Passwords & "Fun" Math

The science and math behind the hackability of passwords is an interesting rabbit hole Marmot staff have fallen down as we plan for the Sierra passwords implementation. JB’s video demonstrating how quickly a brute force attack can churn through barcodes was eye-opening. Brandon shared an article that helps explain the math behind password complexity, and the impact complexity has on hacker behavior.

In the article “The Mathematics of (Hacking) Passwords” the author explains that the number of possible combinations can be calculated by raising the number of possible characters to the power of the length of the password field. For example, a four digit numerical PIN has ten possible characters (0, 1, 2, 3, 4, 5, 6, 7, 8, 9) and a length of four. Hence, there are 10^4 (or 10,000) possible combinations for a four digit numerical PIN.

There are some fun “calculators” on the internet that calculate how long it would take a computer to crack a password. According to this calculator, the 10,000 possible combinations of a four digit numerical PIN can be cracked by a computer in 1 microsecond.

However, as a password gets longer and incorporates more options for the possible characters, the time required for a computer to crack a password gets much, much longer. Allowing letters in a numerical password adds 26 more possible characters at each position of the password. If each letter is allowed to be upper or lowercase, that jumps to 52. A six digit password consisting of numbers plus both upper and lowercase letters has 62^6 (or 56,800,235,584) possible combinations. When special characters are added, the length of time required for a computer to crack password combinations becomes prohibitive to hackers. Even though brute force attacks are “set it and forget it” types of attacks, passwords that could take weeks or years to crack would deter most hackers.

One common complaint about complex passwords is how difficult it is to remember them. Modern best practices for passwords recommend the use of passphrases instead, using character replacement to make a seemingly common phrase more secure. Using the same password calculator as above, a passphrase of AsYouWish with character replacements - 4sY0uW1sh - would take a computer two weeks to crack.
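The formula above (characters to the power of length) and the passphrase comparison can be checked directly. This is an added example, not code from the article or from Marmot; it assumes a guess rate of 10^10 per second (the rate implied by "10,000 combinations in 1 microsecond") and a 32-symbol set for special characters, and reports the worst case of exhausting every combination.

```python
import string

# Character classes an exhaustive attacker must cover, chosen by which
# classes actually appear in the password (10 digits, 26 lower, 26 upper,
# and the 32 printable ASCII symbols; these sizes are an assumption).
CLASSES = {
    "digits": string.digits,
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "symbols": string.punctuation,
}

# Assumed rate: 10,000 guesses per microsecond = 10^10 guesses per second.
GUESSES_PER_SECOND = 10**10


def alphabet_size(password: str) -> int:
    """Number of possible characters per position, from the classes used."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """The article's formula: possible characters raised to the length."""
    return alphabet_size(password) ** len(password)


def worst_case_seconds(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Seconds to try every combination at `rate` guesses per second."""
    return keyspace(password) / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds * 1e6:,.1f} microseconds"


if __name__ == "__main__":
    # Constructed inputs: the page's PIN, a 6-character mixed example, and
    # the passphrase before and after character replacement.
    for pw in ["1234", "aB3xY9", "AsYouWish", "4sY0uW1sh"]:
        print(f"{pw:12} alphabet={alphabet_size(pw):3} "
              f"combinations={keyspace(pw):.3e} "
              f"worst case={human_time(worst_case_seconds(pw))}")
```

These are worst-case figures for exhaustive search at the assumed rate; an attacker who tries common words and substitution patterns first can finish sooner, so the margin is smaller than the raw keyspace suggests.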

These simple methods of making passwords more secure, while still being manageable, are what Marmot staff encourage library staff to share with library patrons to make all their accounts, not just their library account, more secure.

Until next time, M@yth3F0rc3b3w1thY0u! (13 sextillion years)