This shows you the differences between two versions of the page.
|
passwdqc:rockyou [2013/05/05 02:46] solar added more data points, dropped the WolframAlpha query |
passwdqc:rockyou [2013/05/05 02:57] (current) solar removed 50k, added 300k and 3M |
||
|---|---|---|---|
| Line 11: | Line 11: | ||
| | Tested | Permitted | % of tested | | | Tested | Permitted | % of tested | | ||
| | 10,000 | 0 | 0% | | | 10,000 | 0 | 0% | | ||
| - | | 50,000 | 6 | 0.012% | | + | | 30,000 | 4 | 0.013% | |
| | 100,000 | 18 | 0.018% | | | 100,000 | 18 | 0.018% | | ||
| - | | 1,000,000 | 2,273 | 0.2273% | | + | | 300,000 | 166 | 0.055% | |
| + | | 1,000,000 | 2,273 | 0.227% | | ||
| + | | 3,000,000 | 43,175 | 1.439% | | ||
| | 10,000,000 | 290,991 | 2.910% | | | 10,000,000 | 290,991 | 2.910% | | ||
| | 14,344,391 | 494,291 | 3.446% | | | 14,344,391 | 494,291 | 3.446% | | ||
| Line 22: | Line 24: | ||
| | Tested | Permitted | % permitted | | | Tested | Permitted | % permitted | | ||
| | 10,000 | 0 | 0% | | | 10,000 | 0 | 0% | | ||
| - | | 50,000 | 13 | 0.026% | | + | | 30,000 | 7 | 0.023% | |
| | 100,000 | 35 | 0.035% | | | 100,000 | 35 | 0.035% | | ||
| - | | 1,000,000 | 2,333 | 0.2333% | | + | | 300,000 | 199 | 0.066% | |
| + | | 1,000,000 | 2,333 | 0.233% | | ||
| + | | 3,000,000 | 43,399 | 1.447% | | ||
| | 10,000,000 | 291,622 | 2.916% | | | 10,000,000 | 291,622 | 2.916% | | ||
| | 14,344,391 | 495,577 | 3.455% | | | 14,344,391 | 495,577 | 3.455% | | ||
| Line 31: | Line 35: | ||
| ===== What does this mean? ===== | ===== What does this mean? ===== | ||
| - | The very small percentages of permitted passwords for top 100,000 and top 1,000,000 are good: they indicate that the policy is working well, preventing those common and thus weak passwords from being set. The substantial increase in percentages of permitted passwords between 100,000 and 1,000,000, and between 1,000,000 and 10,000,000 are also good, indicating that less common passwords are indeed also less trivial and harder to crack, as far as passwdqc can estimate. What's not so good, although is mostly not passwdqc's fault, is that the percentage stays rather low even for the entire RockYou list. This means that among passwords that people like to choose there are few that are good enough, at least as far as passwdqc can estimate. | + | The very small percentages of permitted passwords for top 100,000 and top 1,000,000 are good: they indicate that the policy is working well, preventing those common and thus weak passwords from being set. The substantial increase in percentages of permitted passwords between 100,000 and 1,000,000, and between 1,000,000 and 10,000,000 are also good, indicating that less common passwords are indeed also less trivial and are harder to crack, as far as passwdqc can estimate. What's not so good, although is mostly not passwdqc's fault, is that the percentage stays rather low even for the entire RockYou list. This means that among passwords that people like to choose there are few that are good enough, at least as far as passwdqc can estimate. |
| Presumably, people actually wanted to set those passwords, and passwdqc's default policy only permits for a small minority of the passwords to be set. Thus, most people would probably consider the policy to be very strict and maybe annoying. This suggests that for typical uses there's hardly any room to make the policy even stricter. Given the results of [[http://www.openwall.com/lists/john-users/2011/02/20/2|testing on KoreLogic's DEFCON 2010 contest passwords]], we can also say that there's little or no room to relax the policy while not allowing a significant percentage of easily crackable passwords to pass. | Presumably, people actually wanted to set those passwords, and passwdqc's default policy only permits for a small minority of the passwords to be set. Thus, most people would probably consider the policy to be very strict and maybe annoying. This suggests that for typical uses there's hardly any room to make the policy even stricter. Given the results of [[http://www.openwall.com/lists/john-users/2011/02/20/2|testing on KoreLogic's DEFCON 2010 contest passwords]], we can also say that there's little or no room to relax the policy while not allowing a significant percentage of easily crackable passwords to pass. | ||