Crypticide II: Passwords: there are too few of them.
Simply put: the problem with reusable passwords as a form of
authentication is that there are too few of them.
This goes for all sorts of passwords in the modern day, not just Unix
passwords; I find the latter particularly egregious for reasons that I
will explain another time, but for the moment let’s speak about
simple, short passwords.
The maths are easy: for example, if you have a 4-digit PIN code
protecting an ATM card, there are 10,000 combinations, from 0000
through 9999; because there are ten digits and four fields to fill,
the maths work out:
10 ^ 4 = 10,000 ("ten to the power of four")
Following this, we can determine precisely the number of passwords
that exist for any given authentication system.
The traditional Unix password algorithm accepts up to eight characters
of 7-bit ASCII keyboard input; characters that exceed 7 bits are
stripped to fit. Since every password of eight characters or fewer is
accepted, the count is the following sum, where n is the number of
characters available to the typist:
1 + (the empty password)
n^1 + (all 1 character passwords)
n^2 + (all 2 character passwords)
n^3 + (…yadda…)
n^4 + (…yadda…)
n^5 + (…)
n^6 + (…)
n^7 + (…)
n^8 (…up to and including all 8 character passwords)
So: all we need do now is determine a value for n; this is
debatable, but the basic count is easy:
26 uppercase letters: A-Z
26 lowercase letters: a-z
10 digits: 0-9
32 ASCII punctuation: !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
1 SPACE
Making a basic total of 95 typeable characters; a long time ago I had a
long discussion on USENET with the likes of Steve Bellovin and some
others (alas apparently not archived on Google) regarding whether it
was wise to include the likes of TAB and other control characters in
the possible “typeable” password set.
The discussion was varied - and to be honest, politely inconclusive:
TAB can be used to swap between input fields in GUI environments,
Ctrl-A likewise moves to the start of the line in some of them, and
Ctrl-H may or may not be interpreted as Backspace in raw line disciplines.
In short it’s a mess, so let’s stick to n = 95 and ignore
internationalisation issues for the moment.
Therefore:
1+95^1+95^2+95^3+95^4+95^5+95^6+95^7+95^8 = 6,704,780,954,517,121
There are about 6.7 quadrillion “typeable” Unix passwords.
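The arithmetic above, written out as a small added example (mine, not code from the original post). It counts the 95 "typeable" characters from Python's own constants, computes both the fixed-length PIN case and the up-to-eight-character Unix sum, and expresses the total as an equivalent number of bits. The truncate_to_7bit helper is my reading of the post's "eight characters of 7-bit ASCII, stripped to fit"; it is an assumption about that behaviour, included to show why two different typed strings can end up as the same stored password.

```python
import math
import string

# The post's "typeable" set: 26 upper + 26 lower + 10 digits + 32 punctuation + space.
# string.punctuation is exactly the 32 ASCII punctuation characters listed in the post.
TYPEABLE = (
    string.ascii_uppercase
    + string.ascii_lowercase
    + string.digits
    + string.punctuation
    + " "
)


def charset_size(charset: str = TYPEABLE) -> int:
    """Number of distinct characters available to the typist (n)."""
    return len(set(charset))


def fixed_length_keyspace(n: int, length: int) -> int:
    """Passwords of exactly `length` symbols drawn from n choices.

    This is the ATM PIN case from the post: n = 10, length = 4 gives 10^4.
    """
    return n ** length


def keyspace_up_to(n: int, max_len: int) -> int:
    """1 + n + n^2 + ... + n^max_len: every password of length 0 through max_len.

    This is the Unix case from the post: n = 95, max_len = 8.
    """
    return sum(n ** k for k in range(max_len + 1))


def keyspace_up_to_closed_form(n: int, max_len: int) -> int:
    """Same quantity as keyspace_up_to, via the geometric-series identity.

    Useful as a cross-check: (n^(L+1) - 1) / (n - 1) for n > 1.
    """
    return (n ** (max_len + 1) - 1) // (n - 1)


def equivalent_bits(count: int) -> float:
    """How many bits of a uniformly random key would have `count` possibilities."""
    return math.log2(count)


def truncate_to_7bit(password: str, max_len: int = 8) -> bytes:
    """Assumed model of the post's description: keep at most max_len characters
    and drop the high bit of each byte.

    Anything typed beyond the eighth character is ignored, and any byte with
    the high bit set collapses onto a 7-bit ASCII byte, so distinct inputs
    can map to the same effective password.
    """
    raw = password.encode("latin-1", errors="replace")[:max_len]
    return bytes(b & 0x7F for b in raw)


if __name__ == "__main__":
    n = charset_size()
    print("typeable characters:", n)
    print("4-digit PINs:", fixed_length_keyspace(10, 4))
    total = keyspace_up_to(n, 8)
    print("Unix passwords up to 8 chars:", f"{total:,}")
    print("cross-check matches:", total == keyspace_up_to_closed_form(n, 8))
    print("equivalent key bits:", round(equivalent_bits(total), 1))
    # Constructed inputs showing two different typed strings collapsing together.
    print(truncate_to_7bit("password1"), "==", truncate_to_7bit("password"))
```

The last line of the demo is the practical point: a 95-character set summed over lengths 0 to 8 is about 52.6 bits, and the eight-character cut means "password1" and "password" are the same password to the traditional scheme.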
That’s not very many.
Really. Honestly. I mean it.
I’ll explain why, next Thursday.