nanog mailing list archives
Re: AD and enforced password policies
From: Steven Bellovin <smb () cs columbia edu>
Date: Mon, 2 Jan 2012 20:45:29 -0500
On Jan 2, 2012, at 7:05 PM, Gary Buhrmaster wrote:
> On Mon, Jan 2, 2012 at 22:32, Jimmy Hess <mysidia () gmail com> wrote:
> ....
>> The sole root cause for "easily guessable passwords" is not lack of
>> technical restrictions. It's also: lazy or limited-memory humans who
>> need passwords that they can remember. Firstname1234! is very easy to
>> guess, and meets complexity and usual length requirements.
>
> Obligatory xkcd reference: http://xkcd.com/936/
Thanks; you saved me the trouble. There's a discussion of the topic going on right now on a cryptography mailing list; check out http://lists.randombit.net/mailman/listinfo/cryptography if you want. Also see my (mostly tongue-in-cheek) blog post at https://www.cs.columbia.edu/~smb/blog/2011-12/2011-12-27.html and the very serious followup at https://www.cs.columbia.edu/~smb/blog/2011-12/2011-12-28.html

I should add that except for targeted attacks, strong passwords are greatly overrated; neither phishing attacks nor keystroke loggers care how good your password is.

I just went through some calculations for a (government) site that has the following rules:

    Minimum Length: 8
    Maximum Length: 12
    Maximum Repeated Characters: 2
    Minimum Alphabetic Characters Required: 1
    Minimum Numeric Characters Required: 1
    Starts with a Numeric Character
    No User Name
    No past passwords
    At least one character must be ~!@#$%^&*()-_+={}[]\|;:/?.,<>"'`

Under the plausible assumption that very many people will start with a string of digits, continue with a string of lower-case letters to reach seven characters, and then add a period, there are only ~5,000,000,000 choices. That's not many at all -- but the rules look just fine...

--Steve Bellovin, https://www.cs.columbia.edu/~smb
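To make the arithmetic behind that ~5,000,000,000 figure concrete, here is an added Python example; it is not code from the post or from the NANOG thread. It encodes the quoted rules as a policy checker, counts the "digits, then lower-case letters, then a period" shape Bellovin describes, and sets that beside the keyspace the rules appear to give. The reading of "Maximum Repeated Characters: 2" as "no character appears more than twice", the placeholder username `jdoe`, the omission of the password-history rule, and the 10^9 guesses-per-second rate are all assumptions of this example.

```python
"""Keyspace of a policy-compliant but predictable password shape.

Added example. The rule set is the one quoted in the post; the
interpretations marked as assumptions in the comments are not from it.
"""
from collections import Counter
import re

# Special characters the quoted policy requires at least one of.
SPECIALS = "~!@#$%^&*()-_+={}[]\\|;:/?.,<>\"'`"

# Digits, upper case, lower case, specials: everything the rules permit.
FULL_ALPHABET = 10 + 26 + 26 + len(SPECIALS)  # 94 symbols

# The "lazy" shape the post assumes: digits, then lower case, then a period.
LAZY_SHAPE = re.compile(r"^[0-9]+[a-z]+\.$")


def meets_policy(pw, username="jdoe"):
    """Check pw against the quoted rules; return (ok, list of violated rules).

    "No past passwords" needs history state and is not modelled here.
    "Maximum Repeated Characters: 2" is read as "no character more than
    twice in the password" (assumption; the post does not define it).
    The username is a placeholder (assumption).
    """
    violations = []
    if not 8 <= len(pw) <= 12:
        violations.append("length 8..12")
    if not pw[:1].isdigit():
        violations.append("starts with a numeric character")
    if not any(c.isalpha() for c in pw):
        violations.append("at least one alphabetic character")
    if not any(c.isdigit() for c in pw):
        violations.append("at least one numeric character")
    if not any(c in SPECIALS for c in pw):
        violations.append("at least one special character")
    if max(Counter(pw).values(), default=0) > 2:
        violations.append("maximum repeated characters 2")
    if username and username.lower() in pw.lower():
        violations.append("no user name")
    return (not violations, violations)


def lazy_keyspace(length=8):
    """Number of strings of the lazy shape with the given total length.

    The shape is d digits, (length - 1 - d) lower-case letters, then '.'.
    The policy forces d >= 1 (starts numeric) and at least one letter, so
    d runs from 1 to length - 2. The repeat rule would only shrink this,
    so the result is an upper bound for the shape, as in the post.
    """
    body = length - 1
    return sum(10 ** d * 26 ** (body - d) for d in range(1, body))


def full_keyspace(length=8):
    """What the rules look like they give: every string over 94 symbols."""
    return FULL_ALPHABET ** length


def hours_to_exhaust(keyspace, guesses_per_second=1e9):
    """Hours to try every candidate at an offline guess rate (rate assumed)."""
    return keyspace / guesses_per_second / 3600


if __name__ == "__main__":
    # Constructed sample candidates: two lazy-shape passwords that satisfy
    # every rule, and two that each break one rule.
    for pw in ("1234abc.", "12345ab.", "abcd1234!", "1111abc."):
        ok, why = meets_policy(pw)
        lazy = bool(LAZY_SHAPE.match(pw))
        print(f"{pw:12} policy={'pass' if ok else 'FAIL'} lazy={lazy} {why}")
    lazy, full = lazy_keyspace(), full_keyspace()
    print(f"lazy-shape keyspace: {lazy:,} ({hours_to_exhaust(lazy):.1f} h at 1e9/s)")
    print(f"apparent keyspace:   {full:,} ({hours_to_exhaust(full) / 24:.0f} d at 1e9/s)")
```

The point the numbers make is the one in the post: `1234abc.` passes every rule, yet the whole family it belongs to is about 5.0e9 strings, a little over an hour of offline guessing at the assumed rate, while the rules read as if they gave 94^8, roughly 6e15. Complexity rules constrain the alphabet, not the shape people actually choose.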