Ill-chosen password restrictions
I just needed to sign up for a website account and encountered these password restrictions, and while I know these attempts at "secure" passwords are ill-chosen, I'm struggling with calculating how much smaller the search space is compared to an unrestricted password of the same maximum length.[list][*]5-8 characters[*]must contain at least one of [a-zA-Z][*]must contain at least one of [0-9][*]must contain at least one of [!-/] (the range, not those 3 chars)[*]must [i]not[/i] contain any successive repeated chars (e.g. "pizza#5" is invalid)[*]first character cannot be [color=red]?[/color] or [color=red]![/color][/list]I think that unrestricted passwords up to 8 chars (assuming 256 possible values per character) gives 1.852e+19 possibilities (correct me if I'm wrong), what is the possible number of valid passwords given the above restrictions?
|
[QUOTE=James Heinrich;278141]I just needed to sign up for a website account and encountered these password restrictions, and while I know these attempts at "secure" passwords are ill-chosen, I'm struggling with calculating how much smaller the search space is compared to an unrestricted password of the same maximum length.[list][*]5-8 characters[*]must contain at least one of [a-zA-Z][*]must contain at least one of [0-9][*]must contain at least one of [!-/] (the range, not those 3 chars)[*]must [i]not[/i] contain any successive repeated chars (e.g. "pizza#5" is invalid)[*]first character cannot be [color=red]?[/color] or [color=red]![/color][/list]I think that unrestricted passwords up to 8 chars (assuming 256 possible values per character) gives 1.852e+19 possibilities (correct me if I'm wrong), what is the possible number of valid passwords given the above restrictions?[/QUOTE]
from what I can tell we'd be using all 256 just not all freely. so the first number can be any of 254 characters, the second can be any of them except the first one, the third one can be any except for the second one, etc. that takes care of not starting with ? or ! and no successive repeats. start figuring from there. |
here's a PARI code for a "random" password generator:
[CODE]for(x=1,5,print1(Strchr(random(256))))[/CODE] just plug in what you need. |
[QUOTE=science_man_88;278156]here's a PARI code for a "random" password generator:
[CODE]for(x=1,5,print1(Strchr(random(256))))[/CODE] just plug in what you need.[/QUOTE] sorry forgot to check if it was above 0. [CODE]for(x=1,8,until(a!=0,a=random(256));print1(Strchr(a)))[/CODE] |
[QUOTE=James Heinrich;278141]I just needed to sign up for a website account and encountered these password restrictions, and while I know these attempts at "secure" passwords are ill-chosen, I'm struggling with calculating how much smaller the search space is compared to an unrestricted password of the same maximum length.[LIST][*]5-8 characters[*]must contain at least one of [a-zA-Z][*]must contain at least one of [0-9][*]must contain at least one of [!-/] (the range, not those 3 chars)[*]must [I]not[/I] contain any successive repeated chars (e.g. "pizza#5" is invalid)[*]first character cannot be [COLOR=red]?[/COLOR] or [COLOR=red]![/COLOR][/LIST]I think that unrestricted passwords up to 8 chars (assuming 256 possible values per character) gives 1.852e+19 possibilities (correct me if I'm wrong), what is the possible number of valid passwords given the above restrictions?[/QUOTE]
I come up with 109,195,756,300,800,000 assuming that you have 52 upper/lower case letters, 10 digits and 192 'other' (256*255^4*194*52*10). Assuming ! - / refers to the ASCII table and only uses those between them (ASCII 33 to ASCII 47) limiting your choices to 15 'other' you have only 20,037,322,905,600 (77*76^4*52*15*10) |
[QUOTE=bcp19;278159]Assuming ! - / refers to the ASCII table and only uses those between them (ASCII 33 to ASCII 47) limiting your choices to 15 'other' you have only 20,037,322,905,600 (77*76^4*52*15*10)[/QUOTE]The "special-character" requirement does require ASCII 33 to ASCII 47 (0x21-0x2F).
The problem doesn't state it, but due to limitations of the web form used for signing up, the unspecified characters can be any of [b]0x20[/b]-0xFF (224 values) since there is no practical way to enter low-ASCII characters into the form, even though they're not excluded by the rules. |
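An exact count for the rules as clarified above (input limited to 0x20-0xFF, specials 0x21-0x2F), added here as an example and not part of any post in this thread. It tracks only the class of the last character and which required classes have appeared so far; the class sizes (52 ASCII letters, 10 digits, 15 specials, 147 other) and all function names are assumptions of the example.

```python
from collections import defaultdict

# Class sizes for the form described in the thread: typeable input 0x20-0xFF
# (224 values), of which 52 letters, 10 digits and 15 specials (0x21-0x2F).
CLASSES = {"letter": 52, "digit": 10, "special": 15, "other": 224 - 77}
REQUIRED = ("letter", "digit", "special")
# Characters banned in first position, counted per class: '!' (0x21) is a
# special, '?' (0x3F) falls in "other".
BANNED_FIRST = {"special": 1, "other": 1}


def count_valid(classes=CLASSES, required=REQUIRED, banned_first=BANNED_FIRST,
                min_len=5, max_len=8):
    """Exact number of passwords that satisfy every rule listed in the thread."""
    names = list(classes)
    need = frozenset(required)
    # state[(class of last char, required classes seen)] = number of prefixes
    state = defaultdict(int)
    for c in names:
        n = classes[c] - banned_first.get(c, 0)
        if n > 0:
            state[(c, need & {c})] += n
    total = 0
    for length in range(1, max_len + 1):
        if length >= min_len:
            total += sum(v for (_, seen), v in state.items() if seen == need)
        nxt = defaultdict(int)
        for (last, seen), v in state.items():
            for c in names:
                # Same class: any char except the previous one. Other class: all.
                choices = classes[c] - (1 if c == last else 0)
                nxt[(c, seen | (need & {c}))] += v * choices
        state = nxt
    return total


def unrestricted(alphabet=224, min_len=5, max_len=8):
    """Passwords of the same lengths over the same alphabet, with no rules."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


if __name__ == "__main__":
    valid, free = count_valid(), unrestricted()
    print(f"valid under the rules : {valid:.4e}")
    print(f"same lengths, no rules: {free:.4e}  (ratio {valid / free:.3f})")
```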
[QUOTE=James Heinrich;278164]since there is no practical way to enter low-ASCII characters into the form[/QUOTE]
wow the alt key isn't practical, who would have thought ( joking I know kinda what you mean). [CODE]for(x=1,8,until(a>12,a=random(256));print1(Strchr(a)))[/CODE] an alteration to make the upper 244 alts used. |
[QUOTE=science_man_88;278174]wow the alt key isn't practical, who would have thought ( joking I know kinda what you mean).[/QUOTE]Not practical as in it doesn't work reliably. For example, if you enter Alt-0009 into a web form it may:
a) do nothing b) tab to the next field c) enter a tab character depending on both the browser used and the coding of the page. |
[QUOTE=James Heinrich;278175]Not practical as in it doesn't work reliably. For example, if you enter Alt-0009 into a web form it may:
a) do nothing b) tab to the next field c) enter a tab character depending on both the browser used and the coding of the page.[/QUOTE] I did say I kinda understood. so outside of a check for the must have at least one part I have a code working for characters able to be typed outside of control characters but it'll only be able to be typed on certain keyboard types. [CODE]randompass(n)=a=Vec("~`1!2@3#4$5%6^7&8*9(0)_-+=\|]}{[PpOoIiUuYyTtRrEeWwQqAaSsDdFfGgHhJjKkLl;:'/?.>,<mMnNbBvVcCxXzZ");a=concat(Vec(a),[34]);for(x=1,n,until(b!=0,b=random(#a));if(x==1&&(b==4||b==74),until(b!=4&&b!=74,b=random(#a)));print1(a[b]))[/CODE] makes a n character configuration, loads up the characters able to be typed on my keyboard layout (the messiness partly due to " causing problems). goes through until x=n checks if b!=0 ( actually caught while posting here) checks if x==1 ( if so we need to exclude ? and ! (which are in positions 4 and 74 the way I typed it in) either way it eventually prints a character for that length into the password. |
[QUOTE=James Heinrich;278141]5-8 characters[/QUOTE]Bahahaha, this must be for a bank.
|
[QUOTE=lavalamp;278634]Bahahaha[/QUOTE]
Agreed. With a length range of 5-8 characters, it is a moot point to argue whether other restrictions make any difference. This is the weakest link in the whole scheme. |