John said:
Hello,
I need to know if there are any hard numbers available
about cracking passwords. Some of my users are
complaining about needing to change their passwords "so
often". I've given them the usual speech about passwords
more than once and I need some factual numbers to show
everyone how quickly a password can be cracked and a
system/network compromised. I have seen articles in several
publications on this in the past.
Thank you.

personally i think forced changing of passwords is a waste of time.
requiring strong passwords is much more important. combine this with
automatic lockouts and auditing of failures and you are better off than
forcing users to change passwords regularly.
if the computer is lost or stolen, all bets are off. physical access to a
windows machine trumps passwords every time.
why strong passwords and lockouts instead of changing passwords? weak
passwords can be cracked quickly if the system does not automatically lock
out the account after a couple of failures. strong passwords cause repeated
lockouts and should show in an audit of login failures pointing out that an
attack is in progress. if you are the target of an attack and know it then you
can take other action as required to track and block it.
forcing users to change passwords regularly results in several undesirable
things:
1. users rotate some easily remembered password sequence, usually resulting
in weak passwords even if the system requires strong ones. passwords used
in a system that requires frequent changes are things like: Pass1234,
Asdf1234, David000, Fdsa0000, and other such minimum length combinations of
dictionary words and numbers... almost as easy to guess as weak passwords.
2. users forget passwords or mess up the change process resulting in login
failures and more work for IT personnel, taking their time away from finding
and possibly masking real attacks.
3. probably more frequent use of yellow post-its to remember the current
password.
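The reply above argues that strong passwords plus automatic lockouts plus auditing of login failures are a better control than forced rotation, because a guessing attempt against a strong password surfaces as a burst of failures and a lockout that an audit can flag. The following Python script is an added example (mine, not the poster's or any product's code) of that lockout-and-audit logic. It assumes a simplified, made-up log line format and constructed sample entries; the policy numbers (5 failures in 10 minutes, 30-minute lockout) are illustrative defaults, not values the thread specifies.

```python
"""Audit login failures and apply an automatic lockout policy (added example)."""
import re
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample lines in a simplified, invented log format (not real sshd output).
SAMPLE_LOG = """\
2024-03-01T09:00:01 auth: Failed password for alice from 203.0.113.7
2024-03-01T09:00:03 auth: Failed password for alice from 203.0.113.7
2024-03-01T09:00:04 auth: Failed password for alice from 203.0.113.7
2024-03-01T09:00:05 auth: Failed password for alice from 203.0.113.7
2024-03-01T09:00:06 auth: Failed password for alice from 203.0.113.7
2024-03-01T09:00:07 auth: Accepted password for alice from 203.0.113.7
2024-03-01T09:15:00 auth: Failed password for bob from 192.0.2.10
2024-03-01T09:45:00 auth: Failed password for bob from 192.0.2.10
2024-03-01T10:30:00 auth: Accepted password for bob from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


@dataclass
class LockoutPolicy:
    threshold: int = 5                           # failures that trigger a lockout
    window: timedelta = timedelta(minutes=10)    # failures must fall inside this window
    duration: timedelta = timedelta(minutes=30)  # how long the account stays locked


@dataclass
class AuditResult:
    locked_until: dict = field(default_factory=dict)      # user -> datetime
    alerts: list = field(default_factory=list)            # human-readable findings
    failures_by_source: Counter = field(default_factory=Counter)


def parse_line(line):
    """Return (timestamp, outcome, user, source), or None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["src"]


def audit(log_text, policy=None):
    """Replay the log in order, locking accounts that exceed the failure threshold."""
    policy = policy or LockoutPolicy()
    result = AuditResult()
    recent = defaultdict(deque)  # user -> timestamps of failures inside the window
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, outcome, user, src = parsed
        # While locked, every attempt is rejected and recorded, whatever the password.
        if user in result.locked_until and ts < result.locked_until[user]:
            result.alerts.append(f"{ts.isoformat()} attempt on locked account {user} from {src}")
            continue
        if outcome == "Accepted":
            recent[user].clear()  # a successful login resets the failure counter
            continue
        result.failures_by_source[src] += 1
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > policy.window:
            q.popleft()  # forget failures that fell out of the window
        if len(q) >= policy.threshold:
            result.locked_until[user] = ts + policy.duration
            result.alerts.append(
                f"{ts.isoformat()} LOCKOUT {user}: {len(q)} failures within "
                f"{policy.window} from {src}"
            )
            q.clear()
    return result


if __name__ == "__main__":
    r = audit(SAMPLE_LOG)
    for alert in r.alerts:
        print(alert)
    print("failures by source:", dict(r.failures_by_source))
```

On the sample, alice's five failures in six seconds trigger a lockout and the later correct login is rejected as an attempt on a locked account, which is exactly the audit signal the reply describes; bob's two failures half an hour apart never reach the threshold, so an occasional typo does not lock a legitimate user out. The per-source counter is what you would feed a blocklist or an alert on a single address generating failures across many accounts.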