Security Basics mailing list archives

Re: Password statistics and standards


From: Dathan Bennett <dathan () shsu edu>
Date: Mon, 16 Oct 2006 14:38:04 -0500

Here are some rough estimates given by Cain running on my 2.0 GHz laptop (bear in mind that this is a Pentium M (single core), and not that powerful a machine, so these estimates should be considered a lower bound).

Character set: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;'"<>,.?/
(that's 94 characters)

5 char pw: < 30 minutes
6 char pw: < 2 days
7 char pw: < 180 days
8 char pw: ~46 years

But, I have two blade centers in the back, each with 10 dual-proc 3.4 GHz Xeons. So, to get a rough estimate of their ability, divide my results by 1.75 to adjust for the speed of each processor, and then divide by 40 to account for parallelization, and we get:

5 char pw: ~25 sec
6 char pw: ~41 min
7 char pw: ~2.5 days
8 char pw: ~240 days

This is for a password hashed using MD5, with the hash known. Of course if you have to authenticate against a server with reasonable security policies in place, practically any password that isn't a dictionary word or a proper noun will work, because instead of being able to try however many billion plaintexts per second, you'll be able to try three, then have to wait a few minutes, then rinse and repeat.

Now, I don't know anything about the Novell password hashing scheme. If it uses a salt, then these numbers are way off. Multiply them all by the size of the salt to get more realistic numbers. Also, it might use something like crypt(), which is intended to be slow as a mechanism for defeating brute-force attacks.


Frynge Customer Support wrote:
I'm just curious... do you have the statistics for:

A 6 character (a-z, A-Z, 0-9,special) password can be cracked in less than

and
A 7 character (a-z, A-Z, 0-9,special) password can be cracked in less than

My server is set to 6 and was thinking of setting it higher.

8 seems to be a minimal barrier and I thought it would take much longer to
crack them, which is why I am now concerned about 6 and 7.

Kelly Sigethy
http://www.frynge.com

----- Original Message ----- From: <samhenry () mnsam com>
To: <security-basics () securityfocus com>
Sent: Friday, October 13, 2006 9:02 PM
Subject: Password statistics and standards


Hi group.....
I am new and this is my first post.

In a Novell environment (NDS/eDir) I utilize a tool called DSRazor to pull
information about accounts, which is helpful in telling me how accounts are
configured: it tells me password length settings, and if null passwords are
allowed, for every account.

What I really want to obtain is information on how complex my users' actual
passwords are. Sure, the majority of accounts are configured for 5
characters, but how many actually are only 5 characters...

Obviously I DON'T want to see the passwords, if that can be achieved, but I
would like statistics about them such as:
Password Length
complexity (how many of the 4 character sets)
How many accounts might have the same password

Maybe Novell has a tool that will help me gather this information, but I
have not heard of anything.

I am wondering what other tools might I look to for help with this type of
thing.

Thanks for any suggestions.....

Here is some recent information I found:
A 5 character (a-z, A-Z, 0-9,special) password can be cracked in less than
15.29 minutes
An 8 character (a-z, A-Z, 0-9) password can be cracked in less than 77.34
days.
An 8 character (a-z, A-Z, 0-9,special) password can be cracked in less
than 1.81 years.

I am somewhat in a dilemma: sure, passwords may be 5 characters, but because
they lock for 15 minutes after incorrect tries, the time to break is
increased dramatically. I still think that 8 is better, and with upper case and
numerics. But it is a tradeoff: need to consider other systems that don't
lock, and consistency, along with increased calls to the helpdesk....

Again any thoughts or suggestions are appreciated.
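As an added illustration (not part of the thread), the arithmetic behind the estimates above in Python: the guess rate of about 4.2 million MD5 hashes per second is an assumption inferred from the first poster's "94^5 in under 30 minutes" laptop figure, the 1.75 clock ratio and 40 CPUs are the blade-center numbers from the post, and the "3 guesses, then a 15 minute lock" policy is an assumed reading of the lockout described in the original question.

```python
"""Brute-force time estimates as computed in the thread above.

Constructed example. The guess rate (~4.2 million MD5 hashes/s) is inferred
from the laptop figure "94^5 in under 30 minutes"; it was not measured.
"""
CHARSET_94 = 94         # a-z, A-Z, 0-9 plus 32 punctuation characters
SECS_PER_DAY = 86_400
SECS_PER_YEAR = 365 * SECS_PER_DAY
LAPTOP_RATE = 4.2e6     # assumed single-core MD5 guesses per second

def keyspace(charset_size: int, length: int) -> int:
    """Candidate passwords of exactly `length` characters."""
    return charset_size ** length

def offline_seconds(charset_size: int, length: int, rate: float) -> float:
    """Worst case to exhaust the keyspace when the hash itself is known."""
    return keyspace(charset_size, length) / rate

def cluster_seconds(single_cpu_seconds: float, clock_ratio: float,
                    cpu_count: int) -> float:
    """Scale a single-CPU estimate the way the post does: divide by the
    per-CPU clock ratio (3.4/2.0 ~= 1.75), then by the number of CPUs."""
    return single_cpu_seconds / clock_ratio / cpu_count

def online_seconds(charset_size: int, length: int,
                   tries_per_window: int, window_seconds: float) -> float:
    """Worst case when guesses go through the login service and the account
    locks for `window_seconds` after `tries_per_window` failures."""
    windows = keyspace(charset_size, length) / tries_per_window
    return windows * window_seconds

def humanize(seconds: float) -> str:
    """Render seconds in the largest convenient unit."""
    if seconds < 60:
        return f"{seconds:.0f} s"
    if seconds < SECS_PER_DAY:
        return f"{seconds / 60:.1f} min"
    if seconds < SECS_PER_YEAR:
        return f"{seconds / SECS_PER_DAY:.1f} days"
    return f"{seconds / SECS_PER_YEAR:,.1f} years"

if __name__ == "__main__":
    for length in range(5, 9):
        single = offline_seconds(CHARSET_94, length, LAPTOP_RATE)
        blades = cluster_seconds(single, 3.4 / 2.0, 40)
        locked = online_seconds(CHARSET_94, length, 3, 15 * 60)  # assumed lockout
        print(f"{length} chars: laptop {humanize(single):>11}  "
              f"blades {humanize(blades):>11}  online {humanize(locked):>16}")
```

The online column is the point the thread keeps returning to: with a lockout in the way, even the 5-character keyspace takes tens of thousands of years to exhaust against one account, so the offline numbers only matter once a hash has leaked.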




