Password Cracking and Guessing

Discussion in 'Software' started by DOA, Dec 28, 2012.

  1. DOA

    DOA MG's Loki

    I was reading at Ars Technica about gpu-cluster-cracks-every-standard-windows-password-in-6-hours (cannot post a link for some reason)
    and thinking that is all well and good, but how long will it take to use all those guesses?
    How many passwords per second will the system being attacked accept?

    The logical thinking must be wrong - accepting an attempt every 15 seconds from any single IP for a server OS and a flat one try every 15 seconds from anywhere for a non-server OS would render brute force attempts futile due to the time required. Or is this simple security idea impossible?

    How many logins per second will my Windows 7 Pro at home accept when accessed remotely? I have been unable to find the answer.
     
  2. cipher

    cipher Major Geek Extraordinaire

    The article does state that: "The technique doesn't apply to online attacks, because, among other reasons, most websites limit the number of guesses that can be made for a given account."

    Also note that the machine was working against 8 character passwords. After you have included a number, an upper case character and a special symbol, password length is the factor that protects you.

    One source I use to test passwords (Assuming one hundred trillion guesses per second) indicates that an 8 character password like P@ssw0rd could be cracked in 1.12 minutes. Note this password has the 3 things covered...

    Change that password to P@ssw0rd12345678 and the time shoots up to something like 1.41 hundred million centuries.
     
    Last edited: Dec 28, 2012
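
Added example (not part of any post in this thread): a worst-case exhaustive-search estimate for the two passwords above, at the offline rate quoted in the post and at the one-try-per-15-seconds throttle proposed in the first post. The counting model (every string up to the password's length over the 95 printable ASCII characters) is an assumption; it reproduces the 1.12 minute and 1.41 hundred million century figures.

```python
import string

# Character classes; 26 + 26 + 10 + 33 = 95 printable ASCII characters.
CLASSES = [
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation + " ",
]
SECONDS_PER_CENTURY = 100 * 365.25 * 86400

# Guess rates taken from the thread: the offline figure from post 2 and
# the throttle suggested in post 1.
RATES = {
    "offline, 1e14 guesses/s": 1e14,
    "throttled, 1 guess per 15 s": 1 / 15,
}


def alphabet_size(password):
    """Sum the sizes of every character class the password draws from."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def search_space(password):
    """Count all strings of length 1..len(password) over that alphabet."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def worst_case_seconds(password, guesses_per_second):
    """Time to try the whole search space at a fixed guess rate."""
    return search_space(password) / guesses_per_second


def humanize(seconds):
    """Render a duration in minutes or centuries, whichever reads better."""
    if seconds < SECONDS_PER_CENTURY:
        return f"{seconds / 60:.2f} minutes"
    return f"{seconds / SECONDS_PER_CENTURY:.3g} centuries"


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "P@ssw0rd12345678"):
        for label, rate in RATES.items():
            print(f"{pw:18} {label:30} {humanize(worst_case_seconds(pw, rate))}")
```

These are upper bounds for blind exhaustive search; a dictionary-based guesser would reach a common pattern like P@ssw0rd far sooner than the exhaustive figure suggests.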
  3. DOA

    DOA MG's Loki

    Good info, thanks.
    Back to the original question, how many tries per second does Win 7 allow and can I change it?
    How about our server?
     
  4. cipher

    cipher Major Geek Extraordinaire

    I'm seeing info that Windows 7 may allow on the order of a few hundred/second under the best conditions. Of course, web-based attacks would be limited by what the server would allow, presumably much less.

    I don't think you can change this parameter, it's a part of the OS code...
     
  5. DOA

    DOA MG's Loki

    Ahh, thanks much and I am off to the Win7 forums to suggest this change.
     
  6. foogoo

    foogoo Major "foogoo" Geek

  7. cipher

    cipher Major Geek Extraordinaire

    Absolutely. If one has physical access to the machine and any of several 'nix based crack programs on a bootable CD and available all over the place, they're in. The admin password can be changed in a few seconds. Many techs have and use these disks legitimately in the case of a forgotten user password, but the possibility of abuse is great.

    Even if boot options are configured to disallow boot from CD/DVD, most people do not password protect BIOS which would stop the average bad guy. A more knowledgeable individual with physical access can pop out the battery and reset the machine to default, which is no BIOS password protection and proceed from there.

    Physical security of the machine is the critical thing as far as the Windows password is concerned.
     
  8. DOA

    DOA MG's Loki

    Learning a lot here, thanks.
    Our machines are physically secure, just checking on the rest.
     
