Well, I was wandering around with an 80% dictionary attack number stuck in my head (too many l0phtcrack reports, perhaps), when I decided to see if I could actually find some published data.
There are a few minor articles that say a 30% dictionary-attack success rate is typical, with 5-10% for username attacks, but they never produce a breakdown to make their numbers compelling, let alone convincing.
Then I happened to find a paper by Daniel Klein, originally for the United Kingdom Unix User’s Group in 1990, called “Foiling the Cracker: A Survey of, and Improvements to, Password Security”:
13,797 accounts from around the world were tested. Pages seven and eight give a breakdown of the passwords by type and by length:
“The results are quite disheartening. The total size of the dictionary was only 62,727 words (not counting various permutations). This is much smaller than the 250,000 word dictionary postulated at the beginning of this paper, yet armed even with this small dictionary, nearly 25% of the passwords were cracked!”
Type of password        Percentage
User name                2.7%
Common name              4.0%
Female names             1.2%
Phrases and patterns     1.8%
Dictionary words         7.4%
And so on…
Length         Count   Percentage
6 characters   1160    34.7%
7 characters    813    24.4%
8 characters    780    23.4%
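As an added illustration, not code from Klein's paper or from this post's author, here is a small proactive checker in the spirit of the paper's "Improvements" section: it flags a password by the same categories as the breakdown above (user name, common name, dictionary word, phrases and patterns) and tallies the two tables the paper reports, category counts against all accounts and lengths of the flagged passwords. The word lists, the added eight-character length rule and the sample accounts are all constructed for the example.

```python
import re
from collections import Counter

# Constructed stand-ins for a real word list (Klein's had 62,727 entries).
DICTIONARY = {"password", "secret", "dragon", "monkey", "letmein", "welcome"}
COMMON_NAMES = {"john", "mary", "susan", "michael", "jennifer"}
MIN_LENGTH = 8  # the eight-character minimum the post mentions

def _variants(word):
    """Cheap permutations a dictionary pass would also try."""
    yield word
    yield word[::-1]                             # reversed
    stripped = re.sub(r"^\d+|\d+$", "", word)    # leading/trailing digits removed
    if stripped != word: yield stripped
    yield word.translate(str.maketrans("0134$@!", "oleasai"))  # undo digit-for-letter swaps

def classify(password, username, dictionary=DICTIONARY, names=COMMON_NAMES):
    """Return the Klein-style category that makes the password guessable, else None."""
    pw = password.lower()
    candidates = set(_variants(pw))
    if {username.lower(), username.lower()[::-1]} & candidates:
        return "user name"
    if candidates & names:
        return "common name"
    if candidates & dictionary:
        return "dictionary word"
    if re.fullmatch(r"(.)\1+|\d+|(?:abc|qwe|123)\w*", pw):  # repeats, all digits, keyboard runs
        return "phrases and patterns"
    if len(password) < MIN_LENGTH:
        return "too short"
    return None

def audit(accounts):
    """Tally categories (% of all accounts) and lengths of flagged passwords (% of flagged)."""
    cats, lengths = Counter(), Counter()
    for user, pw in accounts:
        cat = classify(pw, user)
        if cat:
            cats[cat] += 1
            lengths[len(pw)] += 1
    flagged = sum(cats.values())
    pct = lambda c, n: {k: (v, round(100.0 * v / n, 1)) for k, v in c.items()}
    return pct(cats, len(accounts)), pct(lengths, flagged or 1)

# Constructed sample accounts, not data from the paper or from the author's audits.
SAMPLE_ACCOUNTS = [
    ("alice", "alice"), ("bob", "drowssap"), ("carol", "Dragon1"), ("dave", "susan"),
    ("erin", "qwerty12"), ("frank", "Zq7!mP2#wT"), ("grace", "aaaaaaa"), ("heidi", "x9Kp!z"),
]
```

Run `audit(SAMPLE_ACCOUNTS)` to get the two tables as `{key: (count, percent)}` dictionaries; only the `frank` entry survives every rule.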
I find the numbers on character length surprising since they seem very similar to what I encounter today. Best practices have struggled to get beyond the six characters mark for years (partly due to system limitations, but mostly due to user resistance to an eight character minimum).
Thus, before we can draw too many conclusions about length we have to consider the relationship between the age of the systems, the experience of the administrators, and the skill of the users.
An excellent paper. I highly recommend it, especially since it underscores the extant body of knowledge regarding password cracking. And yes, I am serious about the 80% number I mentioned, but my data is much more recent than 1990. People are usually so embarrassed/scared by their own data that I will have to be extremely careful with how/where/when I present detailed findings, but I also feel that someone has to step up and try to establish a new baseline. What should be considered “reasonable”?