Security Basics mailing list archives

Password statistics and standards


From: samhenry () mnsam com
Date: Fri, 13 Oct 2006 23:02:56 -0400 (EDT)

Hi group.....
I am new and this is my first post.

In a Novell environment NDS/Edir I utilize a tool called DSRazor to pull
information about accounts which is helpful in telling me how accounts are
configured-- Tells me password length settings, and if Null passwords are
allowed for every account.

What I really want to obtain is information on how complex my users' actual
passwords are. Sure the majority of accounts are configured for 5
characters but how many actually are only 5 characters...

Obviously I DON'T want to see the passwords if that can be achieved, but I
would like statistics about them such as:
Password Length
complexity (how many of the 4 character sets)
How many accounts might have the same password

Maybe Novell has a tool that will help me gather this information, but I
have not heard of anything.

I am wondering what other tools might I look to for help with this type of
thing.

Thanks for any suggestions.....

Here is some recent information I found:
A 5 character (a-z, A-Z, 0-9,special) password can be cracked in less than
15.29 minutes
An 8 character (a-z, A-Z, 0-9) password can be cracked in less than 77.34
days.
An 8 character (a-z, A-Z, 0-9,special) password can be cracked in less
than 1.81 years.

I am somewhat in a dilemma- sure passwords may be 5 characters but because
they lock for 15 minutes after incorrect tries the time to break is
increased dramatically. I still think that 8 is better and with upper and
numerics- But it is a tradeoff- need to consider other systems that don't
lock and consistency, along with increased calls to helpdesk....

Again any thoughts or suggestions are appreciated.
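
An added example, not part of the original post and not a Novell or DSRazor feature: one way to produce the three statistics asked for above (length, how many of the 4 character sets, accounts sharing a password) as aggregates only, so no password is ever printed or stored. It assumes a list of (account, password) pairs is available at some point where the plaintext is legitimately handled, such as a password-change hook or an authorized audit; the function names and sample data are constructed for illustration.

```python
import hashlib
import hmac
import os
import string
from collections import Counter

def char_classes(pw):
    """Return how many of the 4 sets (lower, upper, digit, special) pw uses."""
    known = string.ascii_letters + string.digits
    return sum([
        any(c in string.ascii_lowercase for c in pw),
        any(c in string.ascii_uppercase for c in pw),
        any(c in string.digits for c in pw),
        any(c not in known for c in pw),   # anything else counts as "special"
    ])

def password_stats(records, key=None):
    """Aggregate statistics over (account, password) pairs.

    Duplicates are found by comparing HMAC tags under a random key that is
    discarded afterwards, so neither passwords nor reusable hashes remain.
    """
    key = key or os.urandom(32)
    lengths, classes, tags = Counter(), Counter(), Counter()
    total = 0
    for _account, pw in records:
        total += 1
        lengths[len(pw)] += 1
        classes[char_classes(pw)] += 1
        tags[hmac.new(key, pw.encode("utf-8"), hashlib.sha256).digest()] += 1
    return {
        "accounts": total,
        "by_length": dict(lengths),
        "by_class_count": dict(classes),
        "accounts_sharing_a_password": sum(n for n in tags.values() if n > 1),
        "largest_shared_group": max(tags.values(), default=0),
    }

# Constructed sample input (not real accounts or passwords).
SAMPLE = [
    ("u1", "apple"), ("u2", "apple"), ("u3", "Winter06"), ("u4", "x9!Kq"),
    ("u5", "12345"), ("u6", "Winter06"), ("u7", "Tr0ub4dor&3"),
]

if __name__ == "__main__":
    for name, value in password_stats(SAMPLE).items():
        print(f"{name}: {value}")
```
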


