- Kathryn Patterson

# Beware!! Math Ahead!!!

### (Or A Proof for Password Security)

U: the set of possible passwords ||: denotes the size of a set a : the available character set n: the length of the password The formula for determining the possible set of all passwords is U = {a}n For example, if you can only use the last three letters of the alphabet for passwords, and you have a password length of 2, then

U = {x, y, z} 2 , or U = {xx, xy, xz, yy, yx, yz, zz, zx, zy}Therefore, the size of U is the number of elements in a raised by the length of the password, or

|U| = |a|nTherefore, the more elements you have in a and the longer n, the larger the size for U, or the more possibilities you have for any given password. How does this relate to password security? Most hackers use a guessing algorithm to attempt to guess a user's password. If you only use letters or numbers, you severely limit the possible password set and make the hacker's job easier. But if you use both letters and numbers, you make the hacker's job harder. Add in special characters, and the work load goes up exponentially.

For example, let's say you need to create an 8 character password.

Using only numbers, |U| = 108, or 100 million

Using only letters, |U| = 268, or over 208 billion

Using all alphanumeric characters, |U| = 368, or over 288 trillion

Using alphanumeric and special characters, |U| = 468, or so big you need to use scientific notation

I typically use a password length of 16, so even if I only use numbers there is still 1016, or 1 quadrillion possible passwords. This is why security experts want you to use long passwords with a combination of alphanumeric and special characters.