Saturday, December 16, 2006

How to defend Password Guessing

We have all experienced the pain of having to change passwords every "X" days in some system, mostly our corporate mail account. This "X" is usually derived from a formula due to Anderson. Let P be the probability that a cracker could guess the password, G the number of guesses that could be tested in one time unit, T the number of time units during which the guessing occurs, and N the number of possible passwords; then P >= TG/N. Let me give an example.
Suppose you are allowed to choose a password which is 6 characters long and may contain only a-z, A-Z and 0-9, and the attacker can test 10,000 passwords/sec. If the probability that a cracker could guess the password is 0.5, what is the time frame in which the password would be compromised?
Here P = 0.5
G = 10,000
N = A^S, where A is the number of allowed characters in the password and S is the length of the password. Here A = 26 + 26 + 10 = 62 and S = 6, so N = 62^6.
Now we want to find T, and from Anderson's formula, T <= NP/G
T <= 62^6 * 0.5 / 10,000
  <= 2,840,012 sec
  <= 33 days
So the password needs to be changed every 33 days so that the probability of the password being compromised stays at 0.5. I think corporations would use the same formula for their security policies.
A good essay on real-world password analysis from Schneier here.
