Slashdot Mirror


Calculating Password Policy Strength Vs. Cracking

snydeq writes "InfoWorld's Roger Grimes offers a spreadsheet-based calculator in which you can key in your current password policy and see how your organization's passwords might hold up against the number of guesses an attacker can make in a given minute. The calculator includes results for four different password entropy models, and is based on length, character set, maximum age, whether complexity is enabled, and the number of guesses per minute an attacker can attempt. As an example, Grimes assumes an eight-character password, with complexity enabled, a 94-symbol character set, and 90 days between password changes. Such a policy, typical for many organizations, would require attackers to make only 65 guesses per minute to break — not at all hard to accomplish, Grimes writes."

8 of 231 comments

  1. Is this a problem? by khasim · · Score: 4, Insightful

    Most systems have a "three strikes and you're out for 5 minutes". So that kind of makes 65 guesses a minute impossible. You'd have 3 every 5 minutes.

    The solution is not complexity. It is limiting the number of attempts and logging the process and having a HUMAN review the logs on a daily basis.

  2. Yeah right by Brian Gordon · · Score: 4, Insightful

    With 8 characters you have to make on the order of 10^15 guesses. To go through all of those guesses in 90 days you have to try 783.9 million combinations per second.

    1. Re:Yeah right by Celeste R · · Score: 4, Insightful

      How many of us use truly random passwords?

      Consider the dictionary attack, combined with numbers, symbols and other words, and it's really not quite so random.

      --
      There are no perfect answers, only the right questions. More questions at http://foresightandhindsight.blogspot.com/
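
The numbers traded above (the 90-day exhaustion rate, the "3 strikes and you're out for 5 minutes" lockout) follow from a few lines of arithmetic. The calculator below is an added example written for this mirror; it is not Grimes's spreadsheet and not code posted by any commenter. It assumes a uniformly random password, so its keyspace is an upper bound; as the reply notes, dictionary-based passwords give an attacker a far smaller space to search. The policy values (8 characters, 94 symbols, 90 days, 3 attempts per 5 minutes) are the ones quoted in the story and the comments.

```python
import math

# Policy from the story summary: 8 chars, 94-symbol set, 90-day maximum age.
POLICY = {"length": 8, "charset_size": 94, "max_age_days": 90}

# Lockout from comment #1: 3 failures, then locked out for 5 minutes.
LOCKOUT = {"attempts_before_lock": 3, "lockout_minutes": 5}


def keyspace(length: int, charset_size: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length


def entropy_bits(length: int, charset_size: int) -> float:
    """Bits of entropy of a uniformly random password over that keyspace."""
    return length * math.log2(charset_size)


def rate_to_exhaust_per_second(length: int, charset_size: int, max_age_days: int) -> float:
    """Guess rate needed to try EVERY password before the forced change.

    This is the figure in comment #2: the whole keyspace divided by the
    number of seconds in the maximum password age.
    """
    seconds = max_age_days * 24 * 60 * 60
    return keyspace(length, charset_size) / seconds


def expected_days_to_crack(length: int, charset_size: int, guesses_per_minute: float) -> float:
    """Average days to hit a uniformly random password at a given online rate.

    On average an attacker finds the password halfway through the keyspace.
    """
    expected_guesses = keyspace(length, charset_size) / 2
    return expected_guesses / guesses_per_minute / (24 * 60)


def lockout_limited_rate(attempts_before_lock: int, lockout_minutes: int) -> float:
    """Effective online guesses per minute against ONE account under lockout.

    With '3 strikes, out for 5 minutes' an attacker who never stops gets
    3 guesses every 5 minutes, i.e. 0.6 guesses per minute.
    """
    return attempts_before_lock / lockout_minutes


def policy_report(policy: dict, lockout: dict) -> dict:
    """Summarise a policy the way the story's calculator does."""
    rate = lockout_limited_rate(**lockout)
    return {
        "keyspace": keyspace(policy["length"], policy["charset_size"]),
        "entropy_bits": entropy_bits(policy["length"], policy["charset_size"]),
        "exhaust_rate_per_second": rate_to_exhaust_per_second(**policy),
        "online_rate_per_minute_under_lockout": rate,
        "expected_days_online_under_lockout": expected_days_to_crack(
            policy["length"], policy["charset_size"], rate
        ),
    }


if __name__ == "__main__":
    for name, value in policy_report(POLICY, LOCKOUT).items():
        print(f"{name:40s} {value:,.2f}")
```

The exhaust rate comes out near 784 million guesses per second, which is the "783.9 million combinations per second" in comment #2, and the lockout-limited online rate is 0.6 guesses per minute, which is why comment #1 says 65 guesses a minute is impossible against an account that locks. The catch, stated in the reply, is that the keyspace figure only holds for random passwords; an attacker working from a wordlist plus common substitutions needs nowhere near the full space.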

  3. The focus should be on the account. by khasim · · Score: 4, Insightful

    It doesn't matter where the 3 attempts come from. On the 3rd failure, the account is locked.

    Yes, this does allow for DoS attacks. So what? It's better to have the legitimate owner locked out so that he can call to find out why than it is to have his account cracked.

    1. Re:The focus should be on the account. by mysidia · · Score: 5, Insightful

      What happens when a bot comes out whose sole purpose is to discover all usernames on a system (including the admin users), via dictionary attack, common variations, and lock them all out, by making exactly 3 attempts per account?

      i.e., hackers whose goal in life is to disrupt access to the system rather than to break in.
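
The lockout-sweep that mysidia describes has a distinctive footprint in authentication logs: one source driving many different accounts to exactly the lockout threshold, as opposed to a legitimate user fumbling their own password a couple of times. The detection below is an added example for this mirror, not code from any commenter. The log lines are constructed (syslog-style `Failed password for ... from ...` records with TEST-NET addresses), and the threshold of 3 failures matches the "three strikes" policy discussed in comments #1 and #3.

```python
import re
from collections import defaultdict

# Constructed sample auth log. Source 203.0.113.7 hits exactly three failures
# on each of six accounts (the lockout-sweep pattern); 198.51.100.4 is a
# single user who mistyped their password twice. Neither address is real.
ACCOUNTS_SWEPT = ["alice", "bob", "carol", "dave", "erin", "admin"]
SAMPLE_LOG = "\n".join(
    f"Jan 10 09:{i:02d}:{n:02d} host sshd[101]: Failed password for {user} from 203.0.113.7 port 5{i}{n:02d}"
    for i, user in enumerate(ACCOUNTS_SWEPT)
    for n in range(3)
) + "\n" + "\n".join(
    f"Jan 10 09:30:{n:02d} host sshd[102]: Failed password for frank from 198.51.100.4 port 4200{n}"
    for n in range(2)
)

# Matches both "Failed password for alice" and "Failed password for invalid user alice".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_failures(log_text: str) -> dict:
    """Return {source_ip: {username: failure_count}} for the log text."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["src"]][m["user"]] += 1
    return failures


def find_lockout_sweeps(log_text: str, lockout_threshold: int = 3, min_accounts: int = 5) -> dict:
    """Flag sources that pushed at least `min_accounts` distinct accounts to the lockout threshold.

    Returns {source_ip: sorted list of accounts it would have locked out}.
    A user retrying their own password never reaches `min_accounts`, so
    ordinary typos do not trigger this rule.
    """
    flagged = {}
    for src, per_user in parse_failures(log_text).items():
        locked = sorted(user for user, n in per_user.items() if n >= lockout_threshold)
        if len(locked) >= min_accounts:
            flagged[src] = locked
    return flagged


if __name__ == "__main__":
    for src, accounts in find_lockout_sweeps(SAMPLE_LOG).items():
        print(f"lockout sweep from {src}: {len(accounts)} accounts -> {', '.join(accounts)}")
```

This is the kind of rule khasim's "have a HUMAN review the logs" suggestion would feed: the alert points at a source rather than at any one account, which is what an operator needs to block the sweep at the network edge instead of unlocking accounts one at a time. The counterpart mitigation is to lock per source (or per source and account) rather than per account alone, so a single attacker cannot take every user offline with three guesses each.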

  4. Missing part of his formula by DoofusOfDeath · · Score: 5, Insightful

    Did he remember to model the fact that if you make your password requirements sufficiently rigorous...

    (A) People will increase risk by having to write them down, or

    (B) People will try to stop using your system, which is a different but related kind of failure?

  5. Re:Frequency of change is irrelevant! by legirons · · Score: 4, Insightful

    It's not an irrelevant factor. Without any password changes, you are guaranteed to get the password eventually.

    With password changes, you get the password even quicker, because there are only a very small number of sequences that people can think up once per month, compared with a larger number of unique passwords that they can think up just once.

  6. Re:Frequency of change is irrelevant! by nabsltd · · Score: 4, Insightful

    Mod parent up as one of the few who understands how forced password changes are generally bad for security.

    When asked, most system admins do not know the single security issue that is addressed by forced password changes: limiting the amount of time a compromised password can do damage.

    The problem is that any forced change time that is short enough to do any good with this (like 30 days) would cause users to always pick the most memorable (i.e., least secure) password that meets the requirements. Worse, it's more likely to cause every monitor in your office to have a password-laden sticky-note. If you have a 90-day change time (about the standard), that gives an average of 45 days that a compromised password can do damage, which is way too much.

    Last, forced password changes are still almost certainly nothing but security theater, because once an account is compromised, it's easy to re-compromise it with a keylogger or similar background software.