Cracking good times

[bioradmeister at gmail.com (Dan Stadelman)]

It is really hard to answer this one because it really "all depends"
on a lot of things - mainly how long it would take to test one
password.  This can vary with system set up - if the user has access
to the password hashes, etc.

If you are trying to make up some stats you could do something like
this (I assume you know this):

26 + 26 + 10 + 10 = 72 characters

arranged 20 ways

20^72 * time to crack one password == a lot of time

arranged 15 ways

15^72 * time to crack one password == a bit less time

This is assuming there isn't some short cut to figuring out the
password - like it is on a sticky note on someones monitor (which
probably will happen if you are having such long passwords that are
changing frequently).

Laters,

Dan




On Tue, Jun 30, 2009 at 9:39 AM, craig bowser<reswob10 at gmail.com> wrote:
> Does anyone know a good reference for listing password cracking times?? I'm
> trying to find some stats to determine if we should pick a 20+ character
> password for service accounts and only change every 6 or 12 months or pick a
> shorter password length (10-12 characters) and change every 90 days or so.
> All passwords would be using all four character sets (Aa1!).
>
>
>
> Thanks.
>
>
>
>
>
> Craig L. Bowser
>
> CISSP?????? SANS GSEC (Gold)
>
> -------------------------------
>
> Nothing makes a person more productive than the last minute. - Contributed
> by Jeff Pappas
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com