Mathematics Analysis and Approaches Internal Assessment
What is the strength of all possible passwords and how much
time will the computer take to crack all possible passwords?
Table of contents:
1. Introduction
2. Investigation
   a. Brute force attack
   b. Dictionary attack
   c. Using real-life example: Managebac
3. Conclusion
4. Evaluation
5. Bibliography
6. Appendix
1. Introduction
Everyone has secrets; it is human nature to keep some things to ourselves. A password is a tool for keeping those secrets. Many people see passwords as a modern invention, but passwords have been used since ancient times, when the military used them to transmit messages and information securely. The Greek historian Polybius described how the Roman legion used a passphrase system that shares many of the characteristics of modern-day passwords to distinguish whether strangers were friends or enemies. In the digital age that we are currently living in, passwords have become a necessity in our lives, which has led the internet to store approximately 1.2 million terabytes of information (Appendix 1). Passwords are used for the identification of social media accounts, mail, bank accounts, technological gadgets, etc. Hence, creating a strong password is crucial to protect your data on the internet. Aside from the difficulty of remembering passwords, the most troubling aspect of passwords is that they are easily cracked. In fact, hackers can crack any password with the right hardware and software; it is just a matter of time. However, a strong password can make cracking incredibly difficult and time-consuming.
Throughout my essay, a formula will be derived to find the probability of all possible passwords being cracked and how much time is needed to crack them. The two cracking techniques that I will be using are brute force attacks, a method that tries all the combinations of letters and numbers to break the password, and dictionary attacks, which involve systematically entering all words in a dictionary to crack passwords. As my extension, I will also calculate the probability of cracking a Managebac account, a platform which is widely used in every IB school.
2. Investigation
In real life, when we sign up for a new social media service or a website such as Gmail, Instagram, Facebook, etc., they often impose certain password requirements, which include a specific number of letters, numbers, and special characters. These requirements are intended to make our password as strong as possible and to make the barrier of entry stronger. So, what determines a strong password? To answer this question, I will use the formulas I created to calculate the strength of passwords.
The strength of a password is inversely proportional to the probability of hackers cracking your password. Thus, the lower the probability of cracking your password, the stronger the password. The probability of breaking a password is based on 3 factors: the number of characters used, the length of the password, and the hacking method.
2.1 Brute force attack
A brute force attack is a method by which hackers use random numbers and letters to break a password. In order to derive a formula, an example password will be used. Suppose the password is numeric and the example password “74785693” is given to break. In order to break this password, the computer will have to try $10^{8}$ possible passwords to get the 8 numbers right. Therefore, the probability of breaking the password “74785693” in just one try is $\frac{1}{10^{8}} = 10^{-8}$.
Thereby, the formula for the strength of the password is derived:

$$\text{strength of password (number of combinations)} = N^{L}$$

N refers to the number of characters (fixed) and L refers to the length of the password. For example, a numeric password will have 0~9, which has 10 characters allowed, N = 10, whereas an alphabetic password will have a~z, which has 26 characters allowed, N = 26.
According to my research, a computer can guess more than 100,000,000,000 passwords per second (Appendix 2), which means that each guess takes $1 \times 10^{-11}$ seconds. Using the same password “74785693” as above, the strength of the password can be found by using this formula:

$$\text{strength of password} = N^{L}$$

N = 10
L = 8

The strength of the password: $N^{L} = 10^{8}$

The time needed for a computer to break the password can be calculated by this formula:

$$t = \frac{\text{strength of the password}}{\text{speed}}$$

$$t = \frac{10^{8}}{10^{11}} = 0.001 \text{ seconds}$$
Hence, as you can see, this password can be hacked by hackers in less than a second; however, when the complexity of the password increases, the time needed to hack the password will increase as well. To prove this statement, I will add alphabetical letters and numbers into a password.

$N = 26 + 26 + 10$ (26 lower case letters, 26 upper case letters and 10 numbers)
$N = 62$
$L = 8$

$$\text{strength of password} = N^{L} = 62^{8} = 218{,}340{,}105{,}584{,}896 = 2.18 \times 10^{14}$$

$$t = \frac{\text{strength of the password}}{\text{speed}} = \frac{2.18 \times 10^{14}}{10^{11}} = 2183.401 \text{ (seconds)} = 36 \text{ minutes } 23 \text{ seconds}$$
The results that I calculated show that both of the passwords have the same length, yet the more complex password with 62 characters is $\frac{2183.401}{0.001} = 2183401$ times stronger than the less complex password with 10 characters, so it proves that the more complex the password, the stronger the password.
In order to determine whether the length or the complexity of a password gives a stronger password, I will use another example in which the password consists only of numbers but is 16 numbers long.

$$\text{strength of password} = N^{L}$$

N = 10
L = 16

The strength of the password: $N^{L} = 10^{16}$

$$t = \frac{\text{strength of the password}}{\text{speed}} = \frac{10^{16}}{10^{11}} = 100000 \text{ (sec)} = 27 \text{ hr } 46 \text{ min } 40 \text{ sec} = 1 \text{ day } 3 \text{ hr } 46 \text{ min}$$
My results show that even though the longer password has numbers only (N = 10), it is $\frac{100000}{2183.401} = 45.8 \approx 46$ times stronger than the one that is only 8 characters long but consists of 62 characters (N = 62). Hence, I can conclude that the length of the password plays a more important role in the strength of the password than the complexity of the password.
Observing the calculations above, it is correct to say that there is an exponential
correlation between the strength of a password and the complexity of the password.
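
| Length of the password (in numbers) | The time needed to crack the password (s) |
|---|---|
| 7 | $\frac{10^{7}}{10^{11}} = 0.0001$ |
| 8 | $\frac{10^{8}}{10^{11}} = 0.001$ |
| 9 | $\frac{10^{9}}{10^{11}} = 0.01$ |
| 10 | $\frac{10^{10}}{10^{11}} = 0.1$ |
| 11 | $\frac{10^{11}}{10^{11}} = 1$ |
| 12 | $\frac{10^{12}}{10^{11}} = 10$ |
| 13 | $\frac{10^{13}}{10^{11}} = 100$ |
| 14 | $\frac{10^{14}}{10^{11}} = 1000$ |
| 15 | $\frac{10^{15}}{10^{11}} = 10000$ |
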
Figure 1: the exponential growth between the time needed to crack the password
and the length of the password
Furthermore, according to the calculation above, we can conclude that the complexity of the password and the strength of the password are directly proportional, as when the complexity of the password increases, the strength of the password increases too.
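
| Length of the password (in numbers) | The time needed to crack the password (s) |
|---|---|
| 7 | $\frac{62^{7}}{10^{11}} = 35.2$ |
| 8 | $\frac{62^{8}}{10^{11}} = 2183.4$ |
| 9 | $\frac{62^{9}}{10^{11}} = 135370.9$ |
| 10 | $\frac{62^{10}}{10^{11}} = 8392994.7$ |
| 11 | $\frac{62^{11}}{10^{11}} = 520365606.8$ |
| 12 | $\frac{62^{12}}{10^{11}} = 3226266762.9$ |
| 13 | $\frac{62^{13}}{10^{11}} = 2000285393268.6$ |
| 14 | $\frac{62^{14}}{10^{11}} = 124017694346575$ |
| 15 | $\frac{62^{15}}{10^{11}} = 7.6891 \times 10^{15}$ |
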
Figure 2: the relationship between the time needed to crack the password and the
length of the password in alphabets
2.2 Dictionary attack
My calculations above use the brute force attack method to break the password; however, people sometimes use dictionary words or words that are meaningful to them instead of random numbers and characters to create their password, because dictionary words are easier to remember. This has led hackers around the world to create another attack called the dictionary attack, in which they upload a specific dictionary into the program and test each word until it matches the password.
To differentiate between a brute force attack and a dictionary attack, I will test the difference in cracking times between a dictionary attack and a brute force attack on a hypothetical password "trigonometryisfun". Using a brute force attack, the time needed to crack the password is:

$$\text{strength of password} = N^{L} = 26^{17} = 1.1 \times 10^{24}$$

$$t = \frac{\text{strength of the password}}{\text{speed}} = \frac{1.1 \times 10^{24}}{10^{11}} = 1.1 \times 10^{13}$$

If the same password “trigonometryisfun” is hacked using a dictionary attack by uploading the Cambridge Advanced Learner's Dictionary, containing 140,000 words, into the program, the formula for the dictionary attack will remain the same as for the brute force attack; the only thing that changes is that N will be the total number of words in the specific dictionary and L will be the number of words in the password. In this case, the number of words in the dictionary (N) is 140,000 and the number of words in the password (L) “trigonometryisfun” is 3. Thereby, using a dictionary attack, the time needed to crack the password is:

$$\text{strength of password} = N^{L} = 140{,}000^{3} = 2.7 \times 10^{15}$$

$$t = \frac{\text{strength of the password}}{\text{speed}} = \frac{2.7 \times 10^{15}}{10^{11}} = 27440 \text{ (sec)}$$

A dictionary attack takes $\frac{1.1 \times 10^{13}}{27440} = 4.1 \times 10^{8}$ (s) times less time than a brute force attack to break the password “trigonometryisfun”. This result shows that passwords that contain dictionary words can be broken quickly when hackers are using a dictionary attack.
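
The comparison above can be turned into a strength check that splits a password into dictionary words and reports whichever attack has the smaller search space. This is an added example, not part of the original essay; `SAMPLE_WORDS` is a small constructed stand-in for the dictionary's contents, and the function names are hypothetical.

```python
DICTIONARY_SIZE = 140_000     # word count the essay gives for its dictionary
GUESSES_PER_SECOND = 10**11   # guessing rate the essay takes from Appendix 2
# Constructed stand-in for the dictionary's contents, just enough for the samples.
SAMPLE_WORDS = {"trig", "trigonometry", "geometry", "on", "is", "fun", "try"}

def min_words(password, words):
    """Fewest dictionary words that concatenate to password, or None."""
    # best[i] holds the fewest words that cover password[:i]
    best = [0] + [None] * len(password)
    for end in range(1, len(password) + 1):
        for start in range(end):
            if best[start] is None or password[start:end] not in words:
                continue
            if best[end] is None or best[start] + 1 < best[end]:
                best[end] = best[start] + 1
    return best[-1]

def weakest_attack(password, words, dict_size=DICTIONARY_SIZE, charset=26):
    """Return (guesses, method) for whichever attack has the smaller keyspace."""
    brute = charset ** len(password)
    count = min_words(password, words)
    if count is None or dict_size ** count >= brute:
        return brute, "brute force"
    return dict_size ** count, "dictionary"

def crack_seconds(password, words):
    """Worst-case time at the essay's guessing rate."""
    return weakest_attack(password, words)[0] / GUESSES_PER_SECOND

if __name__ == "__main__":
    for pw in ("trigonometryisfun", "fun", "qzkxvbwp"):  # constructed samples
        guesses, method = weakest_attack(pw, SAMPLE_WORDS)
        print(f"{pw:18} {method:11} {guesses:.2e} guesses "
              f"{crack_seconds(pw, SAMPLE_WORDS):.3g} s")
```

For a single short word such as "fun" the character search space ($26^{3}$) is smaller than the dictionary size, so the dictionary model only lowers the estimate once the password is long enough.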
Managebac
Managebac is an online planning, assessment, and reporting platform for all IB schools and students; therefore, a weak password is not acceptable when creating an account in Managebac. It has a password requirement of at least 8 characters including upper case letters, symbols and numbers, so it is worth knowing how strong the password required to enter Managebac is. There are 26 lower case letters, 26 upper case letters, 10 numbers, and 40 symbols found on our laptop. The strength of the password can be found using the formula that I derived above:

$N = 26 + 26 + 10 + 40 = 102$
$L = 8$ (minimum characters)

$$\text{strength of password} = N^{L} = 102^{8} = 1.2 \times 10^{16}$$

The time needed for a computer to break the password can be calculated by:

$$t = \frac{\text{strength of the password}}{\text{speed}} = \frac{1.2 \times 10^{16}}{10^{11}} = 117165.9 \text{ (sec)} = 1952 \text{ min } 45 \text{ sec}$$

Hackers need 1952 minutes and 45 seconds, which is approximately 1.4 days, to crack a Managebac account protected by a minimum 8-character password, so it is better to create a longer and more complex password to protect and secure your information.
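
The brute force calculations in section 2.1 and the Managebac calculation above follow one procedure, shown here as an added example that is not part of the original essay. It goes slightly beyond the text by also reporting the average case (about half the search space) and the strength in bits; the function names and the sample passwords are constructed for illustration.

```python
import math
import string

GUESSES_PER_SECOND = 10**11  # guessing rate the essay takes from Appendix 2
SYMBOL_COUNT = 40            # the essay's count of keyboard symbols

def alphabet_size(password):
    """N: total size of every character class the password draws from."""
    n = 0
    if any(c in string.ascii_lowercase for c in password):
        n += 26
    if any(c in string.ascii_uppercase for c in password):
        n += 26
    if any(c in string.digits for c in password):
        n += 10
    if any(not c.isalnum() for c in password):
        n += SYMBOL_COUNT
    return n

def crack_seconds(n, length, rate=GUESSES_PER_SECOND, average=False):
    """Worst case tries all N**L candidates; on average about half suffice."""
    guesses = n ** length
    if average:
        guesses = (guesses + 1) / 2
    return guesses / rate

def entropy_bits(n, length):
    """Strength on a log scale: L * log2(N) bits."""
    return length * math.log2(n)

def digits_to_match(n, length):
    """Shortest digits-only length whose keyspace reaches n**length."""
    digits = 1
    while 10 ** digits < n ** length:
        digits += 1
    return digits

def humanize(seconds):
    for unit, size in (("years", 31_536_000), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.3g} seconds"

if __name__ == "__main__":
    for pw in ("74785693", "aB3dE6gH", "aB3$dE6!"):  # constructed samples
        n, length = alphabet_size(pw), len(pw)
        print(f"{pw:10} N={n:<4} L={length:<3} {entropy_bits(n, length):5.1f} bits"
              f"  worst case {humanize(crack_seconds(n, length))}")
```

`digits_to_match(62, 8)` gives the length at which a digits-only password catches up with an 8-character password drawn from 62 characters.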
Evaluation:
Nevertheless, there are still some limitations in my essay. Some technology gadgets now use fingerprint and face identification to secure the owner's information. Hence, my calculations might not be suitable in this situation. Other than that, there is no exact number of passwords cracked by a computer available on the internet, which may make my results inaccurate. So, to make my investigation closer to reality, I could have used another real-life hacking method to justify my answer, explored the probability and found the time needed when no information is given about a password, and used a computer of the kind hackers use to break the password. These solutions can make my investigation more realistic.
Conclusion:
In my investigation, the strength of all possible passwords, the time taken to crack a password, and how a password can be improved are determined. I have found that the length of a password can make a password stronger than making the password complex does. Moreover, dictionary attacks can crack dictionary words easily; hence, it is worthwhile to include upper case letters, symbols, and numbers in a password to decrease the probability of getting hacked. I can conclude that a strong password consists of more characters, upper and lower case letters, symbols, and numbers. However, I believe that my investigation is useful and important to everyone living in this technologically advanced century, as the password has become essential.
Bibliography:
Www-scientificamerican-com-s.webvpn.bjmu.tsg211.com. 2019. The Mathematics of (Hacking) Passwords. [online] Available at: <http://www-scientificamerican-com-s.webvpn.bjmu.tsg211.com/article/the-mathematics-of-hacking-passwords/> [Accessed 3 December 2021].
Perry, C., 2015. The Origin of Passwords | Password Security. [online] Blog.bio-key.com. Available at: <https://blog.bio-key.com/2015/09/14/the-origin-of-password-security> [Accessed 3 December 2021].
www.kaspersky.com. 2021. Brute Force Attack: Definition and Examples. [online] Available at: <https://www.kaspersky.com/resource-center/definitions/brute-force-attack> [Accessed 3 December 2021].
SearchSecurity. 2021. What is a dictionary attack? - Definition from WhatIs.com. [online] Available at: <https://www.techtarget.com/searchsecurity/definition/dictionary-attack> [Accessed 3 December 2021].
Appendix:
1. Starry Blog. 2021. How Big Is The Internet? Hint: Probably A Lot Bigger Than You Think. [online] Available at: <https://starry.com/blog/inside-the-internet/how-big-is-the-internet> [Accessed 3 December 2021].
2. The Conversation. 2021. A computer can guess more than 100,000,000,000 passwords per second. Still think yours is secure?. [online] Available at: <https://theconversation.com/a-computer-can-guess-more-than-100-000-000-000-passwords-per-second-still-think-yours-is-secure-144418#:~:text=It%20achieved%20a%20rate%20faster,process%20called%20brute%20force%20attacks.> [Accessed 3 December 2021].
3. 2021. [online] Available at: <https://help.managebac.com/hc/en-us/articles/360019113471-Creating-Strong-Passwords-that-are-Easy-to-Remember> [Accessed 3 December 2021].