Educause Security Discussion mailing list archives

Re: Password strength


From: Valdis Kletnieks <valdis.kletnieks () VT EDU>
Date: Thu, 26 Oct 2017 13:30:56 -0400

On Thu, 26 Oct 2017 17:17:13 -0000, Dale Lee said:

> The only way that I know to audit password strength is to reverse/crack the password.

The other way is to implement going forward some software to check for password
strength when the user is changing their password - so it should be impossible for
new weak passwords to be set.  Example: pam_cracklib for Linux boxes, not sure what
the equivalent is for Windows.

And then force a password change for everybody.  (Though I'd recommend that you
don't force a flag-day change because that leads to your help desk staff
forming a tar-and-feather group heading to your office, but rather something
like 4% of your userids every Tuesday morning for the next 25 weeks...)
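
A sketch of the staggered rollout described in the message above, as an added example that is not part of the original post: each userid is hashed into one of 25 stable cohorts, and the script prints (dry run) the `chage -d 0` commands for one week's cohort. It assumes local Linux accounts managed with chage(1); the function names and sample usernames are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original message): staged forced password change.
# Assumes local Linux accounts and chage(1); prints commands only (dry run).

COHORTS=25   # about 4% of userids per week for 25 weeks

# Constructed sample account names.
sample_users() { printf '%s\n' alice bob carol dave erin frank; }

# cohort_of USER: stable cohort 0..COHORTS-1 from a checksum of the name, so a
# user keeps the same week however the account list is ordered or grows.
cohort_of() {
    crc=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    echo $(( crc % COHORTS ))
}

# users_for_week WEEK: reads usernames on stdin, prints those due in WEEK (1..25).
users_for_week() {
    week=$1
    case "$week" in
        ''|0*|*[!0-9]*|???*) echo "week must be 1..$COHORTS" >&2; return 2 ;;
    esac
    if [ "$week" -gt "$COHORTS" ]; then
        echo "week must be 1..$COHORTS" >&2; return 2
    fi
    while IFS= read -r user; do
        [ -n "$user" ] || continue
        if [ "$(cohort_of "$user")" -eq $(( week - 1 )) ]; then
            printf '%s\n' "$user"
        fi
    done
}

# expire_commands WEEK: prints "chage -d 0", which expires the password so it
# must be changed at next login, for each user in that week's cohort.
expire_commands() {
    users_for_week "$1" | while IFS= read -r user; do
        printf 'chage -d 0 -- %s\n' "$user"
    done
}
```

Feed it the real userid list on stdin, for example `expire_commands 3 < userids.txt`, and review the printed commands before running them as root.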
