Security Basics mailing list archives
RE: Password statistics and standards
From: "Laundrup, Jens" <Jens.Laundrup () METROKC GOV>
Date: Mon, 16 Oct 2006 14:29:43 -0700
The statistics you have on how long it takes to crack a password are highly dependent upon what machine(s) you have access to, how effective an algorithm you are using, if you are trying to crack the actual password or if you have access to a rainbow table, etc. What I have done here includes some assumptions that may or may not be valid for your set-up, but I have tried to lay it out so that it is easy to understand how I got there.

There are 96 different characters on a keyboard (26 upper case letters, 26 lower case letters, 10 numbers, 34 usable characters). If each position can have one of 96, then the number of attempts to crack a password is the number of options per character (96 options) to the power of the location. Logically speaking, if you had a one digit password, you would have to try 96 different characters to have attempted them all. If it was a two character password, then you would have to attempt (96 x 96) or 96^2 (squared) times, etc. Now, statistically speaking, there is a 50% chance you will guess the password in the first half of the attempts, so to allay any false sense of security, divide the final probability by two.

Assume that a good computer system can test 2 million passwords per second. So:

  6 digit: 96^6 = 782,757,789,696          or 7.82 x 10^11
  8 digit: 96^8 = 7,213,895,789,838,336    or 7.2 x 10^15

As you can see, the 8 digit password has approximately 10,000 times more possibilities. (From now on I will use only the 8 digit password combination number.)
Given that, you can now divide this by 2 million passwords per second to get the approximate number of attempts necessary to try all possible combinations:

  7,213,895,789,838,336 combinations / 2,000,000 combinations per second = 3,606,947,894 seconds
  3,606,947,894 seconds / 86,400 seconds per day = 41,747 days
  41,747 days / 365.25 days per year = 114 years

BUT, remember that you will statistically guess the password in the first 50% of your attempts, so the password will be broken using that methodology in 57 years.

Why this is misleading! If you use a single computer, this would be good, but chances are that the person trying to crack the password will use a cluster of computers he/she has hijacked (a bot net). Most botnets have over 1000 computers in them, so going back to the number of days (41,747), divide that by 1000 computers working on the problem at one time gives all solutions in 42 days but, statistically speaking, the solution in 21 days.

Start looking into pass phrases for high risk accounts such as administrators etc. Examples:

  2dayWaz$unny@cleer      <today was sunny and clear
  D3arb0ss,4ku&go#s@nd!   <Dear boss, fork you and go pound sand!

REMEMBER, these are guesstimates based on a specific system, a specific capability etc. It needs to be adapted to fit your environment.

Jens

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of samhenry () mnsam com
Sent: Friday, October 13, 2006 8:03 PM
To: security-basics () securityfocus com
Subject: Password statistics and standards

Hi group..... I am new and this is my first post. In a Novell environment NDS/Edir I utilize a tool called DSRazor to pull information about accounts, which is helpful in telling me how accounts are configured: it tells me password length settings, and if null passwords are allowed for every account. What I really want to obtain is information on how complex my users' actual passwords are.
Sure, the majority of accounts are configured for 5 characters, but how many actually are only 5 characters... Obviously I DON'T want to see the passwords if that can be achieved, but I would like statistics about them such as:

  Password length
  Complexity (how many of the 4 character sets)
  How many accounts might have the same password

Maybe Novell has a tool that will help me gather this information, but I have not heard of anything. I am wondering what other tools I might look to for help with this type of thing. Thanks for any suggestions.....

Here is some recent information I found:

  A 5 character (a-z, A-Z, 0-9, special) password can be cracked in less than 15.29 minutes.
  An 8 character (a-z, A-Z, 0-9) password can be cracked in less than 77.34 days.
  An 8 character (a-z, A-Z, 0-9, special) password can be cracked in less than 1.81 years.

I am somewhat in a dilemma: sure, passwords may be 5 characters, but because they lock for 15 minutes after incorrect tries the time to break is increased dramatically. I still think that 8 is better and with upper and numerics, but it is a tradeoff: need to consider other systems that don't lock, and consistency, along with increased calls to the helpdesk.... Again any thoughts or suggestions are appreciated.

---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
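The arithmetic from Jens's reply and the lockout point from the original post, as an added example that is not part of either message. The constants (96 keyboard characters, 2,000,000 guesses per second per machine, a 1000-node botnet, 365.25 days per year) are the reply's own assumptions; the "3 tries before a 15-minute lockout" figure is my assumption, since the post only gives the 15 minutes.

```python
# Added example, not code from the original post: the brute-force arithmetic
# in Jens's reply as reusable functions, plus the lockout case samhenry raises.
# Constants are the message's assumptions: 96 keyboard characters, 2,000,000
# guesses/s per machine, 86,400 s/day, 365.25 days/year, 1000-node botnet.
ALPHABET_SIZE = 96
GUESSES_PER_SECOND = 2_000_000
SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365.25

def keyspace(length, alphabet=ALPHABET_SIZE):
    """Distinct passwords of exactly `length` characters: alphabet ** length."""
    return alphabet ** length

def crack_estimate(length, rate=GUESSES_PER_SECOND, machines=1,
                   alphabet=ALPHABET_SIZE):
    """Time to try every password of `length` chars, and the expected time
    (half of it, since on average the hit comes halfway through the space).
    `rate` is guesses/s per machine; `machines` scales it linearly, which is
    the botnet case in the message."""
    seconds_all = keyspace(length, alphabet) / (rate * machines)
    days_all = seconds_all / SECONDS_PER_DAY
    years_all = days_all / DAYS_PER_YEAR
    return {"keyspace": keyspace(length, alphabet),
            "days_all": days_all, "days_expected": days_all / 2,
            "years_all": years_all, "years_expected": years_all / 2}

def online_guess_rate(attempts_before_lock, lockout_minutes):
    """Guesses/s left to an attacker who must go through the login prompt
    when the account locks for `lockout_minutes` after `attempts_before_lock`
    failures. This only slows online guessing: someone holding the password
    hashes (offline cracking) is not affected by lockout. The attempt count
    is an assumption; the original post gives only the 15-minute lockout."""
    return attempts_before_lock / (lockout_minutes * 60)

if __name__ == "__main__":
    for n in (6, 8):
        e = crack_estimate(n)
        print(f"{n} chars: {e['keyspace']:,} passwords, {e['days_all']:,.1f} "
              f"days ({e['years_all']:.1f} years) on one machine; expect half")
    b = crack_estimate(8, machines=1000)
    print(f"8 chars, 1000-node botnet: {b['days_all']:.0f} days "
          f"({b['days_expected']:.0f} expected)")
    o = crack_estimate(5, rate=online_guess_rate(3, 15))
    print(f"5 chars via login, 3 tries per 15 min: {o['years_all']:,.0f} years")
```

The last line is the defender's takeaway from the two messages: lockout makes online guessing of even a 5-character password impractical, while the 57-year / 21-day figures apply to an attacker who can test guesses offline at full speed.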