Yet another password WTF



  • The current password limitations for my bank's online banking are as follows:

    1. Your password must contain exactly 6 characters.
    2. Your password must contain at least 2 lowercase letters, at least 2 uppercase letters, and at least 2 numerals.

    That gives a sample space of... 4,112,784,000 passwords. That is not a good number.



  • I like those "at least"s there too.



  • @PSWorx said:

    I like those "at least"s there too.

    I do too, because there's no way to have more than 2 of them.



  • @curtmack said:

    That gives a sample space of... 4,112,784,000 passwords. That is not a good number.

    It's not correct, either.

    26 lowercase letters * 26 lowercase letters = 676 pairs of lowercase letters.

    26 uppercase letters * 26 uppercase letters = 676 pairs of uppercase letters.

    10 numerals * 10 numerals = 100 pairs of numerals.

    6! permutations of the above = 720.

    676 * 676 * 720 * 100 = 32,902,272,000.

    Your math was probably a little different:

    26 lowercase letters * 25 OTHER lowercase letters = 650 pairs of lowercase letters.

    26 uppercase letters * 25 OTHER uppercase letters = 650 pairs of uppercase letters.

    10 numerals * 9 OTHER numerals = 90 pairs of numerals.

    6! permutations of the above = 720.

    650 * 650 * 720 * 90 = 27,378,000,000.

    Wait, that's still a lot more than what you got. WTF did you do?



  • There aren't 720 permutations, there are 90.

    Start with L1L2U1U2N1N2, where we can distinguish between the two members of each class. Then there's indeed 720 permutations. But since the two members of each class are really interchangeable, there's actually 1/8 as many, or 90.



  • Maybe it doesn't just accept letters a-zA-Z, but any Unicode letter instead. That would enlarge the space a lot.



  • @fourchan said:

     Maybe it doesn't just accept letters a-zA-Z, but any Unicode letter instead. That would enlarge the space a lot.

    Or maybe if you use Unicode letters the check will allow it, but it will get mangled when saved to the database and then you will not be able to log in. Or JavaScript will count it as 1 letter, the server side will count it as 1 letter, but it will get saved as 2 letters (in a non-Unicode database field) and since the field is defined as CHAR(6) your password will get cut and you won't be able to log in.

    There are so many fun things that can happen with Unicode if it's not done properly :)
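The failure mode described in this post, as an added example that is not code from the thread or from any bank's system: the length check counts characters, the simulated CHAR(6) column (a constructed stand-in for the non-Unicode field) keeps only the first 6 bytes of the UTF-8 encoding, and the login comparison then fails for a password that passed validation. The `store_checked` variant measures the password in the column's own unit before storing.

```python
# Added example (constructed for this thread, not code from any bank or
# poster): a length check done in characters can disagree with a storage
# column sized in bytes, so a password that passes validation is silently
# truncated when saved and can never be matched again at login.

REQUIRED_CHARS = 6   # the thread's rule: exactly 6 characters
COLUMN_BYTES = 6     # the hypothetical CHAR(6) column, measured in bytes


def validate_length(password: str) -> bool:
    """Front-end/server check as described in the thread: counts characters
    (code points here), not the bytes the database will eventually see."""
    return len(password) == REQUIRED_CHARS


def store_char6(password: str, encoding: str = "utf-8") -> bytes:
    """Simulates writing to a non-Unicode-aware CHAR(6) column: the encoded
    bytes are cut to the column width and no error is raised."""
    return password.encode(encoding)[:COLUMN_BYTES]


def login(stored: bytes, attempt: str, encoding: str = "utf-8") -> bool:
    """Login compares the freshly encoded attempt with what was stored.
    (Real systems compare salted hashes, but the problem is identical: the
    hash was taken over different bytes than the user typed.)"""
    return stored == attempt.encode(encoding)


def round_trip(password: str) -> dict:
    """Run the whole flow for one password and report each stage."""
    ok = validate_length(password)
    stored = store_char6(password) if ok else b""
    return {
        "validated": ok,
        "stored_bytes": len(stored),
        "login_ok": ok and login(stored, password),
    }


def fits_column(password: str, encoding: str = "utf-8") -> bool:
    """Measure the password in the same unit the column uses."""
    return len(password.encode(encoding)) <= COLUMN_BYTES


def store_checked(password: str, encoding: str = "utf-8") -> bytes:
    """Hardened variant: refuse to store anything that would be truncated
    instead of silently cutting it."""
    if not fits_column(password, encoding):
        raise ValueError(
            f"password encodes to {len(password.encode(encoding))} bytes; "
            f"column holds {COLUMN_BYTES}"
        )
    return password.encode(encoding)


if __name__ == "__main__":
    # Constructed sample passwords: pure ASCII, and one ending in a
    # two-byte letter (U+00E9) that still counts as a single character.
    for pw in ("aB1cD2", "aB1cD\u00e9"):
        print(pw, round_trip(pw), "fits column:", fits_column(pw))
```

The ASCII password survives the round trip; the one containing "é" passes the 6-character check, is stored as 6 bytes ending in a half of the two-byte sequence, and never matches again. Checking byte length (or, better, hashing before storage so the column width is independent of the password) removes the mismatch.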



  • @curtmack said:

    That gives a sample space of... 4,112,784,000 passwords. That is not a good number.

    You're complaining about this? HAH! My bank gives (random?) user ids made of 8 digits and passwords made of 4 digits. Here are the WTFs of their login system:

    1. For any given user, there are 9,000 password combinations; yes, e
    2. I didn't notice any kind of limiting for failed login attempts (I made about 15 once, because I couldn't remember the last two digits of the password)
    3. There's no way to change the password (except requesting a new one and waiting a few days)
    4. They email you the password in plain text (to get your user id, you have to personally go to the bank)
    5. It's the only way to check all your banking transaction details (I had to sign up for the online account, to be able to validate my credit card with PayPal)
    6. There's no HTTPS access, only HTTP
    7. Their web page is completely unintuitive, it's extremely difficult to figure out where you are and what you can do from there (there are lots of things that link to other pages, like on the page that lists your accounts, the amount of money left in each account is a link to another page that gives some details about your transactions and the account number is a link to a page that gives other details about the transactions); I still haven't figured out a way to transfer money from one of my accounts to a friend's account.
    8. Their web page uses FRAMES! Yes, FRAMES!

    @curtmack said:

    That gives a sample space of... 4,112,784,000 passwords. That is not a good number.

    Do you think 9,000 passwords is safe? Is that a good number?



  • @rohypnol said:

    For any given user, there are 9,000 password combinations; yes, e

    They actually parse it to an integer and reject any passwords that start with zero?

    What would be really fun is if they treat leading-zero passwords as octal.



  • @rohypnol said:

    You're complaining about this? HAH! My bank gives (random?) user ids made of 8 digits and passwords made of 4 digits. Here are the WTFs of their login system:

    (8 points listed)

    That's pretty WTFy. But TRWTF is that you haven't changed banks.



  • @Paddles said:

    @rohypnol said:

    You're complaining about this? HAH! My bank gives (random?) user ids made of 8 digits and passwords made of 4 digits. Here are the WTFs of their login system:

    (8 points listed)

    That's pretty WTFy. But TRWTF is that you haven't changed banks.

    I am going to, sometime in March this year.



  • I believe the number of possible passwords is given by calculating the number of possible passwords if matches could not happen (i.e. you could tell one 'a' from another 'a'), minus the number of possible passwords with at least one pair of characters, plus the number of passwords with at least two pairs of characters (you would have subtracted these off twice for having two different pairs), minus the number of possible passwords with three pairs (which you would have subtracted off 3 times for having one pair, added back on 3 times for having two pairs, so now you need to remove them one time).

    If duplicates are not possible:
        720 * 26**4 * 10**2                      = 32902272000

    If there is at least one duplicate pair:        2910585600
        1 pair l = 360 * 26**2 * 26 * 100        =   632736000
        1 pair L = 360 * 26**2 * 26 * 100        =   632736000
        1 pair D = 360 * 26**4 * 10              =  1645113600

    If there are at least two pairs:                  75441600
        2 pair lL = 180 * 26 * 26 * 100          =    12168000
        2 pair LD = 180 * 26 * 26**2 * 10        =    31636800
        2 pair lD = 180 * 26 * 26**2 * 10        =    31636800

    Three pairs:
        90 * 26 * 26 * 10                        =      608400

    Final result: 32902272000 - 2910585600 + 75441600 - 608400 = 30,066,519,600



  • @PSWorx said:

    I like those "at least"s there too.

    What if you use Roman Numerals?



  • @snoofle said:

    @PSWorx said:

    I like those "at least"s there too.

    What if you use Roman Numerals?


    CXXiii? That's the same combination I have on my luggage!  (I know, I know...)



  • I don't know about your bank but mine locks me out if I make three wrong guesses. Then I need to call customer service on the phone, and identify myself before they unlock it.

    That may not be a lot of password combinations in your mind, but I guess they would get suspicious after 900 million phone calls (depending on which numbers are accurate). Brute force that one. If you have enough information to identify yourself as me, I am already screwed, as you could simply reset my password at will.

    Though it does create an interesting DoS attack, to lock out all of a bank's customers from their accounts. Though I bet they have controls in place to filter out excessive traffic from an offending IP address.



  •  @curtmack said:

    The current password limitations for my bank's online banking are as follows:

    1. Your password must contain exactly 6 characters.
    2. Your password must contain at least 2 lowercase letters, at least 2 uppercase letters, and at least 2 numerals.

    That gives a sample space of... 4,112,784,000 passwords. That is not a good number.

    Contact your bank and let them know that this is poorly configured.  I'm pretty sure that the "exactly 6 characters" is supposed to be "at least 6 characters" but falls back to exactly if they fail to set a maximum.

    If not, ask your bank to get in touch with the company that wrote their on-line banking and talk to tech support.



  • @Suutar said:

     There aren't 720 permutations, there are 90.

    Start with L1L2U1U2N1N2, where we can distinguish between the two members of each class. Then there's indeed 720 permutations. But since the two members of each class are really interchangeable, there's actually 1/8 as many, or 90.

    Okay, so just to be clear.

    abAB12

    There are only ninety possible ways to rearrange that?

    Because it looks to me like "aA1bB2" would be perfectly valid, which implies that 720 permutations are possible.



  •  (26^4)*10*10 = 45697600

    45697600 /2 /2 /2/2 =2856100

    2856100*6 = 17136600

     There's your answer



  • @CDarklock said:

    @Suutar said:

     There aren't 720 permutations, there are 90.

    Start with L1L2U1U2N1N2, where we can distinguish between the two members of each class. Then there's indeed 720 permutations. But since the two members of each class are really interchangeable, there's actually 1/8 as many, or 90.

    Okay, so just to be clear.

    abAB12

    There are only ninety possible ways to rearrange that?

    Because it looks to me like "aA1bB2" would be perfectly valid, which implies that 720 permutations are possible.


    How exactly does your example imply anything at all?

    Yes, there are 720 possible permutations of "abAB12", but the majority of those permutations have already been counted.

    Look, simplify it even further to just two uppercase letters.  According to your original formula, there are 676 (26*26) possible terms.  There are also two permutations of each, i.e. "AB" can be rearranged as "BA".  But "BA" was already one of your original 676, so you don't multiply by two.

    When you take the calculation 26^4 * 100, you've already accounted for all possible permutations in each class.  You only care about the number of permutations of the classes themselves, i.e. how many ways can "UULLNN" be rearranged.  To get that, you take the total number of permutations (720) and divide by the number of identical ones (2 for each U/L/N, or 2^3 = 8).  That gives 90.

    I thought they taught this stuff in high school.



  • @CDarklock said:

    @curtmack said:

    That gives a sample space of... 4,112,784,000 passwords. That is not a good number.

    It's not correct, either.

    26 lowercase letters * 26 lowercase letters = 676 pairs of lowercase letters.

    26 uppercase letters * 26 uppercase letters = 676 pairs of uppercase letters.

    10 numerals * 10 numerals = 100 pairs of numerals.

    6! permutations of the above = 720.

    676 * 676 * 720 * 100 = 32,902,272,000.

    Your math was probably a little different:

    26 lowercase letters * 25 OTHER lowercase letters = 650 pairs of lowercase letters.

    26 uppercase letters * 25 OTHER uppercase letters = 650 pairs of uppercase letters.

    10 numerals * 9 OTHER numerals = 90 pairs of numerals.

    6! permutations of the above = 720.

    650 * 650 * 720 * 90 = 27,378,000,000.

    Wait, that's still a lot more than what you got. WTF did you do?



    There are three pairs of repetitions, so you have to divide by 8.


  • @curtmack said:

    There are three pairs of repetitions, so you have to divide by 8.

    I still don't believe this is accurate, but I can't explain why, and I'm bad at this stuff. So I'll take your word for it.



  • @CDarklock said:

    I still don't believe this is accurate, but I can't explain why, and I'm bad at this stuff. So I'll take your word for it.


    Wasn't it already explained?

    Think of something where you already know the result set - a binary byte.  You have 8 binary digits, either 0 or 1.  You can have exactly 256 possible values.

    If you didn't know how many possible values you could have, how would you figure it out?  It's 2^8, which is 256.  By your logic, you should also have to multiply by 8! permutations, which would mean that a binary byte has 10321920 possible values.  That's obviously wrong.

    There are 8! possible permutations of the digits; however, there are also 8! ways to rearrange each permutation such that the result is exactly the same.  Therefore the number of distinct permutations is 256 * (8! / 8!), which is just 256.  You know that this is the right answer, and if you don't, you need to get out of the technology business right now.

    When you divide the word into character classes, you lower the number of identical rearrangements.  For each class, there are only 2! (or exactly 2) ways to rearrange the tokens in each class.  The number of distinct permutations is 45697600 * (6! / 2! / 2! / 2!) = 45697600 * 90 = 4112784000.

    If you still can't work it out, may I suggest a less challenging profession, say, marketing?



  •  Let us look at a small example, suppose you can have two upper and two lower case. We'll choose AB and cd. You know there are 24 permutations:

    ABcd ABdc AcBd AcdB AdBc AdcB

    BAcd BAdc BcAd BcdA BdAc BdcA

    cABd cAdB cBAd cBdA cdAB cdBA

    dABc dAcB dBAc dBcA dcAB dcBA

    You've already agreed that there are 26*26 ways to choose the upper chars? So BA is a different selection of that 26*26. But what are the 24 permutations of BA and cd? What about BA and dc? And AB dc? Yes, that's right, it gives you the same set of 24 permutations as above. So that was 4 sets of permutations that are identical. So in this limited sample you divide the final number by 4. If you add in 2 more characters then you'll need to divide the final number by 2*4 or 8.
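The counting argument in the last several posts, as an added example that is not code from any poster: it computes the space for the posted policy in closed form (the 6!/(2!2!2!) = 90 class patterns times the fills) and checks it against a brute-force enumeration over a shrunken alphabet of two lowercase, two uppercase and two digit symbols, where every string can be listed. The alphabet sizes and the 4-digit PIN comparison are taken from the thread; the reduced alphabet is constructed for the check.

```python
# Added example (constructed for this thread, not code from any poster):
# counts the password space for the posted policy two independent ways,
# the closed form the thread argues over and a brute-force enumeration on
# a shrunken alphabet, so the divide-by-8 argument can be checked rather
# than debated.
from itertools import product
from math import factorial, log2

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
LENGTH = 6


def meets_policy(pw: str, lower=LOWER, upper=UPPER, digits=DIGITS) -> bool:
    """The bank's rule as posted: exactly 6 characters, at least 2 lowercase,
    at least 2 uppercase, at least 2 numerals. With three classes and six
    slots the 'at least' collapses to 'exactly', which is the joke upthread."""
    if len(pw) != LENGTH:
        return False
    n_lower = sum(c in lower for c in pw)
    n_upper = sum(c in upper for c in pw)
    n_digit = sum(c in digits for c in pw)
    return n_lower >= 2 and n_upper >= 2 and n_digit >= 2


def class_patterns() -> int:
    """Distinct layouts of the class labels LLUUDD over 6 positions:
    6! orderings divided by 2! for each class whose two labels are
    interchangeable, i.e. 720 / 8 = 90."""
    return factorial(LENGTH) // (factorial(2) ** 3)


def closed_form(n_lower=26, n_upper=26, n_digits=10) -> int:
    """Pick a class pattern, then fill each slot from its class. Swapping
    the two letters within a class is already covered by the n**2 fill,
    which is why 720 has to be divided by 8 rather than used as-is."""
    return class_patterns() * n_lower**2 * n_upper**2 * n_digits**2


def brute_force(lower: str, upper: str, digits: str) -> int:
    """Enumerate every string over the given alphabet and count those that
    pass meets_policy. Feasible only for small alphabets: with 2+2+2 symbols
    that is 6**6 = 46,656 candidates."""
    alphabet = lower + upper + digits
    return sum(
        1
        for chars in product(alphabet, repeat=LENGTH)
        if meets_policy("".join(chars), lower, upper, digits)
    )


def entropy_bits(space: int) -> float:
    """Size of a uniformly chosen password space, expressed in bits."""
    return log2(space)


if __name__ == "__main__":
    small = brute_force("ab", "AB", "12")
    print("reduced alphabet: brute force", small, "closed form", closed_form(2, 2, 2))
    full = closed_form()
    print(f"full policy: {full:,} passwords, {entropy_bits(full):.1f} bits")
    # rohypnol's bank: 4 digits with no leading zero, i.e. 9,000 PINs
    print(f"4-digit PIN without leading zero: {entropy_bits(9000):.1f} bits")
```

On the reduced alphabet the enumeration and the closed form agree (5,760 each), and the closed form on the real alphabet gives the 4,112,784,000 from the first post, a little under 32 bits. The same brute-force check would disagree with the larger totals proposed later in the thread, which is the point of having a second, dumber way to count.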



  • @Aaron said:

    If you still can't work it out, may I suggest a less challenging profession, say, marketing?

    Hey, I said I was bad at this stuff. But when you come down to it, who cares how many possible passwords there are, anyway? If it's cryptographically significant, someone like me - who is more concerned with translating business rules into software systems - would defer to the judgment of a cryptographic expert.

    Who is probably really bad at translating business rules into software systems. But that's okay, because he can worry about the cryptographic stuff, and I can worry about the rule translation... and we end up with good software. Neither of us could have done it alone, but that's irrelevant, because we didn't have to.



  •  A classic joke from the internets.


    CORPORATE DIRECTIVE NUMBER 88-570471

    In order to increase the security of all company computing facilities,
    and to avoid the possibility of unauthorized use of these facilities,
    new rules are being put into effect concerning the selection of
    passwords. All users of computing facilities are instructed to change
    their passwords to conform to these rules immediately.

    RULES FOR THE SELECTION OF PASSWORDS:

    1. A password must be at least six characters long, and must not
    contain two occurrences of a character in a row, or a sequence of two or
    more characters from the alphabet in forward or reverse order. Example:
    HGQQXP is an invalid password. GFEDCB is an invalid password.

    2. A password may not contain two or more letters in the same position
    as any previous password. Example: If a previous password was GKPWTZ,
    then NRPWHS would be invalid because PW occurs in the same position in
    both passwords.

    3. A password may not contain the name of a month or an abbreviation
    for a month. Example: MARCHBC is an invalid password. VWMARBC is an
    invalid password.

    4. A password may not contain the numeric representation of a month.
    Therefore, a password containing any number except zero is invalid.
    Example: WKBH3LG is invalid because it contains the numeric
    representation for the month of March.

    5. A password may not contain any words from any language. Thus, a
    password may not contain the letters A, or I, or sequences such as AT,
    ME, or TO because these are all words.

    6. A password may not contain sequences of two or more characters which
    are adjacent to each other on a keyboard in a horizontal, vertical, or
    diagonal direction. Example: QWERTY is an invalid password. GHNLWT is
    an invalid password because G and H are horizontally adjacent to each
    other. HUKWVM is an invalid password because H and U are diagonally
    adjacent to each other.

    7. A password may not contain the name of a person, place, or thing.
    Example: JOHNBOY is an invalid password.

    Because of the complexity of the password selection rules, there is
    actually only one password which passes all the tests. To make the
    selection of this password simpler for the user, it will be distributed
    to all supervisors. All users are instructed to obtain this password
    from his or her supervisor and begin using it immediately.




  •  Also, for the record, my immediate instinct was the "exactly 6 characters" was a typo, but no, it does indeed require a password of exactly 6 characters.



  • @spxza said:

     A classic joke from the internets.


    CORPORATE DIRECTIVE NUMBER 88-570471

    In order to increase the security of all company computing facilities,
    and to avoid the possibility of unauthorized use of these facilities,
    new rules are being put into effect concerning the selection of
    passwords. All users of computing facilities are instructed to change
    their passwords to conform to these rules immediately.

    RULES FOR THE SELECTION OF PASSWORDS:

    1. A password must be at least six characters long, and must not
    contain two occurrences of a character in a row, or a sequence of two or
    more characters from the alphabet in forward or reverse order. Example:
    HGQQXP is an invalid password. GFEDCB is an invalid password.

    2. A password may not contain two or more letters in the same position
    as any previous password. Example: If a previous password was GKPWTZ,
    then NRPWHS would be invalid because PW occurs in the same position in
    both passwords.

    3. A password may not contain the name of a month or an abbreviation
    for a month. Example: MARCHBC is an invalid password. VWMARBC is an
    invalid password.

    4. A password may not contain the numeric representation of a month.
    Therefore, a password containing any number except zero is invalid.
    Example: WKBH3LG is invalid because it contains the numeric
    representation for the month of March.

    5. A password may not contain any words from any language. Thus, a
    password may not contain the letters A, or I, or sequences such as AT,
    ME, or TO because these are all words.

    6. A password may not contain sequences of two or more characters which
    are adjacent to each other on a keyboard in a horizontal, vertical, or
    diagonal direction. Example: QWERTY is an invalid password. GHNLWT is
    an invalid password because G and H are horizontally adjacent to each
    other. HUKWVM is an invalid password because H and U are diagonally
    adjacent to each other.

    7. A password may not contain the name of a person, place, or thing.
    Example: JOHNBOY is an invalid password.

    Because of the complexity of the password selection rules, there is
    actually only one password which passes all the tests. To make the
    selection of this password simpler for the user, it will be distributed
    to all supervisors. All users are instructed to obtain this password
    from his or her supervisor and begin using it immediately.


    Hm... this looks so familiar ... now I remember what I've always hated about RACF.
