Crypticide II: Passwords: there are too few of them.

Simply put: the problem with reusable passwords as a form of authentication is that there are too few of them.

This goes for all sorts of passwords in the modern day, not just Unix passwords; I find the latter particularly egregious for reasons that I will explain another time, but for the moment let’s speak about simple, short passwords.

The maths are easy: for example, if you have a 4-digit PIN code protecting an ATM card, there are 10,000 combinations, from 0000 through 9999; because there are ten digits and four fields to fill, the maths work out:

10 ^ 4 = 10,000 (“ten to the power of four”)

Following this, we can determine precisely the number of passwords that exist for any given authentication system.

The traditional Unix password algorithm accepts up to eight characters of 7-bit ASCII keyboard input; characters which exceed 7 bits have the high bit stripped to fit. Because passwords are therefore eight characters or fewer, we have the following maths, where there are n possible characters available to the typist:

1 + (the empty password)
n^1 + (all 1 character passwords)
n^2 + (all 2 character passwords)
n^3 + (…yadda…)
n^4 + (…yadda…)
n^5 + (…)
n^6 + (…)
n^7 + (…)
n^8 (…up to and including all 8 character passwords)

So: all we need do now is determine a value for n; this is debatable, but the basic count is easy:

26 uppercase letters: A-Z
26 lowercase letters: a-z
10 digits: 0-9
32 ASCII punctuation: !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
1 SPACE

Making a basic total of 95 typeable characters; a long time ago I had a long discussion on USENET with the likes of Steve Bellovin and some others (alas apparently not archived on Google) regarding whether it was wise to include the likes of TAB and other control characters in the possible “typeable” password set.

The discussion was varied – and to be honest, politely inconclusive; TAB can be used to swap between input fields in GUI environments, Ctrl-A likewise moves to the start of line in some, and Ctrl-H may or may not be interpreted as Backspace in raw line disciplines.

In short it’s a mess, so let’s stick to n = 95 and ignore internationalisation issues for the moment.

Therefore:

1+95^1+95^2+95^3+95^4+95^5+95^6+95^7+95^8 = 6,704,780,954,517,121
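The following is an added example, not code from the original post: it reproduces the sum above for n = 95 and a maximum of eight characters (the 4-digit PIN count from earlier falls out of the same function), prints the per-length breakdown, compares the full typeable set with the narrower alphabets people actually tend to use, and models the two rules stated above for the traditional Unix scheme (at most eight characters used, each reduced to 7 bits) as a small normalisation function. That function, `normalise_unix`, and the other names here are mine; it illustrates the stated rules and is not a reimplementation of crypt(3).

```python
"""Count the password space of a bounded-length, fixed-alphabet scheme.

Added example, not code from the original post. The normalisation function
below models the rules the post states for the traditional Unix password
algorithm (keep at most eight characters, keep only 7 bits of each); it is an
illustration of those rules, not a reimplementation of crypt(3).
"""
import string

# The 95 typeable characters the post enumerates: 52 letters, 10 digits,
# 32 ASCII punctuation marks and the space.
TYPEABLE = string.ascii_letters + string.digits + string.punctuation + " "

# Narrower alphabets, for comparison with the full typeable set.
ALPHABETS = {
    "digits": string.digits,                                     # n = 10
    "lowercase": string.ascii_lowercase,                         # n = 26
    "lowercase+digits": string.ascii_lowercase + string.digits,  # n = 36
    "typeable": TYPEABLE,                                        # n = 95
}


def keyspace(n: int, max_len: int, min_len: int = 0) -> int:
    """Number of passwords of length min_len..max_len over an n-symbol alphabet.

    keyspace(10, 4, 4) is the 10,000 four-digit PINs; keyspace(95, 8) is the
    post's 1 + 95 + 95^2 + ... + 95^8, the empty password included.
    """
    return sum(n ** k for k in range(min_len, max_len + 1))


def keyspace_closed_form(n: int, max_len: int) -> int:
    """The same sum as a geometric series: (n^(L+1) - 1) / (n - 1)."""
    return (n ** (max_len + 1) - 1) // (n - 1)


def breakdown(n: int, max_len: int) -> list[tuple[int, int, int]]:
    """Rows of (length, passwords of exactly that length, running total)."""
    rows, total = [], 0
    for k in range(max_len + 1):
        total += n ** k
        rows.append((k, n ** k, total))
    return rows


def normalise_unix(password: bytes, max_len: int = 8) -> bytes:
    """Reduce a password to the part the traditional scheme keys on.

    Only the first max_len characters are used, and each is reduced to its
    low 7 bits. Anything beyond that does not change the result, so it does
    not add to the count of distinct passwords.
    """
    return bytes(b & 0x7F for b in password[:max_len])


def main() -> None:
    print(f"{len(TYPEABLE)} typeable characters")
    for k, exact, total in breakdown(95, 8):
        print(f"len {k}: {exact:>22,}   cumulative {total:>22,}")
    print()
    for name, alphabet in ALPHABETS.items():
        n = len(alphabet)
        print(f"{name:>16}: n={n:>3}  up to 8 chars: {keyspace(n, 8):>22,}")
    print()
    # Truncation: the ninth character and beyond are never looked at.
    print(normalise_unix(b"correcthorse") == normalise_unix(b"correcth"))  # True
    # 7-bit stripping: byte 0xE9 and 0x69 ('i') key identically.
    print(normalise_unix(b"caf\xe9") == normalise_unix(b"cafi"))          # True


if __name__ == "__main__":
    main()
```

Running it prints the cumulative total climbing to 6,704,780,954,517,121 at eight characters, and shows that the last term dominates: more than 98% of the space is the 95^8 eight-character passwords, so anyone who types fewer characters, or draws only from lowercase letters, is choosing from a far smaller set than the headline figure suggests.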

There are about 6.7 quadrillion “typeable” Unix passwords.

That’s not very many.

Really. Honestly. I mean it.

I’ll explain why, next Thursday.

Comments

2 responses to “Crypticide II: Passwords: there are too few of them.”

  1. Mark Musante
    re: Crypticide II: Passwords: there are too few of them.

    But the distribution across the 6.7×10^15 passwords is uneven. Perhaps this is what you’re going to touch on in your followup. I would argue that the lowercase letters are more common than the uppercase letters, which in turn are more common than the digits, which are more common than the punctuation.

    Actually, now that I think about it, digits are probably more common than uppercase. Anyway, can’t wait to read about why 6.7 quadrillion is not very many.

  2. alecm
    re: Crypticide II: Passwords: there are too few of them.

    distribution, schmistribution… 😎

    I said there are too few passwords, period. What their content is, is immaterial.

    More next week. 😎
