Password Policy
Asked by Scott Lamond

For the past few years my company has been using a password policy that I crafted based on reading various online tech articles. Our current policy is to require password changes every 4 months, to require an 8 character minimum and to require the standard Microsoft complexity (3 of the following 4: Capital letter, lowercase letter, number and alphanumeric).

The design of this policy will supposedly protect us against a brute force attack. Such an attack will allegedly take 4 months to run through every possible combination of characters in a complex password with a length of 8 characters.

I would like to increase the complexity of the password in exchange for an increased password age of 6 months. Every time a password cycle hits we have a rash of issues with users forgetting their new password, their mobile phones' email not working because of their cache needing to be cleared (battery removal trick) or some other password related issues.

The question is: what minimum password length would be required to maintain the same level of security at a 6 month maximum password age?

If the formula is a linear one, I would think it would be:

   (8-characters) * (6-months) / (4-months) = 12 characters


But, I'm not confident in my simple assumptions.
:)

S.

TommySzalapski:

It's not even close to linear. If you are using upper and lower case and digits then there are 26+26+10=62 characters to choose from so for a length of 8 there are 8^62 possible passwords.
This equals 9.8*10^55 so if they can crack it in 4 months (120 days) then they can try 9.46*10^48 per second (which I don't believe). So I think the 8 char limit is fine. However, every character you add multiplies the possible number of passwords by 62.
So if they could crack an 8 char in 4 months, it would take 4*62 = 248 months > 20 years to crack a 9 character one.
So add one character and now you're good for a 20 year limit.
"If the formula is a linear one,:"
The formula is not linear, it is much more favorable.
in one character you have 62 or so possible passwords, with 2 characters you have many many more than 124 possible combinations. (almost 4000)
A possible strategy would be to lock out password tries for say an hour after 10 or so bad tries.
Microsoft recommends 14 long at:
http://www.microsoft.com/security/online-privacy/passwords-create.aspx

The problem as I see it with long passwords or difficult passwords is that my users start writing them down and placing them close to their computer.

Not sure any kind of formula will help.  

We change ours every three months with the same criteria you use, but if you check that for strength at the above link it reports weak.  LOL

Extending the length also increases the possibility that someone else will discover their password somehow, and internal is probably more of a problem than external theft of data/info.

ASKER CERTIFIED SOLUTION
TommySzalapski
Do you have an account lockout policy?  If you have a 3-attempt lockout for 5-15 minutes, any recommended age you would like.

Thanks.
mug
Scott Lamond (asker):

Tommy, thanks for the input. I'll just wait for a few other responses before making any final decision.

I DID want to ask one more question, that would be more addressed to those experts that are familiar with Microsoft's Active Directory (in our Windows 2033 SBS environment).
If and when I make a password policy change, how does it immediately impact users, so I can let them know what to expect. That is, will they be required to immediately change their password, or change it upon next login, or will they only be required to change it when their current password expires?
"Windows 2003" not "2033". Couldn't find an EDIT button (should have proof read).
S.
You can click a button to immediately expire everyone's passwords. Otherwise it will implement the change the next time they change their passwords.
"A possible strategy would be to lock out password tries for say an hour after 10 or so bad tries."
This doesn't stop brute force attacks since they are usually done by grabbing the SAM file and running the attacks on that on their own computers. Otherwise they could only try a few passwords per second and a 4 character password would be secure.
As an aside, I found this claim on a hacker site's message board. It's part of a post titled "Cracking the SAM File" and has some interesting references to machine and program capabilities:

"Most of these programs test about 4 to 5 million passwords per second, at least on my machine, so if the password if below 7 characters, it should be able to crack it in one day. However, if the password is 7 or more characters in length, then it will take a substantial amount of time. When I did this, my password was 7 characters in length and it took my computer just over 3 days to crack it."

It would be interesting to use the (7 characters = 3 days) benchmark and reapply the math.
I would assume it would be:

   8 characters = 3 days * 62 = 186 days (26 weeks or 6 months)
I accidentally flipped my formula and wrote 8^62 instead of 62^8 like it should have been.
The 4 month figure assumes only 21 million per second which is doable. So that makes more sense.
The multiplying by 62 for each added character was correct so all of that is still right.

7 characters in three days (if you assume the same set of 62) means 13.6 million per second.
If you use his 5,000,000 per second number and only upper and lower case then you could crack it in 2 days and 9 hours (which may be where he got his 3 day number from)
The formula is just chars^length and then you divide that by however many you can do per second or per day or whatever.

"I would assume it would be:    8 characters = 3 days * 62 = 186 days (26 weeks or 6 months)"
Absolutely. That is correct.

So even with a supercomputer the 14 char suggestion by MS would currently be basically impossible to crack using brute force methods. You would need to try over 393,257,529,003,600,000 passwords per second to crack it within a year. So maybe with one million teraflop computers all going at it at the same time, you could get it in a year.
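The arithmetic the answers converge on (candidates = chars^length, time = candidates / guesses per second, each extra character multiplying the space by the alphabet size), written out as an added Python example that is not code from the thread or from any poster. It reproduces the 21 million/s, 13.6 million/s, "2 days 9 hours" and 14-character figures quoted above, and goes one step further than the thread by counting how many 8-character strings actually satisfy a "3 of 4 character classes" rule via inclusion-exclusion. The 33-character symbol class and all guess rates are constructed inputs, not values the thread fixes.

```python
"""Brute-force keyspace arithmetic for the password-policy thread above.

Added example, not code from the thread or from any poster. It implements the
formula the answers settle on (candidates = alphabet ** length, time = candidates
/ guesses_per_second) and adds an inclusion-exclusion count for the "3 of 4
character classes" rule. The 33-character symbol class and every guess rate are
constructed inputs, not figures the thread fixes.
"""
from itertools import combinations

# Character classes named in the thread; the symbol-class size is an assumption.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
SECONDS_PER_DAY = 86_400


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates to try: alphabet_size ** length (not length ** alphabet_size,
    the transposition corrected later in the thread)."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case: every candidate is tried once. Expected time is half of this."""
    return keyspace(alphabet_size, length) / guesses_per_second


def rate_needed(alphabet_size: int, length: int, seconds: float) -> float:
    """Guesses per second required to exhaust the space within `seconds`."""
    return keyspace(alphabet_size, length) / seconds


def scaled_crack_months(base_months: float, base_length: int, new_length: int, alphabet_size: int) -> float:
    """Rescale a known crack time to another length at the same guess rate:
    each extra character multiplies the time by alphabet_size, so the growth is
    exponential, not the linear (8 * 6 / 4 = 12) guess from the question."""
    return base_months * alphabet_size ** (new_length - base_length)


def count_with_at_least(classes: dict, length: int, min_classes: int) -> int:
    """Strings of `length` over the union of `classes` that use at least
    `min_classes` distinct classes (the complexity rule). For each candidate set
    of used classes, inclusion-exclusion over its sub-alphabets yields the number
    of strings that use exactly those classes; those counts are then summed."""
    names = list(classes)
    total = 0
    for k in range(min_classes, len(names) + 1):
        for used in combinations(names, k):
            exact = 0
            for j in range(len(used) + 1):
                for sub in combinations(used, j):
                    size = sum(classes[c] for c in sub)
                    exact += (-1) ** (len(used) - j) * size ** length
            total += exact
    return total


def crack_table(alphabet_size: int, lengths, guesses_per_second: float) -> dict:
    """Days to exhaust each length at a constant guess rate."""
    return {n: seconds_to_exhaust(alphabet_size, n, guesses_per_second) / SECONDS_PER_DAY
            for n in lengths}


if __name__ == "__main__":
    # Guess rate implied by "8 characters of 62 in 4 months (120 days)".
    rate = rate_needed(62, 8, 120 * SECONDS_PER_DAY)
    print(f"implied rate: {rate:,.0f} guesses/s")
    for n, days in crack_table(62, range(7, 15), rate).items():
        print(f"{n:2d} chars: {days:>24,.1f} days")
    print("9 chars at that rate:", scaled_crack_months(4, 8, 9, 62), "months")
    full = keyspace(sum(CLASSES.values()), 8)
    ok = count_with_at_least(CLASSES, 8, 3)
    print(f"8-char strings meeting '3 of 4': {ok:,} of {full:,} ({ok / full:.1%})")
```

Two caveats the table makes visible: the figures are worst-case exhaustive search at a fixed rate, so a real attacker finds the password in about half that time on average, and the guess rates quoted in the thread are offline-cracking rates against a copied password database, which is why an online lockout policy (L40, L62) does not change them. The "3 of 4" count also shows that a complexity rule removes candidates rather than adding them; the extra length is what moves the exponent.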
I have decided to stick with our current 8 character password length and complexity settings and to change our expiration policy to 6 months.