Well-known corporate security consultant Roger Grimes said that he was tired of repeatedly explaining during presentations the basic factors that determine the strength of the password policy an organization adopts. He keeps having to explain why eight characters are not enough for a reliable password and which other factors help an attacker guess a password efficiently. To simplify the task and demonstrate the weakness of the average password policy, Grimes created an Excel spreadsheet (ZIP) that takes all of these factors into account: the range of allowed characters, the password length, the number of guesses per minute an attacker can make, the maximum number of days before the password must be changed, and the entropy model.
The calculator shows how many days an average attacker would need to guess a password under the given conditions, how many combinations are theoretically possible, and how many of them are realistic (taking real entropy into account). For example, in the default scenario with 94 allowed characters, a password length of 8 characters and the NIST entropy model, the theoretical number of passwords exceeds 6 quadrillion, but the number of probable passwords under the real-entropy assumption is only 16.8 million. To exhaust that space within the allowed password-change window, an attacker needs a guessing rate of only 64.7 passwords per minute.
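The following Python script is an added example, not Grimes's spreadsheet and not a file from the article; it reproduces the arithmetic the text describes so a defender can check a policy without the workbook. It assumes the per-character schedule of NIST SP 800-63-1 Appendix A for the entropy model, omits that appendix's dictionary-check bonus, and assumes a 180-day password-change window, which is the value that yields the 64.7 guesses-per-minute figure quoted above; the 94-character, length-8 scenario is the article's default.

```python
import math

MINUTES_PER_DAY = 24 * 60


def keyspace(charset_size: int, length: int) -> int:
    """Theoretical number of distinct passwords: every position may hold any allowed character."""
    return charset_size ** length


def nist_entropy_bits(length: int, composition_rules: bool = True) -> float:
    """Estimated entropy of a user-chosen password.

    Follows the per-character schedule of NIST SP 800-63-1 Appendix A
    (assumption of this example): first character 4 bits, characters 2-8
    two bits each, characters 9-20 1.5 bits each, every character beyond 20
    one bit, plus a 6-bit bonus when composition rules require upper-case and
    non-alphabetic characters. The appendix's dictionary-check bonus is
    deliberately omitted here (simplifying assumption).
    """
    if length <= 0:
        return 0.0
    bits = 4.0
    bits += 2.0 * min(length - 1, 7)
    if length > 8:
        bits += 1.5 * min(length - 8, 12)
    if length > 20:
        bits += 1.0 * (length - 20)
    if composition_rules:
        bits += 6.0
    return bits


def probable_passwords(bits: float) -> int:
    """Size of the realistic search space implied by the entropy estimate."""
    return round(2 ** bits)


def required_rate_per_minute(candidates: int, max_days: float) -> float:
    """Guesses per minute needed to try every candidate before the password is rotated."""
    return candidates / (max_days * MINUTES_PER_DAY)


def days_to_exhaust(candidates: int, rate_per_minute: float) -> float:
    """Days needed to try every candidate at the given guessing rate."""
    return candidates / (rate_per_minute * MINUTES_PER_DAY)


def policy_report(charset_size: int, length: int, rate_per_minute: float,
                  max_days: float, composition_rules: bool = True) -> dict:
    """Evaluate one password policy the way the article's calculator does:
    theoretical keyspace, entropy-adjusted keyspace, time to exhaust each,
    and whether the rotation window actually outpaces the attacker."""
    theoretical = keyspace(charset_size, length)
    bits = nist_entropy_bits(length, composition_rules)
    probable = probable_passwords(bits)
    days_probable = days_to_exhaust(probable, rate_per_minute)
    return {
        "theoretical_passwords": theoretical,
        "entropy_bits": bits,
        "probable_passwords": probable,
        "days_theoretical": days_to_exhaust(theoretical, rate_per_minute),
        "days_probable": days_probable,
        "rate_needed_before_rotation": required_rate_per_minute(probable, max_days),
        "rotation_outpaces_attacker": days_probable > max_days,
    }


if __name__ == "__main__":
    # Constructed scenario: the article's default (94 characters, length 8, NIST entropy)
    # with an assumed 180-day rotation and an assumed 1,000 guesses per minute.
    report = policy_report(94, 8, rate_per_minute=1000, max_days=180)
    for key, value in report.items():
        print(f"{key:30} {value:,.2f}" if isinstance(value, float) else f"{key:30} {value}")
```

The interesting output is the gap between `days_theoretical` and `days_probable`: the 94^8 keyspace looks unassailable at any realistic rate, while the 2^24 entropy-adjusted space falls in a couple of weeks at 1,000 guesses per minute, so the 180-day rotation never outpaces the attacker. Raising `length` in `policy_report` shows how quickly the entropy estimate, and hence the required rate, grows.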
According to the author, this is the first calculator that computes not the theoretical but the practical speed of breaking password protection.