Study for the SANS560 GIAC Penetration Tester (GPEN) Test. Study with flashcards and multiple choice questions; each question has hints and explanations. Get ready for your exam!

Multiple Choice

When reporting password cracking activities, which metric should be documented for each account to help assess timing against policy?

Explanation:
The key idea is to capture the actual time it takes to crack each account. Recording the time to crack provides a direct, comparable measure of how quickly a password could be compromised under the tested conditions, which you can then map against the organization’s password policy and defense thresholds (like required complexity, length, and lockout timing). This helps you assess whether the policy slows attackers enough and where gaps might exist.

Why the other possibilities aren’t as useful for this purpose: attacker name isn’t a metric of cracking performance or policy effectiveness, password length varies by account and isn’t a timing metric, and network path describes connectivity rather than the effort or speed of cracking.
