Educause Security Discussion mailing list archives

Re: Password entropy


From: Alan Amesbury <amesbury () OITSEC UMN EDU>
Date: Tue, 25 Jul 2006 13:07:55 -0500

Roger Safian wrote:

> BTW - you can download
> Passphrase_Length_and_Complexity_Considerations.xls
> from <http://www.shiloh.k12.il.us/tech/feast2006/Scripting/JasonFossenScripts/Day6--Scripting/>
>
> If the sheet is incorrect, I'd like to know.

Attached is a spreadsheet (MS Excel, sorry) I put together for a manager
a number of years ago.  It's limited to eight-character passwords
(produced with the original Unix crypt() in mind), but possibly useful.
Anyway, you can change the lighter colored cells.  It's **VERY** rough,
but it was useful enough to get my point across when I needed it.  I
keep intending to put together a more polished version that can handle
longer password lengths, but--well, lately I've been spending all my
free time reading this thread.  ;-)

For an additional informal analysis of password strengths, see

        http://www1.umn.edu/oit/security/passwordattackdiscussion.html


I've included a couple of system benchmarks useful for the "rate of
testing" cell in the attached spreadsheet.  Note that this can also be
used to help gauge the effectiveness of a brute-force SSH attack (which
is another form of brute-force password attack, albeit one with a really
slow password/second rate).


--
Alan Amesbury
University of Minnesota

Attachment: password_cracking_worksheet.xls
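
Added example, not part of the original message or its attachment: a Python sketch of the calculation the worksheet description implies, dividing the number of candidate passwords of up to eight characters by a rate of testing. The alphabet choices, both rates and all function names are assumptions; the rates are constructed placeholders, not the benchmarks the message mentions.

```python
import string

CRYPT_MAX_LEN = 8  # traditional DES crypt() ignores characters past the eighth

# Alphabet sizes for the "character set" input (assumed choices).
ALPHABETS = {
    "lowercase": len(string.ascii_lowercase),                      # 26
    "letters+digits": len(string.ascii_letters + string.digits),   # 62
    "printable ASCII": len(string.ascii_letters + string.digits
                           + string.punctuation) + 1,              # 95 with space
}

# ASSUMED rates for the "rate of testing" input (constructed, not the
# benchmarks from the message): offline hash testing vs. online SSH guessing.
RATES = {"offline": 1_000_000.0, "ssh": 5.0}


def keyspace(alphabet_size, max_len=CRYPT_MAX_LEN, min_len=1):
    """Count candidate passwords of min_len..max_len characters, capped at
    the eight characters that crypt() actually hashes."""
    top = min(max_len, CRYPT_MAX_LEN)
    return sum(alphabet_size ** n for n in range(min_len, top + 1))


def seconds_to_search(alphabet_size, rate, max_len=CRYPT_MAX_LEN, fraction=1.0):
    """Seconds to test `fraction` of the keyspace at `rate` guesses/second
    (fraction=0.5 gives the average case)."""
    return keyspace(alphabet_size, max_len) * fraction / rate


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def worksheet(max_len=CRYPT_MAX_LEN):
    """One row per alphabet: (name, keyspace, {rate name: average time})."""
    return [(name, keyspace(size, max_len),
             {r: humanize(seconds_to_search(size, rate, max_len, 0.5))
              for r, rate in RATES.items()})
            for name, size in ALPHABETS.items()]


if __name__ == "__main__":
    for name, total, times in worksheet():
        print(f"{name:16} {total:.3e}  offline {times['offline']:>18}  ssh {times['ssh']:>22}")
```

Because of the eight-character cap, `worksheet(12)` returns the same rows as `worksheet(8)`: a longer minimum length adds nothing while hashes are produced by the original crypt().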