Why do I need to change my password

Page 2

Jeff7181

Lifer
Aug 21, 2002
Almost EVERY SINGLE instance of Active Directory in existence does this. The admin can check the box that says "password never expires" on anyone's password. That is circumventing the password policy.

As for brute force: resetting passwords IS the way of preventing brute force. It would take a computer EONS just to break the password P@$$word4231, but as was already mentioned, the password would have been changed by the time it would have been cracked by any means, whether it be rainbow charts, birthday attacks, dictionary attacks OR brute force, and be obsolete.

IMO it would be so much easier to use social engineering to gain access to a system rather than trying to gain access through a firewall or VPN solution. I'm trying to get my office to implement a "no tell" policy to prevent this very thing. If we need to work on someone's machine we just ask for the password and they give it to us, no questions asked. ANYONE could pose as an IT person via phone or even in person; the enterprise is big enough, with enough IT contractors coming and going, that someone could get access pretty easily with a flippant line like "Hey, I need to correct some errors we've been seeing on your machine, give me your password and I'll take care of it later today". The person will hand over the password without a second thought.

If a no tell policy was in place where we say NO ONE... not even IT, under ANY circumstances, will ever ask for your password... then the same question throws up a red flag to that employee and the imposter should be outed. Sorry, tangent there...

Point is, it isn't completely pointless to change passwords in any case. The human factor is a factor with any security policy.

Active Directory may allow it, but that doesn't mean that setting shouldn't get corrected during an audit. I used to work for a company that would run multiple automated daily checks for such things, correct them and report on it. If I'm not mistaken, this sort of thing is required to be PCI compliant. That company even went a step further and would audit those types of settings changes to find out who changed it, so they could take corrective action if a particular person was found to be repeatedly/knowingly changing settings that took the company out of compliance.

A no tell policy should be a given. That's a smart move to put that into place, because it should have been in place already. To me, it's utterly ridiculous that anyone should tell anyone else their password for any reason. If someone needs access to someone else's account, the password should be reset to a temporary password during troubleshooting or whatever is going on, then reset again once the activity is over with. During the transition, you should test the employees, too. Ask for their password sometime and report to their boss whether or not they handed it over, and let their boss ream them a new one if they give it up.
 

Paperlantern

Platinum Member
Apr 26, 2003
How long would brute force take to crack an 8 char password if you are locked out after 3 or 4 attempts?
This of course would also hinge on how long the lockout is for; let's assume for this example that the lockout is for only 1 second and comes after 4 attempts, each of which takes 1 second. So each 4 attempts takes 5 seconds. Brute force is trying every combination of characters for a given password. Longer passwords are obviously harder to brute force, and of course it slows the process considerably NOT knowing the length; you have to try everything starting at a certain length (the minimum, if known) and just try everything. For this example let's say the minimum and maximum length is 8 chars. Just to dumb it down a little further we will limit our character set to only the 26 letters, numbers and the symbols on the number keys. There are other symbols, but just for this example we'll try to keep it simple. In a case sensitive environment that would be 72 character possibilities (upper and lower case letters, the 10 numbers and 10 symbols). 72 to the 8th power then, or 722,204,136,308,736, or roughly 722 trillion possibilities. Let's say we get lucky (REALLY lucky) and we crack the password on only the 4 trillionth try (that's not even 1% of the way through all the possible combinations yet). 4 trillion tries in our scenario will take 5 trillion seconds because of the lockout; that converts to about 1,388,888,888 hours, or 57,870,370 days... amounting to roughly 158,440 years. But this is a very slow example based on a situation WITH a lockout and the limitations of having to input the passwords over a network connection, trying to get into a live machine that is on a domain.

Again, in this scenario we are doing one attempt per second; even a desktop computer could try more passwords than that in a second, but this brings into play that we would now have to have access to the hive file that contains the password, not just attempting it over the network. This would be a MUCH faster way of doing it and can be attacked as quickly as hardware will allow; however, even if we increased the number of attacks per second WITHOUT lockout (because it's not subject to that now that it's offline and fully available to the attacker), the time still stays relatively long. Now we get 5 every 5 seconds instead of 4, which lands us at 126,839 years. If we do 10 per second it should take us a tenth the time... so 12,683.9 years... 10 times again, another tenth the time, and so on:
100 guesses/sec = 1,268.39 Years
1,000 guesses/sec = 126.83 Years
10,000 guesses/sec = 12.68 Years
100,000 guesses/sec = 1.26 Years
1,000,000 guesses/sec = 0.126 Years

Finally, in the 1 million guesses a second range we have a number we can work with: 0.126 years (roughly), which is below most standard 60 and 90 day password reset policies, at about 46 days. But at what cost? All passwords can be cracked by brute force, but the hardware to crack them fast enough costs too much or doesn't exist, which then starts to move back towards the impossible or at least implausible. The ROI isn't worth it to crack one password in an organisation that might yield a few hundred thousand bucks in stolen information when the computer necessary to crack the password fast enough costs 10 million dollars. If passwords were never reset, slower machines could be given a few years to chew on a password and maybe get somewhere. Hence, we reset them. All arbitrary numbers here, but that's the basic idea.

Active Directory may allow it, but that doesn't mean that setting shouldn't get corrected during an audit. I used to work for a company that would run multiple automated daily checks for such things, correct them and report on it. If I'm not mistaken, this sort of thing is required to be PCI compliant. That company even went a step further and would audit those types of settings changes to find out who changed it, so they could take corrective action if a particular person was found to be repeatedly/knowingly changing settings that took the company out of compliance.

A no tell policy should be a given. That's a smart move to put that into place, because it should have been in place already. To me, it's utterly ridiculous that anyone should tell anyone else their password for any reason. If someone needs access to someone else's account, the password should be reset to a temporary password during troubleshooting or whatever is going on, then reset again once the activity is over with. During the transition, you should test the employees, too. Ask for their password sometime and report to their boss whether or not they handed it over, and let their boss ream them a new one if they give it up.

Yeah, it's something that falls into the "what a pain in the rear" category, both for the admin and the user, but it can't be helped; in order to prevent attacks like that, you HAVE to have a rule like this in place. I'm currently working towards CASP and CISSP certification. I'm thinking once I achieve one or both, they might actually start to implement some of the stuff I suggest. heh.
 
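Paperlantern's post above works the numbers by hand: a 72-character alphabet, 8-character passwords, an online attacker slowed by a lockout after every 4 attempts, and an offline attacker limited only by guess rate. The script below is an added example (not code from the thread or from AnandTech) that reproduces that model as functions so the figures can be re-run with other alphabets, lengths, lockout settings and rotation windows. It also answers the defender's version of the question the post is circling: what fraction of the keyspace an offline attacker at a given rate can cover before a 60 or 90 day rotation retires the password. The year is taken as 365.25 days, which is the assumption that makes the post's "roughly 158,440 years" come out; the 4 trillion guesses, the 1 second per attempt and the 1 second lockout are the post's own example values, not measured ones.

```python
"""Time-to-crack model for the brute-force discussion in the thread (added example)."""

SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY  # assumption: 365.25-day year


def keyspace_size(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` over a charset."""
    return charset_size ** length


def online_attack_seconds(guesses: int, attempts_before_lockout: int,
                          seconds_per_attempt: float, lockout_seconds: float) -> float:
    """Wall-clock time for `guesses` attempts against a live logon with lockout.

    Every full block of `attempts_before_lockout` guesses costs the attempt time
    plus one lockout period (the post's "4 attempts take 5 seconds" model);
    a trailing partial block costs only its attempt time.
    """
    full_blocks, remainder = divmod(guesses, attempts_before_lockout)
    block_cost = attempts_before_lockout * seconds_per_attempt + lockout_seconds
    return full_blocks * block_cost + remainder * seconds_per_attempt


def offline_attack_seconds(guesses: int, guesses_per_second: float) -> float:
    """Time for `guesses` attempts against a captured hash, no lockout."""
    return guesses / guesses_per_second


def years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def days(seconds: float) -> float:
    return seconds / SECONDS_PER_DAY


def keyspace_fraction_searchable(charset_size: int, length: int,
                                 guesses_per_second: float, window_days: float) -> float:
    """Share of the keyspace an offline attacker can enumerate before a
    rotation policy of `window_days` retires the password (capped at 1.0)."""
    total = keyspace_size(charset_size, length)
    return min(1.0, guesses_per_second * window_days * SECONDS_PER_DAY / total)


def crack_years_by_rate(guesses: int, rates: list[float]) -> dict[float, float]:
    """Offline crack time in years at each guess rate, the post's table as data."""
    return {rate: years(offline_attack_seconds(guesses, rate)) for rate in rates}


if __name__ == "__main__":
    # Constructed inputs taken from the post's example: 72-char alphabet, length 8,
    # success on the 4-trillionth guess, 1 s per attempt, 1 s lockout after 4 tries.
    CHARSET, LENGTH, LUCKY_GUESS = 72, 8, 4_000_000_000_000
    total = keyspace_size(CHARSET, LENGTH)
    print(f"keyspace: {total:,} ({LUCKY_GUESS / total:.2%} searched at success)")

    online = online_attack_seconds(LUCKY_GUESS, 4, 1.0, 1.0)
    print(f"online with lockout: {years(online):,.0f} years")

    for rate, yrs in crack_years_by_rate(LUCKY_GUESS, [1, 10, 100, 1e3, 1e4, 1e5, 1e6]).items():
        print(f"offline at {rate:>12,.0f} guesses/sec: {yrs:,.3f} years")

    fast = offline_attack_seconds(LUCKY_GUESS, 1e6)
    print(f"offline at 1e6/sec: {days(fast):.1f} days")
    for window in (60, 90):
        frac = keyspace_fraction_searchable(CHARSET, LENGTH, 1e6, window)
        print(f"{window}-day rotation, 1e6/sec: {frac:.2%} of keyspace reachable")
```

The last loop is the number a defender actually wants from this model: at a million guesses a second, a 90 day rotation lets an offline attacker enumerate only about 1% of the 72^8 keyspace before the password changes, which is the post's argument for rotation stated as a coverage fraction rather than as a lucky-guess anecdote. Changing `CHARSET` and `LENGTH` shows how quickly that fraction collapses for longer passwords.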