Boring Password Statistics
Per Thorsheim
CISA, CISM, CISSP-ISSAP
Passwords^XX - Archives
http://ftp.ii.uib.no/pub/passwords10/
http://ftp.ii.uib.no/pub/finse2011/
http://ftp.ii.uib.no/pub/passwords11/
«The Exception»
The Exception - #1 (password policy settings)
Minimum length: 3
Change frequency: 90 (days)
Password age: 0
Password history: (not legible in the extracted slide)
Account lockout: 5 attempts
Reset logon count: 30 minutes
Lockout duration: 30 minutes
The Exception - #2
# of accounts: 632
Username = password: 193
Password never expires: 215
No Pwd change > 14m+: 305
The Exception - #3
Entropy, anyone? (NIST SP800-63)
[Chart: Number of Accounts by Password type]
Letters only: 409
Digits only: 9
Letters and Digits: 201
Letters & Specials: 1
Letters, Digits & Specials: 3
The Exception - #4
[Chart: Password Length Distribution, Number of Accounts per password length, with the Minimum Length marked]
2 char: 1
3 char: 21
4 char: 10
5 char: 49
6 char: 254
7 char: 144
8 char: 85
9 char: 23
10 char: 15
11 char: 5
12 char: 9
13 char: 3
14 char: 7
The Exception - #5
RockYou statistics: Second most common password in the world
«176»
176 humans
Up to 24 generations of passwords available
Length distribution
[Chart: password length distribution for lengths 7 to 15, with the minimum length requirement marked]
Per Position Entropy – LM/NTLM
[Chart: entropy per character position, Pos 1 to Pos 14, in two panels: LM (case insensitive) and NTLM (Case Sensitive)]
# Unique Characters (NTLM)
[Chart: number of accounts by count of unique characters in the password, 1 to 13]
Password formats (NTLM)
[Chart: most common password masks, where U = upper-case letter, L = lower-case letter, N = digit]
ULLLLLNN
ULLLLNNN
ULLLLLNNNN
ULLLLNNNN
ULLLLLLLNN
ULLLLLLNNNN
ULLLLLLLNNNN
ULLLNNNN
ULLLLLLLN
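One way to produce the four statistics these slides chart (composition class, length distribution, format mask, and per-position entropy in the LM and NTLM views) from a password set, as an added example that is not the author's tooling; the sample passwords and the mask letters U/L/N/S are constructed assumptions.

```python
from collections import Counter
from math import log2

# Constructed sample standing in for a recovered password set (not real data).
SAMPLE = ["Summer12", "Welcome1", "password", "123456", "Pa$$w0rd",
          "Monday01", "Summer13", "qwerty", "Winter2011", "Summer14"]

def mask(pw):
    """Format mask as in the 'Password formats' chart: U upper, L lower, N digit, S other."""
    return "".join("U" if c.isupper() else "L" if c.islower()
                   else "N" if c.isdigit() else "S" for c in pw)

def composition(pw):
    """Composition class as in the 'Entropy, anyone?' chart ('Other' for the rest)."""
    m = set(mask(pw))
    letters, digits, specials = bool(m & {"U", "L"}), "N" in m, "S" in m
    if letters and not digits and not specials:
        return "Letters only"
    if digits and not letters and not specials:
        return "Digits only"
    if letters and digits and not specials:
        return "Letters and Digits"
    if letters and specials and not digits:
        return "Letters & Specials"
    if letters and digits and specials:
        return "Letters, Digits & Specials"
    return "Other"

def position_entropy(pws, pos, case_sensitive=True):
    """Shannon entropy (bits) of the character at 0-based position pos, over passwords
    long enough to have it; case_sensitive=False models LM, which upper-cases first."""
    chars = [p[pos] if case_sensitive else p[pos].upper() for p in pws if len(p) > pos]
    if not chars:
        return 0.0
    n = len(chars)
    return -sum(c / n * log2(c / n) for c in Counter(chars).values())

def report(pws):
    """All four statistics from the deck for one password set."""
    return {
        "composition": Counter(composition(p) for p in pws),
        "lengths": Counter(len(p) for p in pws),
        "masks": Counter(mask(p) for p in pws),
        "pos_entropy_ntlm": [round(position_entropy(pws, i), 2) for i in range(14)],
        "pos_entropy_lm": [round(position_entropy(pws, i, False), 2) for i in range(14)],
    }

if __name__ == "__main__":
    for key, value in report(SAMPLE).items():
        print(key, value)
```

Comparing the two entropy rows shows how much per-position variety the LM view throws away by folding case, which is the point of the paired LM/NTLM panels above.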
Password changes
«Blondes have the…»
Thank You! ;-)
Questions?