Understanding Password Complexity


A complex password that is enforced by the operating system is one of the most effective ways to reduce the chance of a successful password-guessing attack. When you configure both an expiration time and a minimum length for a password, you limit the time in which an attacker can exhaust the space of possible passwords. For example, when you enforce password complexity with a password length of 6 and set the password to expire in 60 days, each character of the password can be drawn from:

• 26 lowercase characters

• 26 uppercase characters

• 32 special characters

• 10 numbers


This means that:

• 26 + 26 + 32 + 10 = 94 possible characters in a password

• Password length policy = 6

• 94^6 = 689,869,781,056 unique passwords of exactly 6 characters


A 60-day password expiration time is 60 * 86,400 = 5,184,000 seconds. To try every possible 6-character password within that lifetime, a malicious user would have to make about 133,076 (689,869,781,056 / 5,184,000) password attempts every second. On average the correct password is found after searching half of the keyspace, so a malicious user would have to attempt to log on to the computer about 66,538 (133,076 * 0.50) times every second to expect to discover the password before it expires.

To further decrease the chance that a malicious user discovers the password, you can use a password length of 7. When you set the minimum password length to 7, the possible passwords exceed 64 trillion (94^7 = 64,847,759,419,264). Compared with the calculations above for a password length of 6, the malicious user would now have to log on to the computer about 12,509,213 times every second to try every password during the 60-day lifetime, or about 6,254,606 times every second to search half of the keyspace. Each additional character multiplies the attacker's required rate by 94.

The following list shows how increasing password length raises the cost of a brute force attack. Note that the examples in this list assume that you have applied a policy that requires users to create complex passwords, so that there are 94 possible characters from which users can choose each character of their password. The counts are for passwords of exactly the stated length, and they assume the attacker must guess uniformly at random; a dictionary attack against a poorly chosen password needs far fewer attempts, which is why the complexity requirement and the length requirement are applied together.

• 6 characters: 94^6 = 689,869,781,056

• 7 characters: 94^7 = 64,847,759,419,264

• 8 characters: 94^8 = 6,095,689,385,410,816

• 9 characters: 94^9 = 572,994,802,228,616,704

• 10 characters: 94^10 = 53,861,511,409,489,970,176