Security Basics mailing list archives

RE: Password statistics and standards


From: "Robert D. Holtz - Lists" <robert.d.holtz () gmail com>
Date: Mon, 16 Oct 2006 13:45:31 -0500

Any times for cracking passwords due to length are wildly subjective, at
best.  There are far too many variables at play to even attempt an objective
statement such as: "a six character password takes 6 days to crack where an
8 character password takes 8 days."

Usually, you're going to lock out an account after n tries so there's no
accurate way to really measure this type of thing.

Keep in mind that making passwords longer and more complex just
increases the chance that they are written down somewhere.


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Frynge Customer Support
Sent: Sunday, October 15, 2006 11:19 PM
To: security-basics () securityfocus com
Subject: Re: Password statistics and standards

I'm just curious... do you have the statistics for:

A 6 character (a-z, A-Z, 0-9,special) password can be cracked in less than

and
A 7 character (a-z, A-Z, 0-9,special) password can be cracked in less than

My server is set to 6 and was thinking of setting it higher.

8 seems to be a minimal barrier and I thought it would take much longer to
crack them, which is why I am now concerned about 6 and 7.

Kelly Sigethy
http://www.frynge.com

----- Original Message ----- 
From: <samhenry () mnsam com>
To: <security-basics () securityfocus com>
Sent: Friday, October 13, 2006 9:02 PM
Subject: Password statistics and standards


Hi group.....
I am new and this is my first post.

In a Novell environment NDS/Edir I utilize a tool called DSRazor to pull
information about accounts which is helpful in telling me how accounts are
configured-- Tells me password length settings, and if Null passwords are
allowed for every account.

What I really want to obtain is information on how complex my users' actual
passwords are. Sure the majority of accounts are configured for 5
characters but how many actually are only 5 characters...

Obviously I DON'T want to see the passwords if that can be achieved, but I
would like statistics about them such as:
Password Length
complexity (how many of the 4 character sets)
How many accounts might have the same password

Maybe Novell has a tool that will help me gather this information, but I
have not heard of anything.

I am wondering what other tools might I look to for help with this type of
thing.

Thanks for any suggestions.....

Here is some recent information I found:
A 5 character (a-z, A-Z, 0-9,special) password can be cracked in less than
15.29 minutes
An 8 character (a-z, A-Z, 0-9) password can be cracked in less than 77.34
days.
An 8 character (a-z, A-Z, 0-9,special) password can be cracked in less
than 1.81 years.

I am somewhat in a dilemma- sure passwords may be 5 characters but because
they lock for 15 minutes after incorrect tries the time to break is
increased dramatically. I still think that 8 is better and with upper and
numerics- But it is a tradeoff- need to consider other systems that don't
lock and consistency, along with increased calls to helpdesk....

Again any thoughts or suggestions are appreciated.



---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
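
Added example, not part of the thread: the sketch below backs out the guess rate each quoted crack-time figure implies, then reuses one rate for 6 and 7 characters and for a lockout-throttled online attack. It assumes "special" means all 95 printable ASCII characters, that each quoted time is a full keyspace search, and a hypothetical policy of 5 tries before the 15-minute lock.

```python
# Added example: back out the guess rate implied by each quoted figure, then
# reuse a rate for other lengths and for a lockout-throttled online attack.
# Assumptions (not from the thread): "special" means all 95 printable ASCII
# characters, and each quoted time is a full keyspace search.

MINUTE, DAY, YEAR = 60, 86_400, 365 * 86_400

def keyspace(charset_size, length):
    """Number of candidate passwords of exactly this length."""
    return charset_size ** length

def implied_rate(charset_size, length, seconds):
    """Guesses per second needed to exhaust the keyspace in `seconds`."""
    return keyspace(charset_size, length) / seconds

def exhaust_seconds(charset_size, length, guesses_per_second):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return keyspace(charset_size, length) / guesses_per_second

def lockout_rate(tries_before_lock, lock_seconds):
    """Best-case online guess rate against one account under lockout."""
    return tries_before_lock / lock_seconds

# The three figures quoted in the original post.
QUOTED = [
    ("5 chars, 95 symbols", 95, 5, 15.29 * MINUTE),
    ("8 chars, 62 symbols", 62, 8, 77.34 * DAY),
    ("8 chars, 95 symbols", 95, 8, 1.81 * YEAR),
]

def quoted_rates():
    return [implied_rate(c, n, s) for _, c, n, s in QUOTED]

if __name__ == "__main__":
    for (label, *_), rate in zip(QUOTED, quoted_rates()):
        print(f"{label}: implies {rate:,.0f} guesses/s")
    rate = quoted_rates()[0]          # reuse the rate behind the 5-char figure
    for length in (6, 7):
        days = exhaust_seconds(95, length, rate) / DAY
        print(f"{length} chars at that rate: {days:,.1f} days")
    # Hypothetical policy: 5 tries, then the 15-minute lock from the thread.
    online = lockout_rate(5, 15 * MINUTE)
    years = exhaust_seconds(95, 5, online) / YEAR
    print(f"5 chars online under lockout: {years:,.0f} years")
```

Under these assumptions the three quoted figures imply guess rates that differ by more than a factor of ten, so any single "time to crack" only holds for the rate and attack model behind it.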
