## Saturday, December 16, 2006

### How to defend Password Guessing

We all would have experienced the pain of having to change passwords after every "X" days in some system, mostly our corporate mail a/c. This "X" is usually derived from a formula composed by Anderson. Let P be the probability that a cracker could guess the password and G is the number of guesses that could be tested in one time unit and T is the time units during which the guessing occurs and N be the number of possible passwords, then P >= TG/N. Let me give an example.
Suppose your are allowed to choose a password which is 6 chars long and the password can contain only a-z, A-Z, 0-9. If the attacker could guess 10,000 pwd /sec. If the probability that a cracker could guess is 0.5 then what is the time frame in which the password would be compromised ?
Here P = 0.5
G = 10,000
N = A^S where A is the no of allowed chars in the password and S is the length of the password. Here A - 26 + 26 + 10 = 62 and S - 6, so N = 62 ^ 6
Now we want to find T and from Anderson's formula, T <= NP/G
T <= 62 ^ 6 * 0.5 / 10,000
<= 2,840,012 sec
<= 33 days
So the password needs to be changed every 33 days so that the probability for the password getting compromised is 0.5. I think the corporates would use the same formula for their security policies.
A good essay on real world password analysis from schneier here