Saturday, October 11, 2008

More password cracking statistics

In my last post I talked about how we anonymized our password database, and took a random sample of hashes to attack with a dictionary. In this post I'd like to talk about the results that we got when we took the same random sample and attacked it with rainbow tables.

I have to say that even I was shocked by these statistics: 84.07% of the passwords in the sample were broken by the rainbow table attack. Incidentally, we used Ophcrack with the fast Windows XP table.

The average length of a cracked password was 7.84 characters with a standard deviation of 1.70 characters. I still see a lot of password policies written that prescribe passwords to be at least 8 characters long. Statistically speaking, almost half of the broken passwords were at least 8 characters long.

Of the broken passwords, only 2 had four character types. Not 2%, but 2. As a percentage it was 0.22%. 12.15% had three character types, 40.69% had two character types, and 44.82% had only one character type.
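For anyone wanting to produce the same kind of summary from their own audit output, here is an added example (not code from the original post) that takes the list of cracked passwords plus the size of the sampled hash set and computes the crack rate, the mean and standard deviation of cracked-password length, the share at 8 or more characters, and the character-type breakdown. The password list and sample size are constructed for illustration.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample of cracked passwords, standing in for the audit
# output described in the post (not real data from its sample).
CRACKED = [
    "password", "Summer08", "letmein1", "qwerty", "P@ssw0rd",
    "football", "123456", "welcome1", "Abc123", "monkey12",
]
SAMPLE_SIZE = 12  # constructed: number of hashes in the audited sample


def char_types(pw: str) -> int:
    """Count distinct character classes present: lower, upper, digit, other.

    'Other' is any non-alphanumeric character (punctuation, space, etc.).
    """
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return sum(classes)


def audit_stats(cracked, sample_size):
    """Summarise a cracked subset of a sample the way the post reports it."""
    n = len(cracked)
    lengths = [len(pw) for pw in cracked]
    type_counts = Counter(char_types(pw) for pw in cracked)
    return {
        "cracked_pct": round(100.0 * n / sample_size, 2),
        "avg_len": round(mean(lengths), 2),
        "len_stddev": round(pstdev(lengths), 2),  # population std dev
        "at_least_8_pct": round(100.0 * sum(l >= 8 for l in lengths) / n, 2),
        # Raw counts matter too: "only 2 had four character types" is
        # more telling than a percentage on a small sample.
        "types_count": {k: type_counts[k] for k in (1, 2, 3, 4)},
        "types_pct": {k: round(100.0 * type_counts[k] / n, 2) for k in (1, 2, 3, 4)},
    }


if __name__ == "__main__":
    for key, value in audit_stats(CRACKED, SAMPLE_SIZE).items():
        print(f"{key}: {value}")
```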

As I mentioned in my previous post, I plan to use this data after we've implemented our new password policy to measure its success. It would be interesting to know if other organizations audit their passwords like this and what kind of statistics they have found.
