In: Statistics and Probability
A hacker has programmed their computer to generate, uniformly at random, an eight-character password, with each character being either one of 26 lower-case letters (a-z), one of 26 upper-case letters (A-Z) or one of 10 integers (0-9). The hacker wants to infiltrate a website that has 2 million users. Assume, for simplicity, that each user is required to use a unique password.
What is the expected number of attempts before the hacker successfully generates a user password?
What is the standard deviation of the number of attempts before the hacker successfully generates a user password? Suppose the website used passwords of length four (instead of eight characters).
What are the expected value and standard deviation of the number of attempts before the hacker successfully generates a user password?
Comment on the security differences between eight- and four-character passwords.
(a)
Number of passwords the hacker can generate = (26 + 26 + 10)^8 = 62^8
Probability of generating a user password = 2000000/(62^8) = 9.16 * 10^-9
Let x = number of trials needed to generate a user password. Then x follows a geometric distribution with p = 9.16 * 10^-9
Expected number of trials before the hacker generates a user password = 1/p = 1.092 * 10^8
Standard deviation of the number of trials before the hacker generates a user password = √(1 - p)/p
= √(1 - 9.16 * 10^-9)/(9.16 * 10^-9) = 1.092 * 10^8
(b)
Number of passwords the hacker can generate = (26 + 26 + 10)^4 = 62^4
Probability of generating a user password = 2000000/(62^4) = 0.13535
Let x = number of trials needed to generate a user password. Then x follows a geometric distribution with p = 0.13535
Expected number of trials before the hacker generates a user password = 1/p = 7.388
Standard deviation of the number of trials before the hacker generates a user password = √(1 - p)/p
= √(1 - 0.13535)/0.13535 = 6.87
(c)
As we can see, it takes far fewer trials to hack a 4-character password than an 8-character password: on average about 7 guesses versus about 10^8.
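The geometric-distribution calculation from parts (a) and (b), carried out in code so the numbers can be reproduced for any password length and user count. This is an added example, not part of the original question or answer; the function and parameter names are my own. It goes one step beyond the page by also computing how many guesses give the attacker a chosen probability of at least one hit, which is the figure a defender uses when sizing a lockout or rate limit. As in the answer, each guess is an independent uniform draw (with replacement), and every user has a distinct password.

```python
from fractions import Fraction
from math import ceil, log, sqrt

ALPHABET_SIZE = 26 + 26 + 10   # a-z, A-Z, 0-9, as in the question
USERS = 2_000_000              # distinct passwords in use, as in the question


def keyspace(length, alphabet_size=ALPHABET_SIZE):
    """Number of distinct passwords of the given length."""
    return alphabet_size ** length


def hit_probability(length, users=USERS, alphabet_size=ALPHABET_SIZE):
    """Probability p that one uniform random guess matches some user's password.

    Returned as an exact Fraction so no precision is lost for large keyspaces.
    """
    return Fraction(users, keyspace(length, alphabet_size))


def geometric_stats(p):
    """Mean and standard deviation of the trial count to first success.

    For a geometric distribution on {1, 2, ...}: E[x] = 1/p, SD[x] = sqrt(1-p)/p.
    """
    p = float(p)
    return 1.0 / p, sqrt(1.0 - p) / p


def password_guessing_stats(length, users=USERS, alphabet_size=ALPHABET_SIZE):
    """Bundle keyspace, p, expected trials and SD for one password length."""
    p = hit_probability(length, users, alphabet_size)
    mean, sd = geometric_stats(p)
    return {
        "keyspace": keyspace(length, alphabet_size),
        "p": float(p),
        "expected_trials": mean,
        "sd_trials": sd,
    }


def guesses_for_confidence(length, confidence, users=USERS, alphabet_size=ALPHABET_SIZE):
    """Smallest n such that P(at least one hit in n guesses) >= confidence.

    P(no hit in n guesses) = (1-p)^n, so n = ceil(log(1-confidence) / log(1-p)).
    Hypothetical helper, not from the page: this is the budget a defender compares
    against a per-account or global attempt limit.
    """
    p = float(hit_probability(length, users, alphabet_size))
    return ceil(log(1.0 - confidence) / log(1.0 - p))


if __name__ == "__main__":
    for n in (4, 8):
        s = password_guessing_stats(n)
        print(f"length {n}: keyspace={s['keyspace']}, p={s['p']:.4g}, "
              f"E[trials]={s['expected_trials']:.4g}, SD={s['sd_trials']:.4g}, "
              f"guesses for 50% hit chance={guesses_for_confidence(n, 0.5)}")
```

Running the block reproduces the answer's figures (about 7.39 expected guesses with SD 6.87 for four characters, about 1.09 * 10^8 for eight) and shows that roughly five guesses already give an attacker even odds against the four-character site, whereas the eight-character site needs on the order of 7.6 * 10^7 for the same odds.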