mailing list archives
Cracking good times
From: bioradmeister at gmail.com (Dan Stadelman)
Date: Tue, 30 Jun 2009 11:44:42 -0600
It is really hard to answer this one because it really "all depends"
on a lot of things - mainly how long it would take to test one
password. This can vary with system set up - if the user has access
to the password hashes, etc.
If you are trying to make up some stats you could do something like
this (I assume you know this):
26 + 26 + 10 + 10 = 72 characters
arranged 20 ways
20^72 * time to crack one password == a lot of time
arranged 15 ways
15^72 * time to crack one password == a bit less time
This is assuming there isn't some short cut to figuring out the
password - like it is on a sticky note on someones monitor (which
probably will happen if you are having such long passwords that are
On Tue, Jun 30, 2009 at 9:39 AM, craig bowser<reswob10 at gmail.com> wrote:
Does anyone know a good reference for listing password cracking times?? I'm
trying to find some stats to determine if we should pick a 20+ character
password for service accounts and only change every 6 or 12 months or pick a
shorter password length (10-12 characters) and change every 90 days or so.
All passwords would be using all four character sets (Aa1!).
Craig L. Bowser
CISSP?????? SANS GSEC (Gold)
Nothing makes a person more productive than the last minute. - Contributed
by Jeff Pappas
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
Main Web Site: http://pauldotcom.com