Re: Secure Password Policy?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It's been a little while since I looked at windows pw settings, but if I
remember correctly, in the past windows would segment the password every
7 characters so brute forcing an 8 character pw was only a 7 char brute
force then a separate 1 char. Am I remembering this wrong? Is it
different in XP?

dmz

Neil wrote:

>On 1/19/2006 3:41 PM, Sulaiman, Wilmar wrote:
>
>
>>Dear all,
>>
>>I noticed that "best practice" for Minimum password length policy is
>>either 6 or 8 characters. I guess SANS institute considered a weak
>>password if it is less than 8 characters.
>>
>>I would like to know where they derived the number (6 and 8 characters).
>>Is there any documentation to backup it up why the best practice for
>>minimum password length is set to 6?
>>
>>
>>
>
>Well, the amount of time it takes to brute force a password goes up
>exponentially with every additional digit.
>
>Suppose we are using alphanumeric passwords, which would give us a
>possible 36 characters for each digit of the password. (Alphanumeric is
>what is often touted to normal users in security lectures in my experience.)
>
>Let us also suppose that we can attempt 1000 passwords a second (a
>number which has no basis in fact, but is nice and round).
>
>Thus:
>possible number of passwords = possible number of characters ^ number of
>characters in password.
>and:
>time to crack = number of passwords / number of attempts per second
>
>361 = 36/1000 = 0.036 seconds (which is faster than you can blink)
>362 = 1296/1000 = 1.296 seconds
>363 = 46656/1000 = 46.656 seconds
>364 = 1679616/1000 = 1679.616 seconds (27 minutes)
>365 = 60466176/1000 = 60466.176 seconds (16 hours)
>366 = 2176782336/1000 = 2176782.336 seconds (25 days)
>
>So as you can see, the amount of time really spikes up by adding the
>number of digits in your password.
>
>Mind you, password crackers today are many times faster than the example
>I did above. So, using a real numbers, security advisories have decided
>that at 8 characters, it will take someone quite some time to crack the
>password. (And I just don't recommend 6 characters, too trivial in
>today's day and age.)
>
>
>

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.2 (Build 2424)

iQA/AwUBQ9EZ9pcwFRNrWbm9EQLIpQCePukrc8Arz0F0FynBdeoTXSIwOhsAn2A7
BfCPN1sE9hsxVDGXN9hUJSdV
=spuc
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------