Re: Password complexity vs Brute Force

From: Jason Brown [MSFT] (
Date: 04/15/05

Date: Fri, 15 Apr 2005 12:22:18 +1000

Well, you may not be running a banking installation, but you should still
consider the actual level of damage someone could do if they breached your
passwords. For a small organisation, a relatively small amount of damage can
be significant. A big corporate could shrug off a $100,000 problem. could
your soccer club? (admittedly as far as I know, you could the the network
admin for Manchester United, in which case scale up!)

If you consider the cost of having more secure passwords (relatively low)
against the risks of leaving them as they are (relatively high, if you can
brute-force them in 2hrs), well, I know what I'd be doing.

Jason Brown
Microsoft GTSC, IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
"Joel Cote" <> wrote in message
> Hi!
> Considering password policies that requires some complexity and all, I 
> have
> run a brute force attack on my my server.
> It found that password in 2h7mins. Is that too low as a measure 
> considering
> I monitor everything, having alerts on my emails and cell phones set up?
> Should I try to reach a higher level?
> There is no critical personal data on the server which can get me into
> trouble, I am the network manager for a soccer club, not a bank ;)
> What's your opinion on that?
> Thanks!