Security Basics mailing list archives
Re: Password statistics and standards
From: Dathan Bennett <dathan () shsu edu>
Date: Mon, 16 Oct 2006 14:38:04 -0500
Here are some rough estimates given by Cain running on my 2.0 GHz laptop (bear in mind that this is a Pentium M (single core), and not that powerful a machine, so these estimates should be considered a lower bound).
Character set: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;'"<>,.?/
(that's 94 characters)

5 char pw: < 30 minutes
6 char pw: < 2 days
7 char pw: < 180 days
8 char pw: ~ 46 years

But, I have two blade centers in the back each with 10 dual-proc 3.4 GHz Xeons. So, to get a rough estimate of their ability, divide my results by 1.75 to adjust for the speed of each processor, and then divide by 40 to account for parallelization, and we get:

5 char pw: ~ 25 sec.
6 char pw: ~ 41 min.
7 char pw: ~ 2.5 days
8 char pw: ~ 240 days

This is for a password hashed using MD5, with the hash known. Of course if you have to authenticate against a server with reasonable security policies in place, practically any password that isn't a dictionary word or a proper noun will work, because instead of being able to try however many billion plaintexts per second, you'll be able to try three, then have to wait a few minutes, then rinse and repeat.
Now, I don't know anything about the Novell password hashing scheme. If it uses a salt, then these numbers are way off. Multiply them all by the size of the salt to get more realistic numbers. Also, it might use something like crypt(), which is intended to be slow as a mechanism for defeating brute-force attacks.
Frynge Customer Support wrote:
I'm just curious... do you have the statistics for:

A 6 character (a-z, A-Z, 0-9, special) password can be cracked in less than
and
A 7 character (a-z, A-Z, 0-9, special) password can be cracked in less than

My server is set to 6 and was thinking of setting it higher. 8 seems to be a minimal barrier and I thought it would take much longer to crack them, which is why I am now concerned about 6 and 7.

Kelly Sigethy
http://www.frynge.com

----- Original Message -----
From: <samhenry () mnsam com>
To: <security-basics () securityfocus com>
Sent: Friday, October 13, 2006 9:02 PM
Subject: Password statistics and standards

Hi group..... I am new and this is my first post.

In a Novell environment NDS/Edir I utilize a tool called DSRazor to pull information about accounts which is helpful in telling me how accounts are configured -- Tells me password length settings, and if Null passwords are allowed for every account.

What I really want to obtain is information on how complex my users' actual passwords are. Sure the majority of accounts are configured for 5 characters but how many actually are only 5 characters... Obviously I DON'T want to see the passwords if that can be achieved, but I would like statistics about them such as:

Password Length
Complexity (how many of the 4 character sets)
How many accounts might have the same password

Maybe Novell has a tool that will help me gather this information, but I have not heard of anything. I am wondering what other tools might I look to for help with this type of thing. Thanks for any suggestions.....

Here is some recent information I found:

A 5 character (a-z, A-Z, 0-9, special) password can be cracked in less than 15.29 minutes
An 8 character (a-z, A-Z, 0-9) password can be cracked in less than 77.34 days.
An 8 character (a-z, A-Z, 0-9, special) password can be cracked in less than 1.81 years.

I am somewhat in a dilemma - sure passwords may be 5 characters but because they lock for 15 minutes after incorrect tries the time to break is increased dramatically. I still think that 8 is better and with upper and numerics - But it is a tradeoff - need to consider other systems that don't lock and consistency, along with increased calls to helpdesk.... Again any thoughts or suggestions are appreciated.
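A small calculator for the estimates traded in this thread, added here as an example (not code from the list, from Cain, or from any of the posters). It assumes the laptop's guess rate can be back-derived from the "8 chars ~ 46 years" figure, applies the post's 1.75 x 40 blade-center scaling, and models the lockout described in the original post as 3 attempts per 15-minute window; it also adds the case the thread only hints at, a dump of many hashes with and without per-user salts.

```python
"""Brute-force cost calculator for the password-length figures above.

Added example, not code from the thread or from Cain. Rates are derived
from the figures in the post, not measured; the lockout policy is an
assumption (3 tries, then a 15 minute wait).
"""
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY
ALPHABET_94 = 94          # a-z, A-Z, 0-9 and the 32 symbols listed above


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates of exactly `length` characters (shorter lengths excluded)."""
    return alphabet_size ** length


def implied_rate(alphabet_size: int, length: int, seconds: float) -> float:
    """Guesses/second a cracker must sustain to exhaust the space in `seconds`."""
    return keyspace(alphabet_size, length) / seconds


def exhaustive_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case time for an offline attack on a known hash at `rate` guesses/s."""
    return keyspace(alphabet_size, length) / rate


def throttled_seconds(alphabet_size: int, length: int,
                      attempts_per_window: int, window_seconds: float) -> float:
    """Online guessing under a lockout: N tries, then wait out the window."""
    return keyspace(alphabet_size, length) * window_seconds / attempts_per_window


def batch_seconds(n_hashes: int, salted: bool, alphabet_size: int,
                  length: int, rate: float) -> float:
    """Cracking a dump of many hashes. Unsalted: one pass over the keyspace
    checks every guess against all hashes. Per-user salts: one pass per hash."""
    passes = n_hashes if salted else 1
    return passes * exhaustive_seconds(alphabet_size, length, rate)


# Assumption: take the laptop's "~46 years for 8 chars" at face value (~4.2e6 MD5/s).
LAPTOP_RATE = implied_rate(ALPHABET_94, 8, 46 * SECONDS_PER_YEAR)
BLADE_RATE = LAPTOP_RATE * 1.75 * 40     # the post's per-CPU and parallelism scaling

if __name__ == "__main__":
    for n in (5, 6, 7, 8):
        laptop = exhaustive_seconds(ALPHABET_94, n, LAPTOP_RATE) / SECONDS_PER_DAY
        blades = exhaustive_seconds(ALPHABET_94, n, BLADE_RATE) / SECONDS_PER_DAY
        online = throttled_seconds(ALPHABET_94, n, 3, 900) / SECONDS_PER_YEAR
        print(f"{n} chars: laptop {laptop:9.2f} d, blades {blades:8.2f} d, "
              f"online (3 per 15 min) {online:14.0f} y")
```

The laptop column reproduces the post's numbers (about 29 minutes, 1.9 days, 179 days, 46 years), and the online column shows why a lockout policy dominates the arithmetic: 5 characters behind a 15-minute lockout is tens of thousands of years.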