James,
The password problem is not one of brute force. Believe me, I use these figures frequently when discussing things with Executives, because Bink's chart (BTW not a name loved in the MVP Community - and shame on MS for caving) is very impressive. But, if I can grab some pertinent data (pwdump, etc.) and use tools such as John the Ripper or L0phtCrack, then these numbers are meaningless as the brute force element is no longer in play.

The reason that it is important to change passwords on some relative frequency is not because Stephen Bink is right - because he is - if pure math is all that is at work. The reason to change passwords at some relative frequency is to ensure that you are lessening the risk of compromise due to a number of other factors that have nothing to do with brute force.

Let's look at it from another perspective: Security is ALL ABOUT reducing the Attack Surface. We as the Defenders have a hard job - we are required to secure and strengthen each and every nook and cranny of our computers, OSs, networks, buildings, etc. The attackers have an advantage - they can attack that one small area that we missed or didn't bolster to a sufficient level. And, if they can't get it immediately, they can chip away a little bit at a time until they do in a very quiet and clandestine way.

This is why we change passwords frequently - because you just don't know who is using your user's username and password.
Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 24, 2003 9:33 PM
To: [EMAIL PROTECTED]
http://support.microsoft.com/default.aspx?scid=/servicedesks/webcasts/wc022703/wcblurb022703.asp
The below is referenced from http://winxp.bink.nu/ :

Interesting password points:
Password length and possible permutations:
6 characters = 689,869,781,056
7 characters = 64,847,759,419,264
8 characters = 6,095,689,385,410,816
9 characters = 572,994,802,228,616,704
10 characters = 53,861,511,409,489,970,176
Given a 60 day password expiry date and a password of 7 characters, it would require about 7,407,407 logon attempts per second to find the password. Play the lottery, the odds are much better!
Password security recommendations:

Security   Account Lockout        Password Policy Settings                                                   Cost
Category   Settings**             (no label)  Max Password Age  Password Age  Password Length  (no label)
Low        -    -    -            3           42                0             0                disabled      Low
Medium     10   30   30           24          42                1             7                enabled       Medium
High       10   30   Infinite/0   24          42                1             8                enabled       High
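An added example, not part of the original thread or of bink.nu, that recomputes the permutation figures above (they are 94 to the power of the length, the printable-ASCII set without space, which is an assumption here) and contrasts the guess rate brute force would need inside an expiry window with the online guessing bound that the table's Account Lockout threshold and reset window actually impose; the column meanings (lockout threshold 10, counter reset 30 minutes) are assumptions since the sub-column headers were lost:

```python
# Added example (not from the original e-mail thread). Recomputes the quoted
# permutation counts and bounds online versus offline guessing for a defender's
# risk estimate. Charset size and lockout column meanings are assumptions.

PRINTABLE_ASCII = 94  # assumption: the charset behind the quoted figures


def keyspace(length, charset=PRINTABLE_ASCII):
    """Number of distinct passwords of exactly `length` characters."""
    return charset ** length


def guesses_per_second_needed(length, expiry_days, charset=PRINTABLE_ASCII):
    """Guess rate (rounded down) required to exhaust the whole keyspace
    before the password expires, i.e. the pure-math brute-force figure."""
    seconds = expiry_days * 24 * 60 * 60
    return keyspace(length, charset) // seconds


def online_guesses_allowed(threshold, reset_minutes, expiry_days):
    """Upper bound on failed logon attempts against one account during the
    expiry window if the attacker never trips the lockout threshold: at most
    `threshold` failures per `reset_minutes` observation window (assumption:
    these are the lockout threshold and reset-counter columns of the table)."""
    windows = expiry_days * 24 * 60 // reset_minutes
    return windows * threshold


def fraction_of_keyspace_searchable(length, threshold, reset_minutes,
                                    expiry_days, charset=PRINTABLE_ASCII):
    """Share of the keyspace an online guesser can cover under lockout.
    Offline cracking of a dumped hash database (the thread's pwdump point)
    is not subject to this bound, which is why lockout alone is no answer."""
    allowed = online_guesses_allowed(threshold, reset_minutes, expiry_days)
    return allowed / keyspace(length, charset)


if __name__ == "__main__":
    for n in range(6, 11):
        print(f"{n} characters = {keyspace(n):,}")
    rate = guesses_per_second_needed(7, 60)
    print(f"{rate:,} guesses/s to exhaust 7 characters inside 60 days")
    allowed = online_guesses_allowed(10, 30, 60)  # table's Medium lockout row
    print(f"Medium lockout policy permits at most {allowed:,} online guesses "
          f"in 60 days, {fraction_of_keyspace_searchable(7, 10, 30, 60):.2e} "
          f"of the 7-character keyspace")
```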