bipin @ 2008-08-03 12:58:00
password pragmatics
I like my Internet. It's a fun place to be - mine's somehow got this new-agey, citrusy feel to it. However, as one flits from link to link, flirting with blog-poets, sites detailing the lamentable tale of two girls who had just one cup between them, and other such pleasures, ever so often, one comes across the nefarious Password Nanny Sites - sites which insist on some rather entangled set of rules and conventions for their passwords. Rules that promise you unassailability with their version of the online chastity belt.
Needless to say, dissolute as you are, chastity belts annoy you.
First, because they dictate how precious your account is to you. No, I don't need an unbreakable-by-NASA password for my BlockBuster video-rental site. What are you going to do?* Break into my account and send me a scaaaaary movie? Wooo.
And second, because of the arbitrariness of the rules they foist on you. I looked the other way when they made it mandatory to include upper-case letters in my password. I pretended that it was normal when they then said it was imperative to have digits. I defended that it was only polite to provide my mother's age, the number of moles my dog had, and my views on whether Kashmir really belongs to India when they demanded it as answers to 'security questions'. But when they caught up with the new fad of forcing me to adopt special characters - the #s, the &s and the !!s - in my password, I decided that it was time for me to lift my arm parallel to the ground, face my palm vertically at them, and say 'STOP!'.
For now, I'm going to prove to you with my amazing mathematical skills that your stupid method for 'improving security' is stupid.
Let's say your current password is a mere 8 characters long, each chosen from the set of lower-case letters, upper-case letters and digits. This means that there are 62^8 (26+26+10=62) possible combinations for potential passwords. For the non-computer-sciency of you, this means that, at worst, ScaryMovieSender will have to try 62^8 passwords until, eventually, he gets yours right. Since we manly computer-science people think that 218,340,105,584,896 is a smallish number, we introduce ways to create more possible combinations. Rumor has it that we shall continue on this quest, of decreasing the chances of someone breaking our password until the odds are about the same as that of the average software engineer's chances of fornicating before an arranged marriage.
Either way, one way to increase the number of possible combinations is to increase the number of characters you can compose your password from. Ok, let's do it then: even if you have me believe that anyone not suffering from self-inflicted epilepsy would choose '>' as one of the characters in their password, and we add all 30-something special characters to the base-set, the cardinality of the base-set increases to 92. This means that the total number of possible combinations is now at 92^8.
So, it's 92^8 vs. 62^8.
Staggering improvement, you might say. "Staggering my ass!", I would respond, and then quickly wish I hadn't said it. See, that's an increase of 92^8 / 62^8 times, which deceptively is just a mere 24 times increase in the total number of combinations. I use the word 'mere' because, in contrast, increasing the size of your password by one character increases the number of possibilities by 62 times.
That means that going from the password 'toofew' to 'toomany' is going to fetch you far more 'protection' than being forced to include special characters in your password.
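The arithmetic above, carried through and generalized, as an added example that is not part of the original post. The alphabet sizes 62 and 92 and the length 8 are the post's own figures; everything else (the function names, the guess rate) is assumed for illustration. The model is the one the post uses, every character chosen uniformly at random, so N^L counts the keyspace; the last function answers the natural follow-up question: how many extra symbols would a policy have to add to the alphabet before widening it is worth as much as one extra character?

```python
import math

# Added example (not the post's own code). Assumes uniformly random passwords,
# which is the only case in which "alphabet^length combinations" is the right count.


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols over an alphabet of `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: the bits of guessing work a uniformly random password of this shape carries."""
    return length * math.log2(alphabet_size)


def gain_from_wider_alphabet(alphabet_size: int, extra_symbols: int, length: int) -> float:
    """Factor by which the keyspace grows if `extra_symbols` are added to the alphabet and the length stays fixed."""
    return keyspace(alphabet_size + extra_symbols, length) / keyspace(alphabet_size, length)


def gain_from_extra_char(alphabet_size: int) -> int:
    """Factor by which the keyspace grows if the password gets one character longer (alphabet unchanged)."""
    return alphabet_size


def extra_symbols_to_match_one_char(alphabet_size: int, length: int) -> int:
    """Smallest e such that (alphabet_size + e)^length >= alphabet_size^(length + 1):
    the alphabet growth needed to be worth as much as one more character. Exact integer arithmetic."""
    target = keyspace(alphabet_size, length + 1)
    extra = 0
    while keyspace(alphabet_size + extra, length) < target:
        extra += 1
    return extra


def brute_force_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the whole keyspace at a given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


if __name__ == "__main__":
    print(f"62^8            = {keyspace(62, 8):,}")
    print(f"92^8 / 62^8     = {gain_from_wider_alphabet(62, 30, 8):.1f}x (the post's 'mere 24')")
    print(f"62^9 / 62^8     = {gain_from_extra_char(62)}x")
    print(f"8 chars over 92 = {entropy_bits(92, 8):.1f} bits, 9 chars over 62 = {entropy_bits(62, 9):.1f} bits")
    print(f"extra symbols needed at length 8 to match one more character: "
          f"{extra_symbols_to_match_one_char(62, 8)} (alphabet of {62 + extra_symbols_to_match_one_char(62, 8)})")
    rate = 1e9  # constructed figure: one billion guesses per second, purely for scale
    print(f"worst case at {rate:.0e} guesses/s: 92^8 -> {brute_force_seconds(92, 8, rate) / 86400:.1f} days, "
          f"62^9 -> {brute_force_seconds(62, 9, rate) / 86400:.1f} days")
```

Run stand-alone it prints the comparison; note that at length 8 the alphabet would have to grow to 104 symbols before the special-character rule catches up with a single extra character, and printable ASCII only has 95.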
So, pl3ase st0p m@k1ng m3 typ3 my p@55w0rd$ like this. Let those characters be where they truly belong - in speech bubbles of Asterix and Perl code. Instead, let me choose my passwords on my own terms: I hear 'RedshoeBlueshoePasswordu' is a good one. It's apparently got the added advantage that it's in Kannada.
For the curious among you, here's a list of my previous passwords.
* SubodhSir shamed me into retracting that statement on 8/19. He now knows the status of my car-loan, what I scored in third-grade History exams, and oh .. my social security number.
Moral of the story - never piss off a guy who knows more Windows than you know Math.