Strength in numbers

It is commonplace for frequent users of the Internet to have multiple online accounts that require passwords. Advice and guidelines abound on the Internet on picking safe and strong passwords. They are usually common sense guidelines – e.g. it has to be long enough and it should not be easily guessed. Sometimes a long enough password may not be safe and secure. The word password is an 8-letter word but sits on top of just about every list of no-no passwords. On the other hand, the 8-character string such as kHgfDsAa is a reasonable choice.

Recently it was reported in Cnet.com that security researcher Troy Hunt has released a searchable tool that taps the database of previously compromised passwords (here’s the Cnet.com article and here’s the tool). There are 306 millions of them. Supposedly the utility of the tool is that no one should use the passwords in this list. The thinking is that 306 million is a large number, and since it is such a large number, the search database would be a public service.

A counting exercise is sometimes needed in order to get a proper perspective on password strength. How big is 306 million? Consider the total number of 8-character strings. It would be $26^8$ which is 208,827,064,576. This is 208 billion or 208,827 million, about 682 times of 306 million. The universe of 8-letter passwords is 682 times bigger than this searchable database tool. This universe of 208 billion 8-letter passwords is only for lower case passwords. If including case sensitive passwords, this would be even a much bigger universe. It can be even bigger by adding the possibility of numeric characters and special symbols. The following table gives the numbers of possible passwords from lengths of 8 to 12 (just letters, case insensitive).

Length Total Total
8-letter $26^8$ 208,827,064,576
9-letter $26^9$ 5,429,503,678,976
10-letter $26^{10}$ 141,167,095,653,376
11-letter $26^{11}$ 3,670,344,486,987,780
12-letter $26^{12}$ 95,428,956,661,682,200

It is a good idea to use the searchable tool. But bear in mind that any password that is reasonably long and reasonably strong is likely not to be in this list of 306 million. Note that the number of 12-letter case insensitive (letter only) passwords is 95,428 trillion! The passwords represented in this table alone would dwarf the 306 million in this searchable database.

Here’s a peculiar way to find strong passwords. This scheme is to produce 26-letter passwords such that every letter is known and is fixed! In fact, the first letter of the password is the first letter in the English alphabets, the second letter of the password is the second letter of the English alphabets and so on. The length of the password is long but every letter is fixed. This scheme is discussed in this blog post. This universe of passwords is not as big as the ones in the above table. But it is a big enough collection of possibilities that it is all but impossible to hack without computer help. There are 67,108,864 many different possibilities (over 67 million). How does this scheme work? Why is it that every letter is known but the passwords can be strong?

Curious? Think about it or go to this blog post. This particular scheme is a way to learn the concept of binomial distribution. Any one who understands this scheme understands binomial distribution.

Having to come up with multiple passwords for multiple online accounts is a fact of life in the age of the Internet. Having a good way to generate secure passwords is critical. Keeping track of all the passwords is definitely a challenge. Often times, what is overlooked is that thinking about passwords is a good way to get close to the mathematics of counting.

$\text{ }$

$\text{ }$

$\text{ }$

$\copyright$ 2017 – Dan Ma