Security Basics mailing list archives

RE: Password statistics and standards


From: "Laundrup, Jens" <Jens.Laundrup () METROKC GOV>
Date: Mon, 16 Oct 2006 14:29:43 -0700

The statistics you have on how long it takes to crack a password are
highly dependent upon what machine(s) you have access to, how effective
an algorithm you are using, if you are trying to crack the actual
password or if you have access to a rainbow table etc.

What I have done here includes some assumptions that may or may not be
valid for your setup, but I have tried to lay it out so that it is easy
to understand how I got there.

There are 96 different characters on a keyboard (26 upper case letters,
26 lower case letters, 10 numbers, 34 usable characters).  If each
position can have one of 96, then the number of attempts to crack a
password is the number of options per character (96 options) to the
power of the location.  Logically speaking, if you had a one digit
password, you would have to try 96 different characters to have
attempted them all.  If it was a two character password, then you would
have to attempt (96 x 96) or 96^2 (squared) times etc.  

Now, statistically speaking, there is a 50% chance you will guess the
password in the first half of the attempts so to allay any false sense
of security, divide the final probability by two.  

Assume that a good computer system can test 2 million passwords per
second.  

So 

6 digit: 96^6 = 782,757,789,696 (or 7.82 x 10^11)

8 digit: 96^8 = 7,213,895,789,838,336 (or 7.2 x 10^15)


As you can see, the 8 digit password has approximately 10,000 times more
possibilities.  

(From now on I will use only the 8 digit password combination number).  

Given that, you can now divide this by 2 million passwords per second to
get the approximate number of attempts necessary to try all possible
combinations:

= 7,213,895,789,838,336 combinations/2,000,000 combinations per second 

= 3,606,947,894 seconds 

= 3,606,947,894 seconds/86,400 seconds per day

= 41,747 days

= 41,747 days/365.25 days per year

= 114 years

BUT, remember that you will statistically guess the password in the
first 50% of your attempts so the password will be broken using that
methodology in 57 years.  

Why this is misleading!

If you use a single computer, this would be good, but chances are that
the person trying to crack the password will use a cluster of computers
he/she has hijacked (a bot net).  Most botnets have over 1000 computers
in them so going back to the number of days (41,747) divide that by 1000
computers working on the problem at one time gives all solutions in 42
days but statistically speaking, the solution in 21 days. 

Start looking into pass phrases for high risk accounts such as
administrators etc.  

Examples:  

2dayWaz$unny@cleer        <today was sunny and clear

D3arb0ss,4ku&go#s@nd!      <Dear boss, fork you and go pound sand!

REMEMBER, these are guesstimates based on a specific system, a specific
capability etc.  It needs to be adapted to fit your environment.

Jens
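As an added example (not part of Jens's post or the thread), the arithmetic above as a small Python calculator: the 96-character set, the 2 million guesses per second and the 1000-node botnet are the post's assumptions, and the min_length_for helper goes beyond the post by inverting the calculation to ask how long a password must be to hold out against a given attacker.

```python
# Added example (not from the post): keyspace and brute-force search-time
# calculator reproducing the 96-character arithmetic and generalising it to
# any character-set size, guess rate and number of machines.
SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365.25


def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters: charset_size ** length."""
    return charset_size ** length


def search_time_seconds(charset_size: int, length: int, guesses_per_second: float,
                        nodes: int = 1, expected: bool = False) -> float:
    """Seconds to exhaust the keyspace at the given rate across `nodes` machines
    working in parallel; with expected=True, the statistically expected time
    (half the keyspace), which is the post's 'divide by two' step."""
    seconds = keyspace(charset_size, length) / (guesses_per_second * nodes)
    return seconds / 2 if expected else seconds


def search_time_years(charset_size: int, length: int, guesses_per_second: float,
                      nodes: int = 1, expected: bool = False) -> float:
    """Same as search_time_seconds, converted via 86,400 s/day and 365.25 days/year."""
    seconds = search_time_seconds(charset_size, length, guesses_per_second, nodes, expected)
    return seconds / SECONDS_PER_DAY / DAYS_PER_YEAR


def min_length_for(charset_size: int, guesses_per_second: float, target_years: float,
                   nodes: int = 1) -> int:
    """Shortest length whose FULL search takes at least target_years against an
    attacker with this rate and node count (integer loop, so the boundary is exact)."""
    needed = int(target_years * DAYS_PER_YEAR * SECONDS_PER_DAY * guesses_per_second * nodes)
    length = 1
    while keyspace(charset_size, length) < needed:
        length += 1
    return length


if __name__ == "__main__":
    rate = 2_000_000  # guesses per second assumed in the post
    for length in (6, 8):
        print(f"96^{length} = {keyspace(96, length):,}")
    full = search_time_years(96, 8, rate)
    half = search_time_years(96, 8, rate, expected=True)
    print(f"8 chars, one machine: {full:.0f} years to exhaust, {half:.0f} expected")
    botnet_days = search_time_years(96, 8, rate, nodes=1000) * DAYS_PER_YEAR
    print(f"8 chars, 1000-node botnet: {botnet_days:.0f} days to exhaust")
    print("length needed to hold 100 years against that botnet:",
          min_length_for(96, rate, 100, nodes=1000))
```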

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of samhenry () mnsam com
Sent: Friday, October 13, 2006 8:03 PM
To: security-basics () securityfocus com
Subject: Password statistics and standards

Hi group.....
I am new and this is my first post.

In a Novell environment NDS/Edir I utilize a tool called DSRazor to pull
information about accounts which is helpful in telling me how accounts are
configured-- Tells me password length settings, and if Null passwords are
allowed for every account.

What I really want to obtain is information on how complex my users' actual
passwords are. Sure the majority of accounts are configured for 5
characters but how many actually are only 5 characters...

Obviously I DON'T want to see the passwords if that can be achieved, but I
would like statistics about them such as:
Password Length
complexity (how many of the 4 character sets)
How many accounts might have the same password

Maybe Novell has a tool that will help me gather this information, but I
have not heard of anything.

I am wondering what other tools might I look to for help with this type of
thing.

Thanks for any suggestions.....

Here is some recent information I found:
A 5 character (a-z, A-Z, 0-9,special) password can be cracked in less than
15.29 minutes
An 8 character (a-z, A-Z, 0-9) password can be cracked in less than 77.34
days.
An 8 character (a-z, A-Z, 0-9,special) password can be cracked in less
than 1.81 years.

I am somewhat in a dilemma- sure passwords may be 5 characters but because
they lock for 15 minutes after incorrect tries the time to break is
increased dramatically. I still think that 8 is better and with upper and
numerics- But it is a tradeoff- need to consider other systems that don't
lock and consistency, along with increased calls to helpdesk....

Again any thoughts or suggestions are appreciated.



---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------