Application of counting principles: strengths of passwords

Ellina
Beauty in Mathematics
May 26, 2022

BACKGROUND INFORMATION

In a time of living a near online life, cybersecurity has been an underlying principle of internet surfing. Cybersecurity is “the state or process of protecting and recovering computer systems, networks, devices, and programs from any type of cyber attack” (Tunggal, 2021). This form of security keeps data such as PII (personally identifiable information), PHI (protected health information), and sensitive data protected from hackers that may sell or use your personal information. As a heavily Instagram-based high-schooler, I have seen my friends’ Instagram accounts get hacked, and the hackers would use their identities to send out links to more victims. Worse consequences may result if cyber criminals steal your credit card information. However, old-school methods like antivirus and firewalls are no longer sufficient against advancing technology. The easiest way for everyone, especially students who might not know how to encrypt data, is to create a strong password.

Now, what defines a strong password? Before we answer that, let’s take a preliminary look at how we calculate the number of unique passwords possible for a certain length.

Using the fundamental counting principle, we can determine how many unique passwords a 4-number password can form.

The fundamental counting principle tells us the number of ways two or more events can occur. If m₁ is the number of ways E₁ can occur and m₂ is the number of ways E₂ can occur, the number of ways E₁ and E₂ can occur is m₁ × m₂.

For example, there are 10 possible numbers (0, 1, 2, 3, 4, 5, 6, 7, 8, 9) to choose from and 4 possible spaces to enter them.

__ __ __ __

Each space can contain 1 of 10 numbers, so there are 10 ways space 1 can occur. Since there are also 10 ways each of the other spaces can occur, the number of unique passwords 4 numbers can form is given by

10 · 10 · 10 · 10 = 10000 passwords

or 10⁴ = 10000 passwords

Now, you may think 10000 passwords are pretty strong already. The truth is, it takes an INSTANT for hackers to decode your 4-numbered password! (Fripp, 2021)

A “bit” is the smallest unit of data (binary), and the amount of data (bits) indicates how much computer work is required to crack your password, and therefore how strong the password is. The more bits there are, the harder it is and the longer it will take for a hacker to find your password.

The number of bits needed to crack a password is given by the following equation:

1+integer(log2(N))

where N is the number of unique passwords (the sample space) and “integer” means keeping only the whole-number part, omitting the decimal.

Let’s calculate how many bits are needed in the 4-numbered password above.

1+integer(log2(10000)) = 14 bits

Now we can discuss what makes a strong password. A strong password, as defined by The French National Cybersecurity Agency, comprises around 100 bits. The agency considered less than 64 bits to be very weak, 64 to 80 bits to be weak, 80–100 bits to be moderately strong, and larger than 128 to guarantee security for a few years (Delahaye, 2019).

So…we know now that a 4-numbered password is not the best to use for confidential information. Let’s explore the strengths of passwords with a given condition and how we can make a strong password, above 100 bits.

APPLICATION 1

First, let’s compare the strength of passwords with the SAME length, but under different conditions (symbols, alphabet, numbers).

Variable held constant: # of characters: 5

Variables: just lowercase alphabet, all upper and lowercase alphabet, all alphabets and at least one number, all alphabets, numbers, and symbols

Case 1: just lowercase alphabet

Each space has 26 different ways of happening because there are 26 lowercase letters.

26 26 26 26 26

The sample space (N) will be 26⁵, which is 11,881,376 unique passwords

Bits = 1+integer(log2(N)) = 1+integer(log2(11,881,376)) = 24 bits

Case 2: both uppercase and lowercase alphabet

Now, there are 26x2 = 52 ways of each space happening.

52 52 52 52 52

The sample space (N) will be 52⁵, which is 380,204,032 unique passwords

Bits = 1+integer(log2(N)) = 1+integer(log2(380,204,032)) = 29 bits

Case 3: all alphabets and at least one number

In this example, we will have 10 numbers: 0 1 2 3 4 5 6 7 8 9

Since we need to have at least one number, one space will be dedicated for ONLY numbers. The other ones can have anything, which is 10+52 = 62

10 62 62 62 62

The sample space (N) will be 10 · 62⁴, which is 147,763,360 unique passwords

Bits = 1+integer(log2(N)) = 1+integer(log2(147,763,360)) = 28 bits

Wait…if there are more variables, shouldn’t the bit size be larger? Well, since we need to have at least one number, this makes it easy for hackers to know that one space MUST contain a number. This narrows it down for hackers, therefore giving a smaller bit size.

Case 4: all alphabets, numbers, and symbols

A new variable is introduced: symbols! This will include ? ! @ # $ % & * + ~, 10 symbols. The number of ways one space can occur is 10+10+52, which is 72.

72 72 72 72 72

The sample space (N) will be 72⁵, which is 1,934,917,632 unique passwords

Bits = 1+integer(log2(N)) = 1+integer(log2(1,934,917,632)) = 31 bits

Conclusion: with the same number of characters, the more unrestricted variation in numbers, alphabet, and symbols, the stronger the password.

APPLICATION 3

Finally, how do we make a strong password over a hundred bits? Let’s look at the criteria! If we combine the characteristics of the strongest passwords, we can expand on that and find a password above 100 bits.

Let’s try 20 characters, with all alphabet, symbols, and numbers.

That would be 72²⁰, around 1.4 x 10³⁷

Bits = 1+integer(log2(N)) = 1+integer(log2(1.4 x 10³⁷)) = 124 bits

Wow!! This is already enough to stay secure for a couple of years!

What if we only need 100 bits with 72 possible ways for each space? Let’s do this in reverse:

1+integer(log2(N)) = 100 bits

integer(log2(N)) = 99 bits

N = 6.34 x 10²⁹

log72(6.34 x 10²⁹) = 16 characters/space

Conclusion: If you can use all alphabets, numbers, and symbols, you need at least 16 characters to make your password strong.
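The calculations in Application 1 and Application 3 can be reproduced exactly with integer arithmetic. The following is an added example, not code from the original post: it implements the page's 1+integer(log2(N)) measure, and goes one step further by also counting Case 3 with the digit allowed in any position (all 62-character strings minus those with no digit) and by searching for the shortest length that reaches a target bit count. The function names are illustrative, and the model assumes every character is chosen uniformly at random.

```python
from itertools import product

# Character-class sizes used on this page.
LETTERS, DIGITS, SYMBOLS = 52, 10, 10  # symbols: ? ! @ # $ % & * + ~

def bits(n: int) -> int:
    """The page's measure 1 + integer(log2(N)), computed exactly.

    For a positive integer this equals n.bit_length(), so no floating-point
    logarithm is involved, even for values as large as 72**20.
    """
    if n < 1:
        raise ValueError("sample space must be at least 1")
    return n.bit_length()

def space(alphabet: int, length: int) -> int:
    """Fundamental counting principle: `alphabet` choices for each position."""
    return alphabet ** length

def space_fixed_digit_slot(length: int) -> int:
    """Case 3 as modelled on the page: one slot is digits only, the rest are free."""
    return DIGITS * space(LETTERS + DIGITS, length - 1)

def space_at_least_one(alphabet: int, required: int, length: int) -> int:
    """Required class may sit anywhere: all strings minus those that avoid it."""
    return space(alphabet, length) - space(alphabet - required, length)

def enumerate_at_least_one(chars: str, required: str, length: int) -> int:
    """Brute-force cross-check of the complement count on a tiny alphabet."""
    return sum(1 for p in product(chars, repeat=length)
               if any(c in required for c in p))

def min_length(alphabet: int, target_bits: int) -> int:
    """Shortest password length whose bit count reaches target_bits."""
    length = 1
    while bits(space(alphabet, length)) < target_bits:
        length += 1
    return length

if __name__ == "__main__":
    full = LETTERS + DIGITS + SYMBOLS  # 72
    rows = [("lowercase x5", space(26, 5)), ("letters x5", space(LETTERS, 5)),
            ("fixed digit slot x5", space_fixed_digit_slot(5)),
            ("digit anywhere x5", space_at_least_one(62, DIGITS, 5)),
            ("all 72 x5", space(full, 5)), ("all 72 x20", space(full, 20))]
    for label, n in rows:
        print(f"{label:20} N={n:<40} bits={bits(n)}")
    print("shortest length for 100 bits with 72 characters:", min_length(full, 100))
```

With the exact integer measure, 72¹⁶ comes to 99 bits and 17 is the first length that reaches 100; the figure of 16 is log72(2⁹⁹) ≈ 16.05 with the decimal dropped. For Case 3 with the digit in any position, the count is 535,928,800 (29 bits), still below the 916,132,832 (30 bits) of unrestricted 62-character passwords, so the requirement shrinks the search space in either model.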

After doing this application, I realized that my passwords are not strong AT ALL. Also, since I use the same password for all my accounts, I feel like my personal information and data are at risk :(

Delahaye, J.-P. (2019). The Mathematics of (Hacking) Passwords. [online] Scientific American. Available at: https://www.scientificamerican.com/article/the-mathematics-of-hacking-passwords/.

Fripp, C. (2021). Use this chart to see how long it’ll take hackers to crack your passwords. [online] Komando.com. Available at: https://www.komando.com/security-privacy/check-your-password-strength/783192/.

Tunggal, A.T. (2021). Why is Cybersecurity Important? [online] www.upguard.com. Available at: https://www.upguard.com/blog/cybersecurity-important#:~:text=Cybersecurity%20is%20important%20because%20it.
