Why put this in the policy? To make it hard for a malicious user to discover a password. In today's fast computing world, passwords are more susceptible than ever.

 

Here is the story behind it. Let's discuss 3 scenarios:

 

| Case | Password length | Characters allowed | Password expiry (days) |
|---|---|---|---|
| Case 1 | 6 | 94 (upper, lower chars, numbers & special chars) | 70 |
| Case 2 | 8 | 94 (upper, lower chars, numbers & special chars) | 70 |
| Case 3 | 8 | 62 (alphanumeric) | 70 |

 

Case # 1

 

When you enforce password complexity with a password length of 6 and set the password to expire in 70 days, a user can choose from the following characters:

 

1. 26 lowercase characters

2. 26 uppercase characters

3. 32 special characters

4. 10 numbers

 

This means that:

- 26 + 26 + 32 + 10 = 94 possible characters in a password

- Password length policy = 6

- 94^6 = 689,869,781,056 unique password permutations

- 70-day password expiry policy

- 689,869,781,056 divided by (70 days × 24 hours × 60 min × 60 sec) = 114,066

- 114,066 attempts/second are needed to try every permutation, and so be sure of discovering the password, before it *EXPIRES*.

 

- 133,077 attempts/second = 60-day password expiry

- 114,066 attempts/second = 70-day password expiry

- 99,808 attempts/second = 80-day password expiry

- 88,718 attempts/second = 90-day password expiry

- 79,846 attempts/second = 100-day password expiry

Case # 2

    

This means that:

- 26 + 26 + 32 + 10 = 94 possible characters in a password

- Password length policy = 8

- 94^8 = 6,095,689,385,410,816 unique password permutations

- 70-day password expiry policy

- 6,095,689,385,410,816 divided by (70 days × 24 hours × 60 min × 60 sec) = ~1 billion

- 1 billion attempts/second are needed to try every permutation, and so be sure of discovering the password, before it *EXPIRES*.

 

- 1,175,866,007 attempts/second = 60-day password expiry

- 1,007,885,149 attempts/second = 70-day password expiry

- 881,899,505 attempts/second = 80-day password expiry

- 783,910,671 attempts/second = 90-day password expiry

- 705,519,604 attempts/second = 100-day password expiry

 

 

Case # 3

 

This means that:

- 26 + 26 + 10 = 62 possible characters in a password

- Password length policy = 8

- 62^8 = 218,340,105,584,896 unique password permutations

- 70-day password expiry policy

- 218,340,105,584,896 divided by (70 days × 24 hours × 60 min × 60 sec) = 36,101,208

- 36,101,208 attempts/second are needed to try every permutation, and so be sure of discovering the password, before it *EXPIRES*.

 

- 42,118,076 attempts/second = 60-day password expiry

- 36,101,208 attempts/second = 70-day password expiry

- 31,588,557 attempts/second = 80-day password expiry

- 28,078,717 attempts/second = 90-day password expiry

- 25,270,846 attempts/second = 100-day password expiry

 

Note: An account lockout policy is always there to save us.
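
The arithmetic from the three cases as a small policy calculator, extended to two questions they raise: the shortest length that outlasts a given guess rate, and how many guesses a lockout policy lets through before expiry. This is an added example, not part of the original post; the 10 billion guesses/second rate and the lockout of 5 failures per 30 minutes are assumed values, and the lockout model is a simplified upper bound.

```python
# Added example: generalises the keyspace / expiry arithmetic from the cases above.
SECONDS_PER_DAY = 24 * 60 * 60


def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters."""
    return charset_size ** length


def required_rate(charset_size: int, length: int, expiry_days: int) -> int:
    """Guesses/second needed to try every password before expiry (nearest integer)."""
    window = expiry_days * SECONDS_PER_DAY
    # Integer round-half-up avoids float error on 16-digit keyspaces.
    return (2 * keyspace(charset_size, length) + window) // (2 * window)


def min_length(charset_size: int, expiry_days: int, attacker_rate: int) -> int:
    """Shortest length whose keyspace cannot be exhausted before expiry
    at `attacker_rate` guesses/second (attacker_rate is an assumed input)."""
    budget = attacker_rate * expiry_days * SECONDS_PER_DAY
    length = 1
    while keyspace(charset_size, length) <= budget:
        length += 1
    return length


def online_guesses(threshold: int, reset_minutes: int, expiry_days: int) -> int:
    """Upper bound on guesses against one account before expiry when lockout
    admits `threshold` failures per `reset_minutes` window (simplified model)."""
    windows = (expiry_days * 24 * 60) // reset_minutes
    return threshold * windows


if __name__ == "__main__":
    for name, chars, length in [("Case 1", 94, 6), ("Case 3", 62, 8)]:
        print(f"{name}: {required_rate(chars, length, 70):,} attempts/second")
    # Assumed attacker speed: 10 billion guesses/second.
    print("Minimum length at 94 chars, 70 days:", min_length(94, 70, 10_000_000_000))
    # Constructed lockout policy: 5 failures per 30 minutes.
    allowed = online_guesses(5, 30, 70)
    print(f"Lockout admits {allowed:,} of {keyspace(94, 6):,} guesses in 70 days")
```

With the assumed lockout in place, an online attacker gets 16,800 guesses in 70 days against the 689,869,781,056 permutations of Case 1, which is why the attempts/second figures above matter mainly where lockout does not apply.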