Is there a standard method of proving password security to non-mathematicians?

Solution 1:

Using fail2ban with the iptables is a great way.

Here is the math for you:

Mixed upper and lower case alphabet and common symbols, 8 characters long, gives you 2.9 quadrillion combinations and with 10,000 attempts a second will take 9,488 years. That's the maximum of course - expect your password to be cracked in 4000 years. 1000 years if you're not feeling lucky.

As you can see, you shouldn't have any issues if you do a 15 character password like:

dJ&3${bs2ujc"qX

Solution 2:

In addition to fail2ban,

If you're running any modern UNIX, you can generally change the bad password entry sleep time to up to 5 seconds, slowing the attack speed by 2000%. [Solaris 10 has it in /etc/default/login, search for SLEEPTIME] Using the same tolerances, that would mean you could rotate the password every 3hrs 20 minutes.

Also, password tries before lockout would be a viable option, but I suspect it is not for you because you have multiple users sharing one account and do not want it locked out all the time.

Requiring a 12-15 character password helps, but if you are continually being attacked another solution is probably better. I don't know what your company's budget tolerance on this is, but RSA key cards for everyone who needs to log into that account would solve it as well. Two factor authentication pushes the probability out into quantum computing time.

The brute force approach going on long enough for you to post on this board is pretty surprising. Generally speaking it's pretty lowbrow and at best is a log filler while a real attack is going on.
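A worked version of the arithmetic in both answers above, added here as an example; it is not part of either poster's reply. It assumes an 86-symbol alphabet (my assumption, chosen because 86^8 reproduces the 2.9 quadrillion / 9,488-year figure at 10,000 guesses a second and a 365-day year) and models the per-failure sleep as limiting each login session to one guess per sleep interval. The `connections` parameter is a hypothetical knob, not anything from the page: it shows that a sleep alone only slows each session, so an attacker who opens many sessions recovers the original rate, which is why a per-source block such as fail2ban is the piece that actually caps the guess rate.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600  # 365-day year, matches the answer's 9,488 figure

# Assumed alphabet size: upper + lower case letters, digits and common symbols.
# 86 is chosen because 86**8 lands on the ~2.9 quadrillion quoted above.
ASSUMED_ALPHABET = 86


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits, the figure most people quote instead of the raw count."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case for the attacker: every candidate tried at the given rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def expected_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """On average a correct guess turns up halfway through the keyspace."""
    return years_to_exhaust(alphabet_size, length, guesses_per_second) / 2


def throttled_rate(base_rate: float, sleep_seconds: float, connections: int = 1) -> float:
    """Effective guess rate once each failed attempt costs `sleep_seconds` per session.

    Hypothetical model: one session can make at most 1/sleep_seconds guesses per
    second, so N parallel sessions reach N/sleep_seconds, never above base_rate.
    This is the caveat behind the sleep-time advice: it slows a single session,
    it does not bound an attacker who opens many sessions in parallel.
    """
    if sleep_seconds <= 0:
        return base_rate
    return min(base_rate, connections / sleep_seconds)


def report(length: int, guesses_per_second: float = 10_000, sleep_seconds: float = 0.0,
           connections: int = 1, alphabet_size: int = ASSUMED_ALPHABET) -> dict:
    """Summarise one scenario so the numbers can be shown side by side."""
    rate = throttled_rate(guesses_per_second, sleep_seconds, connections)
    return {
        "length": length,
        "bits": round(entropy_bits(alphabet_size, length), 1),
        "keyspace": keyspace(alphabet_size, length),
        "rate_per_second": rate,
        "max_years": years_to_exhaust(alphabet_size, length, rate),
        "expected_years": expected_years(alphabet_size, length, rate),
    }


if __name__ == "__main__":
    # Scenario from Solution 1: 8 characters, 10,000 guesses a second.
    print(report(8))
    # Solution 2's 5-second sleep against a single session.
    print(report(8, sleep_seconds=5.0))
    # Same sleep, but the attacker spreads guesses over many sessions:
    # the throttle is recovered, which is what a per-source block is for.
    print(report(8, sleep_seconds=5.0, connections=50_000))
    # The 15-character password suggested in Solution 1.
    print(report(15))
```

Reading the output: the 8-character case gives roughly 51 bits and about 9,488 years at 10,000 guesses a second; a 5-second sleep cuts a single session to 0.2 guesses a second, but 50,000 parallel sessions get the full rate back, and the 15-character password pushes the worst case out by tens of orders of magnitude regardless of rate.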