# Excel password strength calculator

Roger Grimes , a well-known corporate security consultant , says he is tired of constantly explaining during the presentations the basic factors that influence the security of the organization’s password policy. He constantly explains why eight characters are not enough for password strength and what other factors can help an attacker to efficiently pick up a password. To simplify his task and demonstrate the weakness of the average password policy, Grimes compiled an Excel spreadsheet ( ZIP ), which took into account all factors: the range of valid characters, password length, the number of options per minute that an attacker can try, the maximum number of days before changing a password, entropy model.

The calculator shows how many days on average an attacker will need to pick up a password under given conditions, how many possible combinations exist at all and how many of them are real (taking into account real entropy). For example, in the default example with 94 characters and a password length of 8 characters with NIST entropy, the theoretical possible number of passwords exceeds 6 quadrillion, but the number of likely passwords taking into account the assumption of real entropy is only 16.8 million. To crack such protection for an acceptable amount days you need to be able to set the rate of selection of only 64.7 passwords per minute.

According to the author, this is the first calculator that calculates not the theoretical, but the practical speed of breaking password protection.

The calculator shows how many days on average an attacker will need to pick up a password under given conditions, how many possible combinations exist at all and how many of them are real (taking into account real entropy). For example, in the default example with 94 characters and a password length of 8 characters with NIST entropy, the theoretical possible number of passwords exceeds 6 quadrillion, but the number of likely passwords taking into account the assumption of real entropy is only 16.8 million. To crack such protection for an acceptable amount days you need to be able to set the rate of selection of only 64.7 passwords per minute.

According to the author, this is the first calculator that calculates not the theoretical, but the practical speed of breaking password protection.