Educause Security Discussion mailing list archives
Re: Password length and complexity
From: Alan Stockdale <astockdale () EDC ORG>
Date: Fri, 31 May 2013 16:05:11 -0400
If you sat down you could come up with a very long list of companies (Sony, LinkedIn, etc.) that had their password databases stolen and were storing their passwords using SHA1 or something similar (or just plain text). Lots of developers have never heard of OWASP or don't give a hoot about OWASP, so there are lots of sites with improper password storage and all sorts of site vulnerabilities. For one of the latest see: https://www.livingsocial.com/createpassword. For commentary on the company's PR regarding SHA1 see: http://arstechnica.com/security/2013/04/why-livingsocials-50-million-password-breach-is-graver-than-you-may-think/

It is probably a safe bet that most of your users are using the same or a slightly modified password for everything, so when one of these sites is compromised so are all their accounts. Not sure there are any good options. To use a unique password for everything you've probably got to get users to use a password manager (KeePass, LastPass, etc.). Or if you force a change of password every 90 days that might help, but you know they'll only change the last digit... Two factor.

On 5/31/2013 3:20 PM, Shalla, Kevin wrote:

Yeah, it sounds scary, but don’t most systems protect the password file so that hackers don’t have easy attack access? Or are we to assume that attackers have easy access to our password files? If that’s the case, then we probably all need to convert to two or three factor authentication, including tokens or biometrics.

Kevin

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Irish, Adrian L
Sent: Friday, May 31, 2013 12:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password length and complexity

This is not scholarly, but certainly technical, and eye opening (at least for me):

Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

Adrian

Adrian Irish
IT Security Officer
The University of Montana
SS 102
Missoula, MT 59812
(406) 243-6375
adrian.irish () umontana edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric Weakland
Sent: Friday, May 31, 2013 11:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password length and complexity

Greetings,

Do any of you have any links handy to scholarly/technical articles that have recommendations or strategies on choosing appropriate password length and complexity requirements? We're working on extending our password expiration period significantly - let's say 1 year - and will be using things like 2-factor for extremely sensitive accounts, and I want to make sure we are using a sound rationale/reasons for the length we choose, backed up by some research. Anyone know of useful studies/research results that could help guide our recommendations?

Best,

Eric Weakland, CISSP, CISM, CRISC
Director, Information Security
Office of Information Technology
American University
eric at american.edu
202.885.2241
______________________________________
AU IT will never ask for your password via e-mail. Don't share your password with anyone!

--
Alan Stockdale, Ph.D.
Education Development Center
43 Foundry Avenue, Waltham, MA 02453-8313
Work: 617 618 2731
Fax: 617 969 3401
E-mail: astockdale () edc org
Web: http://www.edc.org/
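The storage weakness Alan describes (sites "using SHA1" with no salt, the same practice the Ars Technica cracking article Adrian links builds on) can be made concrete. The following is an added example, not code from any message in this thread: it builds a small constructed wordlist with "tack a digit on the end" mangling rules, stores three constructed accounts first as unsalted SHA1 digests and then as salted, iterated PBKDF2-HMAC-SHA256 records using only Python's hashlib, and counts the work an offline attacker needs in each case. The usernames, passwords, wordlist and the 1,000-iteration count are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed wordlist and mangling rules: a tiny stand-in for the dictionaries
# and rule sets crackers actually run (example data, not from the thread).
WORDLIST = ["password", "letmein", "qwerty", "summer", "welcome"]


def mangle(word):
    """Yield rule-based variants of a base word, including the 'same password
    with a digit tacked on or changed' habit the thread complains about."""
    for base in (word, word.capitalize()):
        yield base
        for d in range(10):
            yield f"{base}{d}"
        for year in ("2012", "2013"):
            yield f"{base}{year}"
        yield f"{base}!"


def candidates():
    """Full candidate list: 28 variants per base word."""
    return [c for w in WORDLIST for c in mangle(w)]


def sha1_store(pw):
    """What 'storing passwords using SHA1' means in practice: an unsalted digest."""
    return hashlib.sha1(pw.encode()).hexdigest()


def crack_sha1(store):
    """store: {user: sha1 hex}. With no salt, one digest per candidate is
    compared against every user at once. Returns ({user: password}, digests)."""
    users_by_hash = {}
    for user, digest in store.items():
        users_by_hash.setdefault(digest, []).append(user)
    found, work = {}, 0
    for cand in candidates():
        work += 1
        for user in users_by_hash.get(sha1_store(cand), []):
            found[user] = cand
    return found, work


# Kept small so the example runs in a fraction of a second; production counts
# should be far higher (hundreds of thousands for PBKDF2-HMAC-SHA256).
ITERATIONS = 1000


def pbkdf2_store(pw, salt=None, iterations=ITERATIONS):
    """Salted, iterated storage as a self-describing 'alg$iters$salt$dk' record."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(pw, record):
    """Recompute from the record's own salt and count; constant-time compare."""
    _alg, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_pbkdf2(store):
    """store: {user: record}. Each user's salt forces a separate run per
    candidate, and each run costs `iters` HMAC calls, so precomputed tables are
    useless and cost scales with users x candidates x iterations.
    Returns ({user: password}, hmac_calls)."""
    found, work = {}, 0
    for user, record in store.items():
        iters = int(record.split("$")[1])
        for cand in candidates():
            work += iters
            if pbkdf2_verify(cand, record):
                found[user] = cand
    return found, work


def demo():
    """Constructed accounts: two predictable passwords and one random one."""
    users = {"alice": "Summer3", "bob": "password2013", "carol": "k9!Vr2@pLq"}
    sha1_db = {u: sha1_store(p) for u, p in users.items()}
    pbkdf2_db = {u: pbkdf2_store(p) for u, p in users.items()}
    return {"sha1": crack_sha1(sha1_db), "pbkdf2": crack_pbkdf2(pbkdf2_db)}


if __name__ == "__main__":
    for scheme, (found, work) in demo().items():
        print(f"{scheme:7s} cracked={found} work={work}")
```

Both stores give up the two predictable passwords, which is the thread's point about reuse and last-digit changes: no hashing scheme rescues a guessable password. What the salted, iterated store changes is the price of each guess (3,000 times the work here, with only 1,000 iterations and three users) and the fact that a table of precomputed digests is worthless against it. The random password survives either attack, which is the case for password managers.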