Calculating Password Policy Strength Vs. Cracking
snydeq writes "InfoWorld's Roger Grimes offers a spreadsheet-based calculator in which you can key in your current password policy and see how your organization's passwords might hold up against the number of guesses an attacker can make in a given minute. The calculator includes results for four different password entropy models, and is based on length, character set, maximum age, whether complexity is enabled, and the number of guesses per minute an attacker can attempt. As an example, Grimes assumes an eight-character password, with complexity enabled, a 94-symbol character set, and 90 days between password changes. Such a policy, typical for many organizations, would require attackers to make only 65 guesses per minute to break — not at all hard to accomplish, Grimes writes."
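A worked version of the calculation the summary describes, added here as an illustration; it is not Grimes' spreadsheet and the two entropy models it uses are this example's own assumptions: a uniform brute-force model (every character chosen at random from the character set) and a simplified form of the user-chosen-password estimate from NIST SP 800-63 Appendix A, with the dictionary-check bonus left out. The required guess rate is the number of guesses needed to cover half the space on average, spread over the policy's maximum password age in minutes.

```python
import math

MINUTES_PER_DAY = 24 * 60


def brute_force_bits(length: int, charset_size: int) -> float:
    """Entropy if every character is drawn uniformly from the charset (best case)."""
    return length * math.log2(charset_size)


def nist_user_chosen_bits(length: int, complexity: bool) -> float:
    """Simplified NIST SP 800-63 (2006, Appendix A) estimate for user-chosen passwords.

    4 bits for the first character, 2 bits each for characters 2-8,
    1.5 bits each for characters 9-20, 1 bit per character beyond 20,
    plus a 6-bit bonus when composition (complexity) rules are enforced.
    The appendix's dictionary-check bonus is omitted in this example.
    """
    bits = 0.0
    for position in range(1, length + 1):
        if position == 1:
            bits += 4
        elif position <= 8:
            bits += 2
        elif position <= 20:
            bits += 1.5
        else:
            bits += 1
    if complexity:
        bits += 6
    return bits


def guesses_per_minute_needed(bits: float, max_age_days: int) -> float:
    """Guess rate at which an attacker expects to succeed before the password expires.

    On average the right guess turns up after half the space has been searched,
    so 2**(bits - 1) guesses have to fit inside the password's maximum lifetime.
    """
    minutes = max_age_days * MINUTES_PER_DAY
    return 2 ** (bits - 1) / minutes


def policy_report(length: int, charset_size: int, complexity: bool, max_age_days: int) -> dict:
    """Map each entropy model to (bits, guesses per minute needed) for one policy."""
    models = {
        "brute force (uniform random)": brute_force_bits(length, charset_size),
        "NIST user-chosen (simplified)": nist_user_chosen_bits(length, complexity),
    }
    return {name: (bits, guesses_per_minute_needed(bits, max_age_days))
            for name, bits in models.items()}


if __name__ == "__main__":
    # The policy from the summary: 8 characters, 94-symbol set, complexity on, 90-day age.
    for name, (bits, rate) in policy_report(8, 94, True, 90).items():
        print(f"{name:32s} {bits:6.1f} bits -> {rate:16,.0f} guesses/min")
```

For the summary's example policy the uniform model gives about 52.4 bits and a required rate in the tens of billions of guesses per minute, while the simplified NIST model gives 24 bits and about 65 guesses per minute. That second figure happens to match the number quoted from Grimes, but the page does not say which model his spreadsheet uses, so treat the agreement as a property of this example's assumptions rather than a reproduction of his method. The practical point survives either way: for user-chosen passwords the realistic entropy, not the theoretical keyspace, decides how long a maximum-age policy actually buys.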
Did he remember to model the fact that if you make your password requirements sufficiently rigorous....
(A) People will increase risk by having to write them down, or
(B) People will try to stop using your system, which is a different but related kind of failure?
What happens when a bot comes out whose sole purpose is to discover all usernames on a system (including the admin users), via dictionary attack, common variations, and lock them all out, by making exactly 3 attempts per account?
i.e. Hackers whose goal in life is to disrupt access to the system rather than to break in.
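The deliberate-lockout scenario in the comment above has a recognisable shape in authentication logs: one source fails against many distinct accounts and stops on each one exactly at the lockout threshold. The following detector is an added example, not code from any commenter or from Grimes; the log format and the sample lines are constructed for the illustration, and the window, account count and threshold are assumed defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (illustrative only, not from a real system).
# Source 198.51.100.7 makes exactly three failed attempts against each of
# four accounts; 203.0.113.5 is an ordinary user who mistypes once.
SAMPLE_LOG = """\
2011-03-01T10:00:01 auth_fail user=alice src=198.51.100.7
2011-03-01T10:00:02 auth_fail user=alice src=198.51.100.7
2011-03-01T10:00:03 auth_fail user=alice src=198.51.100.7
2011-03-01T10:00:04 auth_fail user=bob src=198.51.100.7
2011-03-01T10:00:05 auth_fail user=bob src=198.51.100.7
2011-03-01T10:00:06 auth_fail user=bob src=198.51.100.7
2011-03-01T10:00:07 auth_fail user=admin src=198.51.100.7
2011-03-01T10:00:08 auth_fail user=admin src=198.51.100.7
2011-03-01T10:00:09 auth_fail user=admin src=198.51.100.7
2011-03-01T10:00:10 auth_fail user=dave src=198.51.100.7
2011-03-01T10:00:11 auth_fail user=dave src=198.51.100.7
2011-03-01T10:00:12 auth_fail user=dave src=198.51.100.7
2011-03-01T10:05:00 auth_fail user=carol src=203.0.113.5
2011-03-01T10:05:30 auth_ok user=carol src=203.0.113.5
"""

# Assumed log line layout: "<iso timestamp> <event> user=<name> src=<ip>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>auth_fail|auth_ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, event, user, src) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["event"], m["user"], m["src"]


def detect_lockout_storm(text, window=timedelta(minutes=10),
                         min_accounts=3, lockout_threshold=3):
    """Return {src: sorted account names} for sources showing the lockout-storm pattern.

    A source is flagged when, within `window` of its first failure, it fails
    against at least `min_accounts` distinct accounts and never exceeds
    `lockout_threshold` attempts on any one of them: it stops exactly where the
    lockout policy would trigger and moves on to the next account.
    """
    failures = defaultdict(list)  # src -> [(timestamp, user)]
    for ts, event, user, src in parse_log(text):
        if event == "auth_fail":
            failures[src].append((ts, user))

    flagged = {}
    for src, events in failures.items():
        events.sort()
        window_start = events[0][0]  # fixed window anchored at the first failure
        per_account = defaultdict(int)
        for ts, user in events:
            if ts - window_start <= window:
                per_account[user] += 1
        if (len(per_account) >= min_accounts
                and max(per_account.values()) <= lockout_threshold):
            flagged[src] = sorted(per_account)
    return flagged


if __name__ == "__main__":
    for src, accounts in detect_lockout_storm(SAMPLE_LOG).items():
        print(f"{src}: lockout-storm pattern against {len(accounts)} accounts: {accounts}")
```

The signal here is breadth rather than depth: a genuine user who forgets a password piles failures onto one account, whereas a lockout bot spreads a small, threshold-sized number across many. A detector like this is a reason to pair any lockout policy with per-source rate limiting or an automatic unlock interval, so that the policy meant to slow guessing cannot be turned into a denial of service against the whole user base, admins included.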