Security Basics mailing list archives
RE: Password statistics and standards
From: "dave kleiman" <dave () davekleiman com>
Date: Mon, 16 Oct 2006 15:21:31 -0400
If you shut off the storage of LM hashes, over 9 characters will buy you some time. (Rainbow tables are only up to 8 characters on NTLM.) To be safe, over 14 characters would be the best; should be safe for a while, or at least until the tables catch up (maybe a year or so).

Take a look at Perfect Passwords for some creative ideas: http://www.syngress.com/catalog/?pid=3420

Dave

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Frynge Customer Support
Sent: Monday, October 16, 2006 00:19
To: security-basics () securityfocus com
Subject: Re: Password statistics and standards

I'm just curious... do you have the statistics for:

A 6 character (a-z, A-Z, 0-9, special) password can be cracked in less than

and

A 7 character (a-z, A-Z, 0-9, special) password can be cracked in less than

My server is set to 6 and was thinking of setting it higher. 8 seems to be a minimal barrier and I thought it would take much longer to crack them, which is why I am now concerned about 6 and 7.

Kelly Sigethy
http://www.frynge.com

----- Original Message -----
From: <samhenry () mnsam com>
To: <security-basics () securityfocus com>
Sent: Friday, October 13, 2006 9:02 PM
Subject: Password statistics and standards

Hi group..... I am new and this is my first post.

In a Novell environment NDS/Edir I utilize a tool called DSRazor to pull information about accounts, which is helpful in telling me how accounts are configured-- tells me password length settings, and if null passwords are allowed for every account. What I really want to obtain is information on how complex my users' actual passwords are. Sure, the majority of accounts are configured for 5 characters, but how many actually are only 5 characters...

Obviously I DON'T want to see the passwords if that can be achieved, but I would like statistics about them such as:
Password length
Complexity (how many of the 4 character sets)
How many accounts might have the same password

Maybe Novell has a tool that will help me gather this information, but I have not heard of anything. I am wondering what other tools might I look to for help with this type of thing. Thanks for any suggestions.....

Here is some recent information I found:
A 5 character (a-z, A-Z, 0-9, special) password can be cracked in less than 15.29 minutes
An 8 character (a-z, A-Z, 0-9) password can be cracked in less than 77.34 days.
An 8 character (a-z, A-Z, 0-9, special) password can be cracked in less than 1.81 years.

I am somewhat in a dilemma- sure passwords may be 5 characters, but because they lock for 15 minutes after incorrect tries the time to break is increased dramatically. I still think that 8 is better and with upper and numerics- But it is a tradeoff- need to consider other systems that don't lock and consistency, along with increased calls to helpdesk....

Again any thoughts or suggestions are appreciated.

---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
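The keyspace arithmetic behind the figures argued over in this thread (character sets times length, a lockout policy that slows guessing at the login prompt but not offline cracking of captured hashes, and why stored LM hashes shrink the work far below what the password length suggests), as an added example that is not part of any post in the thread. The offline guess rate, the 5-tries/15-minute lockout policy and the 33-character special set are assumptions, and the thread's own minute/day/year figures are not reproduced.

```python
"""Keyspace and worst-case guessing-time estimator for the password-length
discussion in this thread. Added example, not from the original posts.
Guess rate, lockout policy and character-set sizes (95 printable ASCII:
26 lower + 26 upper + 10 digits + 33 special) are constructed assumptions;
the times quoted in the thread are not reproduced here."""

SETS = {"lower": 26, "upper": 26, "digit": 10, "special": 33}
ALL_SETS = ("lower", "upper", "digit", "special")
ALNUM = ("lower", "upper", "digit")

def alphabet_size(charsets):
    return sum(SETS[name] for name in set(charsets))

def keyspace(length, charsets):
    """Number of candidate passwords of exactly this length."""
    return alphabet_size(charsets) ** length

def offline_seconds(length, charsets, guesses_per_second):
    """Whole seconds to exhaust the keyspace against a captured hash,
    where the account lockout policy does not apply."""
    return keyspace(length, charsets) // guesses_per_second

def online_seconds(length, charsets, tries_before_lock, lock_seconds):
    """Whole seconds to exhaust the keyspace at the login prompt when every
    `tries_before_lock` failures cost `lock_seconds` of waiting (attempt
    latency is ignored, so this is a lower bound)."""
    windows = -(-keyspace(length, charsets) // tries_before_lock)  # ceil
    return windows * lock_seconds

def lm_effective_keyspace(length, charsets=ALL_SETS):
    """Work to recover an LM hash: LM upper-cases the password, pads it to
    14 bytes and hashes the two 7-character halves independently, so the
    halves are searched separately and lowercase collapses into uppercase."""
    alphabet = alphabet_size("upper" if n == "lower" else n for n in charsets)
    first = alphabet ** min(length, 7)
    second = alphabet ** (length - 7) if length > 7 else 0  # empty half is a known constant
    return first + second

def humanize(seconds):
    """Render a second count in the largest unit that fits, as the thread does."""
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.2f} {unit}"
    return f"{seconds} seconds"

if __name__ == "__main__":
    for length in (5, 6, 7, 8):
        print(f"{length} chars: offline at 10M/s {humanize(offline_seconds(length, ALL_SETS, 10_000_000))},"
              f" online with 5 tries/15 min lock {humanize(online_seconds(length, ALL_SETS, 5, 900))}")
    print(f"LM work at 14 chars {lm_effective_keyspace(14):.3e} vs NTLM {keyspace(14, ALL_SETS):.3e}")
```

The last line is the point of Dave's advice: with LM storage left on, a 14-character password costs an attacker about 2 * 69^7 guesses, less than the keyspace of a 9-character NTLM-only password.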