We have all experienced the pain of having to change passwords every "X" days in some system, most often our corporate mail account. This "X" is usually derived from a formula by Anderson. Let P be the probability that a cracker could guess the password, G the number of guesses that can be tested in one time unit, T the number of time units during which the guessing occurs, and N the number of possible passwords; then P >= TG/N. Let me give an example.

Suppose you are allowed to choose a password that is 6 characters long and may contain only a-z, A-Z and 0-9, and the attacker can test 10,000 passwords per second. If the probability that a cracker could guess the password is 0.5, what is the time frame in which the password would be compromised?

Here P = 0.5

G = 10,000

N = A^S, where A is the number of allowed characters and S is the length of the password. Here A = 26 + 26 + 10 = 62 and S = 6, so N = 62^6

Now we want to find T and from Anderson's formula, T <= NP/G

T <= 62^6 * 0.5 / 10,000

<= 2,840,012 sec

<= 33 days

So the password needs to be changed every 33 days to keep the probability of the password being compromised at 0.5. I think the corporates would use the same formula for their security policies.
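The same calculation in code, as an added example (not from the original post): it rearranges Anderson's bound P >= TG/N three ways, so that a policy author can derive the change interval T, the probability P reached by a guessing campaign of a given length, or the minimum password length S needed for a desired interval. The guess rate G is an input assumption; the 10,000 guesses/sec from the post is only a worked value.

```python
def password_space(alphabet_size: int, length: int) -> int:
    """N = A^S: number of possible passwords for the allowed charset and length."""
    return alphabet_size ** length


def max_change_interval_seconds(p: float, guesses_per_sec: float,
                                alphabet_size: int, length: int) -> float:
    """Anderson's bound solved for T: T <= N * P / G (seconds, with G per second)."""
    n = password_space(alphabet_size, length)
    return n * p / guesses_per_sec


def compromise_probability(t_seconds: float, guesses_per_sec: float,
                           alphabet_size: int, length: int) -> float:
    """Anderson's bound solved for P: P >= T * G / N, capped at 1.0.

    A result of 1.0 means the attacker can try every password within T,
    so the change interval buys no protection at that guess rate."""
    n = password_space(alphabet_size, length)
    return min(1.0, t_seconds * guesses_per_sec / n)


def min_length_for_interval(t_seconds: float, p: float, guesses_per_sec: float,
                            alphabet_size: int) -> int:
    """Smallest S such that A^S * P / G >= T, i.e. the policy's chosen
    change interval keeps the compromise probability at or below P."""
    needed_space = t_seconds * guesses_per_sec / p
    length = 1
    while password_space(alphabet_size, length) < needed_space:
        length += 1
    return length


if __name__ == "__main__":
    # The post's worked example: A = 62, S = 6, G = 10,000/sec, P = 0.5.
    t = max_change_interval_seconds(0.5, 10_000, 62, 6)
    print(f"N = {password_space(62, 6):,}")
    print(f"T <= {t:,.0f} sec = {t / 86400:.1f} days")
    # Same policy but a 90-day rotation: the bound saturates at 1.0.
    print(f"P after 90 days: {compromise_probability(90 * 86400, 10_000, 62, 6):.2f}")
    # Length needed to keep P <= 0.5 over a 90-day rotation at this guess rate.
    print(f"S for 90 days: {min_length_for_interval(90 * 86400, 0.5, 10_000, 62)}")
```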

A good essay on real-world password analysis from Schneier here
