It is really hard to answer this one because it really "all depends" on a lot of things - mainly how long it would take to test one password. This can vary with system setup - if the user has access to the password hashes, etc.

If you are trying to make up some stats you could do something like this (I assume you know this):

26 + 26 + 10 + 10 = 72 characters

arranged 20 ways
20^72 * time to crack one password == a lot of time

arranged 15 ways
15^72 * time to crack one password == a bit less time

This is assuming there isn't some shortcut to figuring out the password - like it is on a sticky note on someone's monitor (which probably will happen if you are having such long passwords that are changing frequently).

Laters,
Dan

On Tue, Jun 30, 2009 at 9:39 AM, craig bowser<[email protected]> wrote:
> Does anyone know a good reference for listing password cracking times? I'm
> trying to find some stats to determine if we should pick a 20+ character
> password for service accounts and only change every 6 or 12 months or pick a
> shorter password length (10-12 characters) and change every 90 days or so.
> All passwords would be using all four character sets (Aa1!).
>
> Thanks.
>
> Craig L. Bowser
> CISSP SANS GSEC (Gold)
> -------------------------------
> Nothing makes a person more productive than the last minute. - Contributed
> by Jeff Pappas
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
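
An added example, not part of the original thread: a small model that compares the policies in the question by how much of the keyspace an exhaustive search could cover before the password is rotated. It takes the keyspace as the alphabet size raised to the password length, using the 72-character count from the reply; the guess rates, policy labels and function names are assumptions chosen for illustration, not measurements.

```python
ALPHABET = 26 + 26 + 10 + 10   # character count used in the reply (72)
SECONDS_PER_DAY = 86_400

def keyspace(length, alphabet=ALPHABET):
    """Number of possible passwords of exactly `length` characters."""
    return alphabet ** length

def fraction_searched(length, rotation_days, guesses_per_second, alphabet=ALPHABET):
    """Share of the keyspace an exhaustive search covers before the
    password is rotated, capped at 1.0 (whole keyspace exhausted)."""
    tried = guesses_per_second * rotation_days * SECONDS_PER_DAY
    return min(1.0, tried / keyspace(length, alphabet))

def years_to_exhaust(length, guesses_per_second, alphabet=ALPHABET):
    """Worst-case time to try every password, in years."""
    return keyspace(length, alphabet) / guesses_per_second / (SECONDS_PER_DAY * 365)

# Policies taken from the question: (label, length, rotation period in days).
POLICIES = [
    ("10 chars / 90 days", 10, 90),
    ("12 chars / 90 days", 12, 90),
    ("20 chars / 180 days", 20, 180),
    ("20 chars / 365 days", 20, 365),
]

# Constructed guess rates (assumptions): the real figure depends on whether
# the hashes are exposed and on how expensive one password test is.
RATES = {
    "online, throttled": 10,
    "offline, slow hash": 1e5,
    "offline, fast hash": 1e11,
}

def compare(policies=POLICIES, rates=RATES):
    """Return (policy, rate label, fraction searched, years to exhaust) rows."""
    rows = []
    for name, length, days in policies:
        for label, rate in rates.items():
            rows.append((name, label,
                         fraction_searched(length, days, rate),
                         years_to_exhaust(length, rate)))
    return rows

if __name__ == "__main__":
    for name, label, frac, years in compare():
        print(f"{name:<20} {label:<20} searched={frac:.3e}  exhaust={years:.3e} years")
```

The model covers brute force only; it says nothing about guessable passwords or a password written down next to the machine.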
