assurance - RE: [Assurance] Password scheme design tool...

  • From: "Thomas P. Callaci" <>
  • To:
  • Subject: RE: [Assurance] Password scheme design tool...
  • Date: Tue, 13 Dec 2011 16:36:09 -0600
  • Organization: University of Wisconsin - Madison

My apologies to everyone.
The Excel doc last sent out was not the fully functional version.
Also, I mixed up my audiences and sent too little information in the first
The tool is handy and I'm a nice guy, so I hope you give both a second

My original goal for creating the tool remains true - to allow/cause
PRODUCTIVE conversations toward agreement of a parameter set for the needs
of a given organization and their desired LOA (1 or 2).

The idea is a room full of people ready to argue why passwords can't be x
characters longer or why y number of days is too short between changes etc.
Open the Entropenator and start using the sliders to meet the "business
needs" or campus requirements. (See attached MSWord doc for some examples)
I often say "We can use the Entropenator to avoid political-religious,
passionate but non-productive, debates."
Two formats are available in the workbook. One for user selected password.
And another for passwords chosen at random and assigned to the user. (In
which case the min-entropy and guessing entropy are equal.)
My original is the sheet "94 characters." Some folks are used to this
format so I have left it in there.
**The assumption is that your systems allow the use of any of 94 characters
on a keyboard.**
Each table shows, BY COLOR, if you hit LOA1 or 2 for a given password
length, taking into account the lockout time, # of failed guesses and
password lifetime.
These last three parameters change as you use the sliders in columns b, c
and d.

*The first table - no bonuses. You just allow anything to be used.
*The second table - some bonuses, my best estimate of how much bonus based
on reading NIST SP800-63 over and over. You have some variety of complexity
rules, similar to those we may see in an Active Directory setup.
*Third table - all that plus a 50,000+ word dictionary check. All entries
in the dictionary MUST be passwords that DO follow the complexity rules and
are now forbidden because they are too easy to guess.

(The 10-characters sheet follows a similar structure. It was made for
someone who was dealing with a voice mail system and only 10 characters.)

-----Random(Non-User) ----
This newer version sheet is a different format both for sliders and colors:
You set your # of characters in cell O5. It is currently set at 95.
H (as discussed in NIST SP 800-63 ) is presented in column Q for those
Now, you have sliders for
Lockout column B
# of guesses C
Lifetime D
And password length in L

For the current example,
8 Characters, from 95 possible
15 minutes lockout
42 guesses before lockout
10 years life time before change forced

The approx. 53 bits of entropy far exceed what is required by LOA2 (the green
shaded numbers).

On this sheet, off to the side is another little tool to help with
discussions of how long before LOA needs to be decremented if an online
attack runs at x guesses/second. Depending on the location of the attacker,
anything from 0.1 to 128 guesses/second is within reason. This tool offers
a scale of 1-128 gps.


P.S. in future versions, I'll have one table with variable password lengths
and complexity bonuses. Like NIST, I'm happy to share, but not staffed for
the whole support thing. :)

Thomas P. Callaci
Information Security Risk Analyst
Office of Campus Information Security
University of Wisconsin - Madison
1210 W. Dayton Street
Madison, WI 53706


-----Original Message-----

On Behalf Of David Bantz
Sent: Tuesday, December 13, 2011 3:22 PM
Thomas P. Callaci
Subject: Re: [Assurance] Password scheme design tool...

A nice presentation. "Entropenator" does not contain the "bonuses"
in the older CommonCAP spreadsheet for prohibiting use of
username, recurring characters, and simple strings.
Is that a decision to deprecate those sources of entropy
or just a simplification?

David Bantz

On Tue, 13 Dec 2011, at 09:30 , Thomas P. Callaci wrote:

> I can humbly offer my Excel doc.
> One sheet with "sliders" for user selected passwords and a different sheet
> for "randomly chosen & assigned" passwords.
> This is my latest rev. All versions are "beta". :)
> Tom
> Thomas P. Callaci
> Information Security Risk Analyst
> Office of Campus Information Security
> University of Wisconsin - Madison
> 1210 W. Dayton Street
> Madison, WI 53706

Attachment: entropenator_expanded-draft2.xlsx
Description: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet

Attachment: A Study of various combinations of password rule parameters v3.docx
Description: application/vnd.openxmlformats-officedocument.wordprocessingml.document
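
Added example, not part of the original message or of the Entropenator workbook: a Python sketch of the randomly-assigned-password calculation described above, run on the message's sample parameters (8 characters from 95, 15-minute lockout, 42 guesses, 10-year lifetime). It assumes the attacker uses every guess in every lockout window, that 10 years is 3650 days, and the NIST SP 800-63 online-guessing bounds of 1 in 1024 (Level 1) and 1 in 16,384 (Level 2); the function names are hypothetical and the workbook's own formulas may differ.

```python
import math

# Maximum probability that online guessing succeeds over the password
# lifetime, per NIST SP 800-63: 1 in 1024 (Level 1), 1 in 16384 (Level 2).
LOA_MAX_GUESS_PROB = {1: 2.0 ** -10, 2: 2.0 ** -14}


def random_password_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: H = length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def lifetime_guesses(lockout_minutes, guesses_per_lockout, lifetime_days):
    """Worst case: the full guess budget is spent in every lockout window."""
    if lockout_minutes <= 0:
        raise ValueError("lockout must be positive or guessing is unthrottled")
    windows = lifetime_days * 24 * 60 / lockout_minutes
    return windows * guesses_per_lockout


def highest_loa(entropy_bits, guesses):
    """Highest LOA (2 or 1) whose guessing bound is met, or 0 if neither is."""
    p_success = min(1.0, guesses / 2.0 ** entropy_bits)
    for level in (2, 1):
        if p_success <= LOA_MAX_GUESS_PROB[level]:
            return level
    return 0


def days_until_loa_lost(entropy_bits, level, guesses_per_second):
    """Days of sustained guessing at a fixed rate before the bound is exceeded."""
    allowed_guesses = LOA_MAX_GUESS_PROB[level] * 2.0 ** entropy_bits
    return allowed_guesses / guesses_per_second / 86400


if __name__ == "__main__":
    # Sample parameters taken from the message; 3650 days is an assumption.
    h = random_password_entropy_bits(8, 95)
    g = lifetime_guesses(15, 42, 3650)
    print(f"entropy: {h:.2f} bits, lifetime guesses: {g:,.0f}")
    print(f"highest LOA met: {highest_loa(h, g)}")
    for gps in (1, 16, 128):
        days = days_until_loa_lost(h, 2, gps)
        print(f"{gps:>3} guesses/s: LOA2 bound holds for about {days / 365:,.0f} years")
```

This covers only the randomly assigned case, where min-entropy and guessing entropy are equal; the complexity and dictionary bonuses for user-selected passwords are not modelled.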
