Slashdot Mirror


Calculating Password Policy Strength Vs. Cracking

snydeq writes "InfoWorld's Roger Grimes offers a spreadsheet-based calculator in which you can key in your current password policy and see how your organization's passwords might hold up against the number of guesses an attacker can make in a given minute. The calculator includes results for four different password entropy models, and is based on length, character set, maximum age, whether complexity is enabled, and the number of guesses per minute an attacker can attempt. As an example, Grimes assumes an eight-character password, with complexity enabled, a 94-symbol character set, and 90 days between password changes. Such a policy, typical for many organizations, would require attackers to make only 65 guesses per minute to break — not at all hard to accomplish, Grimes writes."
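The calculation the summary describes, as an added example that is not Grimes's spreadsheet: it takes a policy (length, character set, complexity, maximum age) and returns the guess rate an attacker would need to exhaust the password space within one password lifetime. Two of the "entropy models" are assumed here: a full-keyspace brute-force model and the NIST SP 800-63 (2006, Appendix A) heuristic for user-chosen passwords; the function and parameter names are this example's own.

```python
import math

MINUTES_PER_DAY = 24 * 60


def brute_force_bits(length, charset_size):
    """Entropy if every character were uniformly random over the charset."""
    return length * math.log2(charset_size)


def nist_estimate_bits(length, complexity):
    """NIST SP 800-63 (2006, Appendix A) heuristic for user-chosen passwords:
    4 bits for the first character, 2 bits each for characters 2-8,
    1.5 bits each for characters 9-20, 1 bit per character beyond 20,
    plus 6 bits when a composition (complexity) rule is enforced."""
    bits = 0.0
    for position in range(1, length + 1):
        if position == 1:
            bits += 4
        elif position <= 8:
            bits += 2
        elif position <= 20:
            bits += 1.5
        else:
            bits += 1
    if complexity:
        bits += 6
    return bits


def guesses_per_minute_to_crack(bits, max_age_days, average_case=True):
    """Guess rate needed to find the password before it is rotated.
    average_case halves the keyspace: on average the password is hit
    halfway through an exhaustive search."""
    guesses = 2.0 ** bits
    if average_case:
        guesses /= 2
    return guesses / (max_age_days * MINUTES_PER_DAY)


def evaluate_policy(length, charset_size, complexity, max_age_days):
    """Required guesses per minute for the policy under each entropy model."""
    return {
        "brute_force": guesses_per_minute_to_crack(
            brute_force_bits(length, charset_size), max_age_days),
        "nist_estimate": guesses_per_minute_to_crack(
            nist_estimate_bits(length, complexity), max_age_days),
    }


if __name__ == "__main__":
    # The summary's example policy: 8 chars, 94-symbol set, complexity on, 90-day age.
    for model, rate in evaluate_policy(8, 94, True, 90).items():
        print(f"{model:14s} {rate:>18,.1f} guesses/minute")
```

Under these assumptions the NIST-heuristic, average-case rate for the summary's example policy comes out at about 65 guesses per minute, while the full-keyspace model demands roughly 2e10 per minute; the gap shows how much the verdict depends on the entropy model chosen, not just on the policy.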

1 of 231 comments

  1. The Myth Of Strong Passwords by gilgongo · Score: 1, Troll

    While Roger Grimes's intentions are good, in making that spreadsheet he's just wasted a lot of effort that he could have spent drinking beer and kissing women.

    Firstly, any analysis of real-world passwords in use in, er, the real world, will scream that they are far too weak. That is not news. At all.

    Secondly (and this is the hard part for geeks to understand, so: l i s t e n) - the strength of a password decreases the greater its theoretical strength becomes. Yes, that's DECREASES.

    Why? Because if my password has more than a couple of numbers and some upper/lower case letters in, I will write it on a sticky note and attach it to my monitor - sometimes with the words "password to payroll system" or whatever also written on it.

    That is reality. Now, can we all stop this nerdy crap about password strength and do the real work of thinking about the human factors involved in security? That, I am afraid, is where the hard work is. Any idiot can make a spreadsheet.


    --
    "And the meaning of words; when they cease to function; when will it start worrying you?"