
Transcript
Page 1: Boring password statistics

Boring Password Statistics

Per Thorsheim

CISA, CISM, CISSP-ISSAP

Page 2: Boring password statistics
Page 3: Boring password statistics

Passwords^XX - Archives

http://ftp.ii.uib.no/pub/passwords10/

/pub/finse2011/

/pub/passwords11/

Page 4: Boring password statistics

«The Exception»

Page 5: Boring password statistics

The Exception - #1

Minimum length: 3
Change frequency / password age: 90 (days)
Password history: 0
Account lockout: 5 attempts
Reset logon count: 30 minutes
Lockout duration: 30 minutes

Page 6: Boring password statistics

The Exception - #2

# of accounts
Username = password
Password never expires
No Pwd change > 14m+

632193215305

Page 7: Boring password statistics

The Exception - #3

Chart: Entropy, anyone? (NIST SP800-63)
X axis: Password type; Y axis: Number of Accounts (0 to 450)

Letters only: 409
Digits only: 9
Letters and Digits: 201
Letters & Specials: 1
Letters, Digits & Specials: 3

Page 8: Boring password statistics

The Exception - #4

Chart: Password Length Distribution
X axis: password length (2 char to 14 char); Y axis: Number of Accounts (0 to 300); the Minimum Length is marked

2 char: 1
3 char: 2
4 char: 110
5 char: 49
6 char: 254
7 char: 144
8 char: 85
9 char: 23
10 char: 15
11 char: 5
12 char: 9
13 char: 3
14 char: 7

Page 9: Boring password statistics

The Exception - #5

RockYou statistics: Second most common password in the world

Page 10: Boring password statistics

«176»

Page 11: Boring password statistics

176 humans

Up to 24 generations of passwords available

Page 12: Boring password statistics

Length distribution

Chart: password length (7 to 15) on the X axis, 0 to 50 on the Y axis, with the minimum length requirement marked

Page 13: Boring password statistics

Chart: Per Position Entropy – LM/NTLM

Two panels, each with Pos 1 to Pos 14 on the X axis:
LM (case insensitive), Y axis 0 to 50
NTLM (Case Sensitive), Y axis 0 to 60

Page 14: Boring password statistics

# Unique Characters (NTLM)

Chart: number of unique characters (1 to 13) on the X axis, 0 to 45 on the Y axis

Page 15: Boring password statistics

Password formats (NTLM)

Chart: count (0 to 16) per password format mask (U = upper-case letter, L = lower-case letter, N = digit):

ULLLLLNN
ULLLLNNN
ULLLLLNNNN
ULLLLNNNN
ULLLLLLLNN
ULLLLLLNNNN
ULLLLLLLNNNN
ULLLNNNN
ULLLLLLLN
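The statistics charted on the preceding slides (length distribution, character-class mix, U/L/N format masks, unique-character counts and per-position entropy) are the kind a defender computes over an authorised audit of their own directory. The following is an added example, not code from the deck or its author: it computes all of them from a small constructed password list. The Shannon-entropy-per-column definition of "per position entropy" and the use of upper-case folding to model LM's case insensitivity are assumptions; the "S" mask symbol for non-alphanumeric characters is added here, since the slides show only U, L and N.

```python
"""Password audit statistics over a constructed sample.

Added example, not from the deck: computes the figures the slides chart
(length distribution, character-class mix, U/L/N format masks,
unique-character counts and per-position entropy) from a list of
plaintext passwords such as an authorised internal audit would produce.
"""
import math
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample; none of these values come from the slides.
SAMPLE = [
    "Summer2011", "Welcome1", "Password1", "Bergen12", "Finse2011",
    "qwerty", "Per1234", "Thorsheim", "Oslo2010", "12345678",
    "P@ssw0rd!", "Hello!", "Autumn99",
]

# Category labels as used on the "Entropy, anyone?" slide.
LETTERS_ONLY = "Letters only"
DIGITS_ONLY = "Digits only"
LETTERS_DIGITS = "Letters and Digits"
LETTERS_SPECIALS = "Letters & Specials"
LETTERS_DIGITS_SPECIALS = "Letters, Digits & Specials"
OTHER = "Other"  # digits+specials or specials only; not a category on the slide


def length_distribution(pwds: List[str]) -> Dict[int, int]:
    """Passwords per length (the "Password Length Distribution" chart)."""
    return dict(Counter(len(p) for p in pwds))


def char_class(pwd: str) -> str:
    """Classify a password by the character classes it contains."""
    has_letter = any(c.isalpha() for c in pwd)
    has_digit = any(c.isdigit() for c in pwd)
    has_special = any(not c.isalnum() for c in pwd)
    if has_letter and not has_digit and not has_special:
        return LETTERS_ONLY
    if has_digit and not has_letter and not has_special:
        return DIGITS_ONLY
    if has_letter and has_digit and not has_special:
        return LETTERS_DIGITS
    if has_letter and has_special and not has_digit:
        return LETTERS_SPECIALS
    if has_letter and has_digit and has_special:
        return LETTERS_DIGITS_SPECIALS
    return OTHER


def char_class_mix(pwds: List[str]) -> Dict[str, int]:
    """Accounts per character-class category (the "Entropy, anyone?" chart)."""
    return dict(Counter(char_class(p) for p in pwds))


def format_mask(pwd: str) -> str:
    """Mask in the slide's notation: U upper, L lower, N digit; S (added here) for anything else."""
    out = []
    for c in pwd:
        if c.isupper():
            out.append("U")
        elif c.islower():
            out.append("L")
        elif c.isdigit():
            out.append("N")
        else:
            out.append("S")
    return "".join(out)


def mask_distribution(pwds: List[str]) -> Dict[str, int]:
    """Passwords per format mask (the "Password formats" chart)."""
    return dict(Counter(format_mask(p) for p in pwds))


def unique_char_distribution(pwds: List[str]) -> Dict[int, int]:
    """Passwords per number of distinct characters (the "# Unique Characters" chart)."""
    return dict(Counter(len(set(p)) for p in pwds))


def shannon_bits(symbols: Iterable[str]) -> float:
    """Shannon entropy in bits of the empirical symbol distribution."""
    counts = Counter(symbols)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def position_entropy(pwds: List[str], case_sensitive: bool = True) -> List[float]:
    """Entropy of the character at each position (Pos 1 first), over passwords long enough to have it.

    case_sensitive=False folds to upper case, modelling LM, which stores passwords
    upper-cased; NTLM keeps case. Using Shannon entropy per column is an assumption
    about how the slide's figures were produced.
    """
    longest = max((len(p) for p in pwds), default=0)
    result = []
    for i in range(longest):
        column = [p[i] if case_sensitive else p[i].upper() for p in pwds if len(p) > i]
        result.append(shannon_bits(column))
    return result


if __name__ == "__main__":
    print("lengths:", length_distribution(SAMPLE))
    print("classes:", char_class_mix(SAMPLE))
    print("masks:", mask_distribution(SAMPLE))
    print("unique chars:", unique_char_distribution(SAMPLE))
    for label, cs in (("LM", False), ("NTLM", True)):
        print(label, [round(h, 2) for h in position_entropy(SAMPLE, cs)])
```

The per-position figures are the diagnostic ones: a policy that only mandates "one upper-case letter and one digit" tends to show high entropy at position 1 and at the tail, and little in between, which is exactly the pattern the format-mask chart makes visible.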

Page 16: Boring password statistics

Password changes

Page 17: Boring password statistics

«Blondes have the…»

Page 18: Boring password statistics

Thank You! ;-)

Questions?