User talk:Jimowens

Combinatoric mathematics is a relatively simple idea, which pertains to counting finite sets. It is, however, a potentially very complex subject. When dealing with simple scenarios with few variables, the numbers are small and not hard to find. But as numbers grow and variations get more numerous, numbers grow exponentially. Sometimes it's difficult to sift through all these numbers in order to find a certain case of whatever chances one is calculating. For simplicity's sake, let's consider the case when we are trying to calculate the numbers associated with password making and code-breaking. Is it a good idea to require that one include at least one special character and at least one number in their password? Is a complicated and difficult-to-remember password harder to break than a long and simple collection of nouns? What technology is associated with code-breaking? First, let’s start with some parameters.

With the restriction that a password be no more than 32 characters, and the characters consisting of the 26 letters of the English alphabet (doubled so that we consider the capitalizations), the ten one-digit numbers, and fourteen special characters, the number of possibilities is

76^32+76^31+...+76^2+76+1 = 1.5552037*10^60

where there are 76^32 ways to use all 32 characters for the password, 76^31 ways to use 31 of the spaces, etc.

This is an obscenely large number. Through simple manipulation, we see that

76^32+76^31+...+76^2+76+1 = (76^33-1)/ 75

but with this, we have a number of issues. First, we have a large number of passwords using fewer than eight characters.

For this, we have to subtract

76^8+76^7+...+76+1

Second, we have passwords that are invalid because they have not used numbers.

To negate this, we must subtract

10^32+10^31+...+10+1

Third, we have passwords that are invalid because they have not used any special characters.

To negate this, we must subtract

14^32+14^31+...+14+1

But we accidentally subtracted the passwords that were missing both the numbers and the special characters.

To counter this, we must add

52!

This represents the principle of Inclusion/Exclusion.

This leads us to an immensely large number. It is actually the same as our original number of 1.552037*10^60. When it comes to the nature of people trying to crack codes for nefarious purposes, it is much more reasonable to develop a program that can run through different combinations of passwords than try to solve them by guessing. As a result, the code-breaking is left to straightforward algorithms.

Therefore, one could easily conclude that one randomly arranged set of letters takes as long to break as another of the same count. For this reason, it can be asserted that a very difficult-to-remember and complicated password serves only to make it more difficult for a person to guess, not a computer program. So why would we want to have such a complicated and difficult-to-remember password if we could have an equally difficult-to-break password that is very easy to remember?

I claim that one can use a long string of letters and numbers that are easy to remember and maximally difficult to break. For instance, were one to use "allhappyh0rsescantalk," which is an easy statement to remember, this would take as long to break as "di7fUl)598 %du&i4@wq." It would also take 1,000,000,000 times longer to find this password than a ten-digit randomly arranged password.

Let’s assume the code-breaking program isn’t a brute force breaker, like the recent Open Computing Language (Open CL) framework and a technology known as Virtual Open CL (VCL), which are used in concert to run the “Hashcat” password-cracking program. This program can run 348 billion low-level encrypted passwords a second. It also checks on combinations of words from a wordlist or dictionary, so we will change our password to “allhappyh0rsescantalk.” Even with this impressive power, it can take 5.5 hours to break an eight-character password with no restrictions (95^8 possible).
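An added worked example (not part of the original essay) that carries the inclusion/exclusion count through with exact integers and converts a keyspace into exhaustion time at the 348 billion guesses per second quoted above. The function names are hypothetical, and it assumes the "no digit" and "no special" sets are strings over the alphabet with those symbols removed (66 and 62 symbols); a tiny alphabet is enumerated to cross-check the formula.

```python
from itertools import product

def total(alphabet_size, min_len, max_len):
    """Number of strings over an alphabet with length in [min_len, max_len]."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))

def policy_keyspace(letters, digits, specials, min_len, max_len):
    """Strings with at least one digit AND at least one special character.

    Inclusion/exclusion: all - (no digit) - (no special) + (neither).
    """
    full = letters + digits + specials
    return (total(full, min_len, max_len)
            - total(full - digits, min_len, max_len)     # no digit anywhere
            - total(full - specials, min_len, max_len)   # no special anywhere
            + total(letters, min_len, max_len))          # removed twice, add back

def brute_force_count(letters, digits, specials, min_len, max_len):
    """Enumerate every string over a tiny alphabet to verify the formula."""
    alphabet = ["L"] * letters + ["D"] * digits + ["S"] * specials
    count = 0
    for n in range(min_len, max_len + 1):
        for candidate in product(alphabet, repeat=n):
            if "D" in candidate and "S" in candidate:
                count += 1
    return count

def hours_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return keyspace / guesses_per_second / 3600

if __name__ == "__main__":
    # Alphabet sizes from the text: 52 letters, 10 digits, 14 specials.
    everything = total(76, 0, 32)
    compliant = policy_keyspace(52, 10, 14, 8, 32)
    print(f"all strings up to 32 chars : {everything:.7e}")
    print(f"8-32 chars, digit + special: {compliant:.7e}")
    # Constructed small case: 2 letters, 2 digits, 1 special, lengths 1-4.
    print("formula    :", policy_keyspace(2, 2, 1, 1, 4))
    print("enumeration:", brute_force_count(2, 2, 1, 1, 4))
    # Eight characters over 95 printable symbols at the quoted rate.
    print(f"95^8 at 348e9/s: {hours_to_exhaust(95 ** 8, 348e9):.2f} hours")
```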

Say it takes a program one second for 1,000,000,000 guesses (this sounds like a lot, but it seems that nowadays, it's not asking that much). For one ten-digit password with one randomly chosen noun of length 8, with four vowels that are available to have special characters substituted in, and two random numbers, this gives us

26*25*24*23*10*9*(22*21*20*19+22*21*20*14+22*21*14*13+22*14*13*12+14*13*12*11)=1.4889066x10^13

It would take less than one day to break this password, as 6*10^9*3600*24 = 5.184*10^14.

But were we to ask the same program to find our password, "allhappyh0rsescantalk," we have

50^20+...+50^8-(10^20+...+10^8)-(14^20+...+14^8)+ (52!)

which is 9.7313706*10^33 and is almost an immeasurably large number. Although this password is simple and easy to remember, it is vastly more difficult for a computer to crack than in the past.

As one might suspect, hackers have not been sitting idly by in this battle for security. Recently, there have been over 100 million passwords leaked by hackers who have broken into mainframes operated by companies like LinkedIn, Twitter, and many other large websites. These passwords can be used almost as a case study in password continuity. From this, passwords are weaker than ever, especially when it comes to those who follow the patterns discovered by these hackers' handiwork. Some indicate that a large majority of people capitalize the first letter and don't capitalize the others, and the last three or four digits are normally numbers. Now, instead of having to try passwords from aaaaa0000 to ZZZZZ9999, their programs are retrofitted just to try 50*26*26*26*26*10*10*10*10 = 237,600,000,000, which is much fewer than the arbitrary key strokes of 76^9 = 8.4590644*10^16. It is easy to see the disadvantage one has if a password is flippantly chosen as well.

This is an example of how knowing certain aspects of a password can make a password easier to crack. For instance, if one has a regular eight-digit password they use and are activating an account with a service that requires one add a number or a special character, it is very likely they will simply add them to the end of the password. This takes the number of possibilities from 76^8 = 1.1130348*10^15 to 26^7*24 = 1.92763*10^11 or fewer. This is about one thousandth the random arrangement. It is feasible to think that requiring a special character or a number can make a password easier to break if the user opts only to add the required elements onto a previously chosen string of characters that are only letters.

With this information, it is more important than ever to select a password that doesn't fit into the parameters of the retrofitted algorithms of hackers, as well as one that isn't easily forgotten. We have seen that a longer and easier-to-remember password is much more difficult to break than a shorter, simpler one. With this, it is the hope of the author to spread awareness of this subject, thereby strengthening everyone's online security.

Sources:

http://securityledger.com/new-25-gpu-monster-devours-passwords-in-seconds/

http://arstechnica.com/security/2012/08/passwords-under-assault/