Security Basics mailing list archives
RE: Password statistics and standards
From: "Robert D. Holtz - Lists" <robert.d.holtz () gmail com>
Date: Mon, 16 Oct 2006 13:45:31 -0500
Any times for cracking passwords due to length are wildly subjective, at best. There are far too many variables at play to even attempt an objective statement such as: "a six character password takes 6 days to crack where an 8 character password takes 8 days." Usually, you're going to lock out an account after n tries so there's no accurate way to really measure this type of thing. Keep in mind that the longer, and more complex, that you make passwords just increases the chance that they are written down somewhere.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Frynge Customer Support
Sent: Sunday, October 15, 2006 11:19 PM
To: security-basics () securityfocus com
Subject: Re: Password statistics and standards

I'm just curious... do you have the statistics for:

A 6 character (a-z, A-Z, 0-9,special) password can be cracked in less than
and
A 7 character (a-z, A-Z, 0-9,special) password can be cracked in less than

My server is set to 6 and was thinking of setting it higher. 8 seems to be a minimal barrier and I thought it would take much longer to crack them, which is why I am now concerned about 6 and 7.

Kelly Sigethy
http://www.frynge.com

----- Original Message -----
From: <samhenry () mnsam com>
To: <security-basics () securityfocus com>
Sent: Friday, October 13, 2006 9:02 PM
Subject: Password statistics and standards

Hi group.....
I am new and this is my first post.

In a Novell environment NDS/Edir I utilize a tool called DSRazor to pull information about accounts which is helpful in telling me how accounts are configured-- Tells me password length settings, and if Null passwords are allowed for every account. What I really want to obtain is information on how complex my users' actual passwords are. Sure the majority of accounts are configured for 5 characters but how many actually are only 5 characters...
Obviously I DON'T want to see the passwords if that can be achieved, but I would like statistics about them such as:

Password Length
complexity (how many of the 4 character sets)
How many accounts might have the same password

Maybe Novell has a tool that will help me gather this information, but I have not heard of anything. I am wondering what other tools might I look to for help with this type of thing. Thanks for any suggestions.....

Here is some recent information I found:

A 5 character (a-z, A-Z, 0-9,special) password can be cracked in less than 15.29 minutes
An 8 character (a-z, A-Z, 0-9) password can be cracked in less than 77.34 days.
An 8 character (a-z, A-Z, 0-9,special) password can be cracked in less than 1.81 years.

I am somewhat in a dilemma- sure passwords may be 5 characters but because they lock for 15 minutes after incorrect tries the time to break is increased dramatically. I still think that 8 is better and with upper and numerics- But it is a tradeoff- need to consider other systems that don't lock and consistency, along with increased calls to helpdesk....

Again any thoughts or suggestions are appreciated.

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
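
The dependence of these crack-time figures on guess rate and account lockout, discussed in the messages above, worked through as an added example that is not part of any poster's message. The guess rates (1e6 and 1e8 per second) and the 5-tries-per-lockout setting are assumed inputs, not measurements; the 15-minute lock comes from the original post.

```python
# Added example: search-space model for the password lengths discussed in this thread.
# Guess rates and tries-per-lockout are assumed inputs, not measurements.
import string

CHARSETS = {
    "a-z, A-Z, 0-9": len(string.ascii_letters + string.digits),           # 62
    "a-z, A-Z, 0-9, special": len(string.ascii_letters + string.digits
                                  + string.punctuation),                   # 94
}

def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length

def offline_seconds(charset_size, length, guesses_per_sec):
    """Worst case against a captured hash: no lockout applies."""
    return keyspace(charset_size, length) / guesses_per_sec

def online_seconds(charset_size, length, tries_per_lockout, lockout_minutes):
    """Worst case against a live login: each batch of failures costs one lockout."""
    lockouts = keyspace(charset_size, length) // tries_per_lockout
    return lockouts * lockout_minutes * 60

def humanize(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.2f} {unit}"
    return f"{seconds:,.2f} seconds"

def report(rates=(1e6, 1e8), tries_per_lockout=5, lockout_minutes=15):
    """One row per charset and length: offline time at each rate, then online time."""
    rows = []
    for name, size in CHARSETS.items():
        for length in (5, 6, 7, 8):
            offline = [humanize(offline_seconds(size, length, r)) for r in rates]
            online = humanize(online_seconds(size, length,
                                             tries_per_lockout, lockout_minutes))
            rows.append((name, length, *offline, online))
    return rows

if __name__ == "__main__":
    for row in report():
        print(" | ".join(str(col) for col in row))
```

Under these assumptions a 5-character password behind the lockout outlasts an 8-character one whose hash is attacked offline, so the lockout only helps on systems where the hashes cannot be obtained.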
Current thread:
- Password statistics and standards samhenry (Oct 15)
- Re: Password statistics and standards Frynge Customer Support (Oct 16)
- RE: Password statistics and standards Peter Marshall (Oct 16)
- RE: Password statistics and standards dave kleiman (Oct 16)
- Re: Password statistics and standards Dathan Bennett (Oct 17)
- RE: Password statistics and standards John Lightfoot (Oct 18)
- Re: Password statistics and standards Ansgar -59cobalt- Wiechers (Oct 19)
- RE: Password statistics and standards dave kleiman (Oct 19)
- Re: Password statistics and standards Dathan Bennett (Oct 20)
- RE: Password statistics and standards dave kleiman (Oct 20)
- Re: Password statistics and standards Frynge Customer Support (Oct 16)
- RE: Changing the domain password policy Roger A. Grimes (Oct 17)
- RE: Changing the domain password policy Murda Mcloud (Oct 17)
- RE: Changing the domain password policy Duncan McAlynn (Oct 17)
- <Possible follow-ups>
- Re: Password statistics and standards samhenry (Oct 16)
- RE: Password statistics and standards Laundrup, Jens (Oct 17)