RE: Password statistics and standards
- From: "dave kleiman" <dave@xxxxxxxxxxxxxxx>
- Date: Mon, 16 Oct 2006 15:21:31 -0400
If you shut off the storage of LM hashes, over 9 characters will buy you
some time. (Rainbow tables are only up to 8 characters on NTLM.)
To be safe, over 14 characters would be the best; it should be safe for a while,
or at least until the tables catch up (maybe a year or so).
Take a look at Perfect Passwords for some creative ideas:
http://www.syngress.com/catalog/?pid=3420
Dave
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Frynge Customer Support
Sent: Monday, October 16, 2006 00:19
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Password statistics and standards
I'm just curious... do you have the statistics for:
A 6 character (a-z, A-Z, 0-9, special) password can be cracked in less than
and
A 7 character (a-z, A-Z, 0-9, special) password can be cracked in less than
My server is set to 6 and was thinking of setting it higher.
8 seems to be a minimal barrier and I thought it would take much longer to
crack them, which is why I am now concerned about 6 and 7.
Kelly Sigethy
http://www.frynge.com
----- Original Message -----
From: <samhenry@xxxxxxxxx>
To: <security-basics@xxxxxxxxxxxxxxxxx>
Sent: Friday, October 13, 2006 9:02 PM
Subject: Password statistics and standards
Hi group.....
I am new and this is my first post.
In a Novell environment NDS/Edir I utilize a tool called DSRazor to pull
information about accounts which is helpful in telling me how accounts are
configured-- Tells me password length settings, and if Null passwords are
allowed for every account.
What I really want to obtain is information on how complex my users' actual
passwords are. Sure the majority of accounts are configured for 5
characters but how many actually are only 5 characters...
Obviously I DON'T want to see the passwords if that can be achieved, but I
would like statistics about them such as:
Password Length
complexity (how many of the 4 character sets)
How many accounts might have the same password
Maybe Novell has a tool that will help me gather this information, but I
have not heard of anything.
I am wondering what other tools might I look to for help with this type of
thing.
Thanks for any suggestions.....
Here is some recent information I found:
A 5 character (a-z, A-Z, 0-9, special) password can be cracked in less than
15.29 minutes.
An 8 character (a-z, A-Z, 0-9) password can be cracked in less than 77.34
days.
An 8 character (a-z, A-Z, 0-9, special) password can be cracked in less
than 1.81 years.
I am somewhat in a dilemma- sure passwords may be 5 characters but because
they lock for 15 minutes after incorrect tries the time to break is
increased dramatically. I still think that 8 is better and with upper and
numerics- But it is a tradeoff- need to consider other systems that don't
lock and consistency, along with increased calls to helpdesk....
Again any thoughts or suggestions are appreciated.
---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
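An added example, not part of the original thread: one way to gather the statistics the original poster asks for (password length, how many of the 4 character sets are used, how many accounts share a password) without displaying or storing any password. It assumes the plaintext is available to the script at some point, for example at password-change time; the record format, function names and sample data are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter


def char_classes(password):
    """Count how many of the 4 character sets (lower, upper, digit, special) appear."""
    seen = set()
    for c in password:
        if c.islower():
            seen.add("lower")
        elif c.isupper():
            seen.add("upper")
        elif c.isdigit():
            seen.add("digit")
        else:
            seen.add("special")  # anything else, including spaces and caseless letters
    return len(seen)


def audit(records):
    """Aggregate statistics over (account, password) pairs; returns counts only."""
    key = secrets.token_bytes(32)  # per-run key, kept in memory and never written out
    lengths, classes, tags = Counter(), Counter(), Counter()
    for _account, password in records:
        lengths[len(password)] += 1
        classes[char_classes(password)] += 1
        # A keyed tag lets equal passwords be counted without keeping the password
        # or an unkeyed hash that could later be compared against wordlists.
        tags[hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()] += 1
    shared = [n for n in tags.values() if n > 1]
    return {
        "accounts": sum(lengths.values()),
        "length_histogram": dict(sorted(lengths.items())),
        "class_histogram": dict(sorted(classes.items())),
        "duplicate_groups": len(shared),
        "accounts_sharing_a_password": sum(shared),
    }


# Constructed sample input (not real accounts or passwords).
SAMPLE = [
    ("user01", "maple"), ("user02", "Maple7"), ("user03", "maple"),
    ("user04", "Tr!ck9xQ"), ("user05", "12345"), ("user06", "maple"),
]

if __name__ == "__main__":
    for name, value in audit(SAMPLE).items():
        print(f"{name}: {value}")
```

Only the aggregated counters leave `audit`; the per-run key and the tags are discarded when the function returns, so results from different runs cannot be correlated.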