Home page logo

pauldotcom logo PaulDotCom mailing list archives

Cracking good times
From: bioradmeister at gmail.com (Dan Stadelman)
Date: Tue, 30 Jun 2009 11:44:42 -0600

It is really hard to answer this one because it really "all depends"
on a lot of things - mainly how long it would take to test one
password.  This can vary with system set up - if the user has access
to the password hashes, etc.

If you are trying to make up some stats you could do something like
this (I assume you know this):

26 + 26 + 10 + 10 = 72 characters

arranged 20 ways

20^72 * time to crack one password == a lot of time

arranged 15 ways

15^72 * time to crack one password == a bit less time

This is assuming there isn't some short cut to figuring out the
password - like it is on a sticky note on someones monitor (which
probably will happen if you are having such long passwords that are
changing frequently).



On Tue, Jun 30, 2009 at 9:39 AM, craig bowser<reswob10 at gmail.com> wrote:

Does anyone know a good reference for listing password cracking times?? I'm
trying to find some stats to determine if we should pick a 20+ character
password for service accounts and only change every 6 or 12 months or pick a
shorter password length (10-12 characters) and change every 90 days or so.
All passwords would be using all four character sets (Aa1!).


Craig L. Bowser

CISSP?????? SANS GSEC (Gold)


Nothing makes a person more productive than the last minute. - Contributed
by Jeff Pappas

Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
Main Web Site: http://pauldotcom.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]