Password Policy

For the past few years my company has been using a password policy that I crafted based on reading various online tech articles. Our current policy is to require password changes every 4 months, to require an 8 character minimum and to require the standard Microsoft complexity (3 of the following 4: Capital letter, lowercase letter, number and alphanumeric).

The design of this policy will supposedly protect us against a brute force attack. Such an attack will allegedly take 4 months to run through every possible combination of characters in a complex password with a length of 8 characters.

I would like to increase the complexity of the password in exchange for an increased password age of 6 months. Every time a password cycle hits we have a rash of issues with users forgetting their new password, their mobile phones' email not working because of their cache needing to be cleared (battery removal trick) or some other password related issues.

The question is: what minimum password length would be required to maintain the same level of security at a 6 month maximum password age?

If the formula is a linear one, I would think it would be:

   (8-characters) * (6-months) / (4-months) = 12 characters


But, I'm not confident in my simple assumptions.
:)

S.
 

slamondAsked:
 
TommySzalapskiCommented:
The real reason to have a time limit on passwords is because people get sloppy and use the same one for too many things or leave it somewhere or get tricked into typing it somewhere that it can be stolen or something like that. People who want to crack passwords usually try on a large group of users at a time hoping one of them managed to get a weak password in there.
If my password is Szalapski83 then it will pass your test and survive a brute force attack, but most attackers will crack it in seconds (especially if they know that 83 is my birth year). Even more important than moving from 8 to 9 characters is convincing people not to use real words, names, or dates in their passwords.
0
 
TommySzalapskiCommented:
It's not even close to linear. If you are using upper and lower case and digits then there are 26+26+10=62 characters to choose from so for a length of 8 there are 8^62 possible passwords.
This equals 9.8*10^55 so if they can crack it in 4 months (120 days) then they can try 9.46*10^48 per second (which I don't believe). So I think the 8 char limit is fine. However, every character you add multiplies the possible number of passwords by 62.
So if they could crack an 8 char in 4 months, it would take 4*62 = 248 months > 20 years to crack a 9 character one.
So add one character and now you're good for a 20 year limit.
0
 
aburrCommented:
"If the formula is a linear one,"
The formula is not linear, it is much more favorable.
In one character you have 62 or so possible passwords, with 2 characters you have many many more than 124 possible combinations. (almost 4000)
A possible strategy would be to lock out password tries for say an hour after 10 or so bad tries.
0
 
pjamCommented:
Microsoft recommends 14 long at:
http://www.microsoft.com/security/online-privacy/passwords-create.aspx

The problem as I see it with long passwords or difficult passwords is that my users start writing them down and placing them close to their computer.

Not sure any kind of formula will help.  

We change ours every three months with the same criteria you use, but if you check that for strength at the above link it reports weak.  LOL

Extending the length also increases the possibility that someone else will discover their password somehow and internal is probably more of a problem than external theft of data/info.

0
 
Kris MontgomeryCommented:
Do you have an account lockout policy?  If you have a 3-attempt lockout for 5-15 minutes, any recommended age you would like.

Thanks.
mug
0
 
slamondAuthor Commented:
Tommy, thanks for the input. I'll just wait for a few other responses before making any final decision.

I DID want to ask one more question, that would be more addressed to those experts that are familiar with Microsoft's Active Directory (in our Windows 2033 SBS environment).
If and when I make a password policy change, how does it immediately impact users, so I can let them know what to expect. That is, will they be required to immediately change their password, or change it upon next login, or will they only be required to change it when their current password expires?
0
 
slamondAuthor Commented:
"Windows 2003" not "2033". Couldn't find an EDIT button (should have proofread).
S.
0
 
TommySzalapskiCommented:
You can click a button to immediately expire everyone's passwords. Otherwise it will implement the change the next time they change their passwords.
0
 
TommySzalapskiCommented:
"A possible strategy would be to lock out password tries for say an hour after 10 or so bad tries."
This doesn't stop brute force attacks since they are usually done by grabbing the SAM file and running the attacks on that on their own computers. Otherwise they could only try a few passwords per second and a 4 character password would be secure.
0
 
slamondAuthor Commented:
As an aside, I found this claim on a hacker site's message board. It's part of a post titled "Cracking the SAM File" and has some interesting references to machine and program capabilities:

"Most of these programs test about 4 to 5 million passwords per second, at least on my machine, so if the password is below 7 characters, it should be able to crack it in one day. However, if the password is 7 or more characters in length, then it will take a substantial amount of time. When I did this, my password was 7 characters in length and it took my computer just over 3 days to crack it."

It would be interesting to use the (7 characters = 3 days) benchmark and reapply the math.
I would assume it would be:

   8 characters = 3 days * 62 = 186 days (26 weeks or 6 months)
0
 
TommySzalapskiCommented:
I accidentally flipped my formula and wrote 8^62 instead of 62^8 like it should have been.
The 4 month figure assumes only 21 million per second which is doable. So that makes more sense.
The multiplying by 62 for each added character was correct so all of that is still right.

7 characters in three days (if you assume the same set of 62) means 13.6 million per second.
0
 
TommySzalapskiCommented:
If you use his 5,000,000 per second number and only upper and lower case then you could crack it in 2 days and 9 hours (which may be where he got his 3 day number from)
0
 
TommySzalapskiCommented:
The formula is just chars^length and then you divide that by however many you can do per second or per day or whatever.

"I would assume it would be: 8 characters = 3 days * 62 = 186 days (26 weeks or 6 months)"
Absolutely. That is correct.

So even with a supercomputer the 14 char suggestion by MS would currently be basically impossible to crack using brute force methods. You would need to try over 393,257,529,003,600,000 passwords per second to crack it within a year. So maybe with one million teraflop computers all going at it at the same time, you could get it in a year.
0
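The chars^length arithmetic used in this thread, as an added example that is not part of the original posts: it recomputes the guess rates implied by the figures quoted above and finds the minimum length whose full keyspace outlasts a given maximum password age. Function names are hypothetical; the 62-character set, the 52-letter set, and the time and rate figures are the ones from the thread.

```python
DAY = 86_400  # seconds per day

def keyspace(charset_size, length):
    """Number of possible passwords: chars^length."""
    return charset_size ** length

def implied_rate(charset_size, length, days):
    """Guesses per second needed to try the whole keyspace in `days`."""
    return keyspace(charset_size, length) / (days * DAY)

def exhaust_days(charset_size, length, guesses_per_sec):
    """Worst-case days to try every password at a fixed guess rate."""
    return keyspace(charset_size, length) / guesses_per_sec / DAY

def min_length(charset_size, guesses_per_sec, max_age_days):
    """Smallest length whose full keyspace cannot be tried within the age."""
    budget = guesses_per_sec * max_age_days * DAY  # guesses available
    length = 1
    while keyspace(charset_size, length) <= budget:
        length += 1
    return length

if __name__ == "__main__":
    # Rate implied by "8 characters fall in 4 months (120 days)".
    rate = implied_rate(62, 8, 120)
    print(f"implied rate, 62^8 in 120 days: {rate:,.0f}/s")
    # Rate implied by the quoted "7 characters in 3 days" benchmark.
    print(f"implied rate, 62^7 in 3 days:   {implied_rate(62, 7, 3):,.0f}/s")
    # Letters only (52 symbols), 7 characters, 5,000,000 guesses/s.
    print(f"52^7 at 5M/s: {exhaust_days(52, 7, 5_000_000):.2f} days")
    # Each added character multiplies the time by 62.
    print(f"62^9 at the 4-month rate: {exhaust_days(62, 9, rate):,.0f} days")
    # Original question: length needed for a 6 month (180 day) age.
    print(f"min length for 180 days: {min_length(62, rate, 180)}")
    # These are exhaustive-search figures over a uniform keyspace; a
    # password built from a name and a year falls far sooner.
```
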
 
slamondAuthor Commented:
I have decided to stick with our current 8 character password length and complexity settings and to change our expiration policy to 6 months.
0
Question has a verified solution.
