are using a sound rationale/reasons for the length we choose - backed up by some research.

Anyone know of useful studies/research results that could help guide our recommendations?

Best,


Eric Weakland, CISSP, CISM, CRISC
Director, Information Security
Office of Information Technology
American University
eric at american.edu
202.885.2241

______________________________________
AU IT will never ask for your password via e-mail.
Don't share your password with anyone!



--
Alan Stockdale, Ph.D.
Education Development Center
43 Foundry Avenue, Waltham, MA 02453-8313
Work: 617 618 2731
Fax: 617 969 3401
E-mail: astockdale () edc org<mailto:astockdale () edc org>
Web: http://www.edc.org/
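Added example (not part of the thread above): the "improper password storage" Alan describes is typically a single unsalted SHA1 per user, which lets anyone holding a stolen password file spot shared passwords immediately and guess against the whole table at once. The block below contrasts that with a salted, iterated hash (PBKDF2-HMAC-SHA256 from the Python standard library) and a constant-time verifier; the user names, passwords and the `pbkdf2_sha256$iters$salt$hash` record layout are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample: two users who happen to have chosen the same password.
USERS: Dict[str, str] = {"alice": "Summer2013!", "bob": "Summer2013!"}


def store_sha1(password: str) -> str:
    """The weak scheme criticised in the thread: one fast, unsalted SHA1 digest.
    Equal passwords produce equal records, and each guess costs a single hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_pbkdf2(password: str, salt: Optional[bytes] = None,
                 iterations: int = 200_000) -> str:
    """Salted, iterated hash. A fresh random salt per user means equal passwords
    no longer look alike, and the iteration count slows every offline guess.
    Record layout (assumed for this example): alg$iterations$salt_hex$hash_hex."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    alg, iters, salt_hex, hash_hex = record.split("$")
    if alg != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def demo() -> Dict[str, bool]:
    """Store both users under each scheme and report what a stolen table reveals."""
    sha1_records = {u: store_sha1(p) for u, p in USERS.items()}
    pbkdf2_records = {u: store_pbkdf2(p) for u, p in USERS.items()}
    return {
        # Unsalted: identical passwords are visible as identical records.
        "sha1_identical": sha1_records["alice"] == sha1_records["bob"],
        # Salted: the same password yields unrelated records per user.
        "pbkdf2_identical": pbkdf2_records["alice"] == pbkdf2_records["bob"],
        "alice_verifies": verify_pbkdf2("Summer2013!", pbkdf2_records["alice"]),
        "wrong_rejected": verify_pbkdf2("summer2013!", pbkdf2_records["alice"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```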

