Ill-chosen password restrictions

[James Heinrich]

I just needed to sign up for a website account and encountered these password restrictions, and while I know these attempts at "secure" passwords are ill-chosen, I'm struggling with calculating how much smaller the search space is compared to an unrestricted password of the same maximum length.

• 5-8 characters
• must contain at least one of [a-zA-Z]
• must contain at least one of [0-9]
• must contain at least one of [!-/] (the range, not those 3 chars)
• must not contain any successive repeated chars (e.g. "pizza#5" is invalid)
• first character cannot be ? or !

I think that unrestricted passwords up to 8 chars (assuming 256 possible values per character) gives 1.852e+19 possibilities (correct me if I'm wrong), what is the possible number of valid passwords given the above restrictions?

[science_man_88]

Quote:

Originally Posted by James Heinrich

I just needed to sign up for a website account and encountered these password restrictions, and while I know these attempts at "secure" passwords are ill-chosen, I'm struggling with calculating how much smaller the search space is compared to an unrestricted password of the same maximum length.

• 5-8 characters
• must contain at least one of [a-zA-Z]
• must contain at least one of [0-9]
• must contain at least one of [!-/] (the range, not those 3 chars)
• must not contain any successive repeated chars (e.g. "pizza#5" is invalid)
• first character cannot be ? or !

I think that unrestricted passwords up to 8 chars (assuming 256 possible values per character) gives 1.852e+19 possibilities (correct me if I'm wrong), what is the possible number of valid passwords given the above restrictions?

from what I can tell we'd be using all 256 just not all freely. so the first number can be any of 254 characters, the second can be any of them except the first one, the third one can be any except for the second one, etc. that takes care of not starting with ? or ! and no successive repeats. start figuring from there.

[science_man_88]

here's a PARI code for a "random" password generator:

Code:

for(x=1,5,print1(Strchr(random(256))))

just plug in what you need.

[science_man_88]

Quote:

Originally Posted by science_man_88

here's a PARI code for a "random" password generator:

Code:

for(x=1,5,print1(Strchr(random(256))))

just plug in what you need.

sorry forgot to check if it was above 0.

Quote:

for(x=1,8,until(a!=0,a=random(256));print1(Strchr(a)))

[bcp19]

Quote:

Originally Posted by James Heinrich

I just needed to sign up for a website account and encountered these password restrictions, and while I know these attempts at "secure" passwords are ill-chosen, I'm struggling with calculating how much smaller the search space is compared to an unrestricted password of the same maximum length.

• 5-8 characters
• must contain at least one of [a-zA-Z]
• must contain at least one of [0-9]
• must contain at least one of [!-/] (the range, not those 3 chars)
• must not contain any successive repeated chars (e.g. "pizza#5" is invalid)
• first character cannot be ? or !

I think that unrestricted passwords up to 8 chars (assuming 256 possible values per character) gives 1.852e+19 possibilities (correct me if I'm wrong), what is the possible number of valid passwords given the above restrictions?

I come up with 109,195,756,300,800,000 assuming that you have 52 upper/lower case letters, 10 digits and 192 'other' (256*255^4*194*52*10).

Assuming ! - / referrs to the ASCII table and only uses those between them (ASCII 33 to ASCII 47) limiting your choices to 15 'other' you have only 20,037,322,905,600 (77*76^4*52*15*10)

[James Heinrich]

Quote:

Originally Posted by bcp19

Assuming ! - / referrs to the ASCII table and only uses those between them (ASCII 33 to ASCII 47) limiting your choices to 15 'other' you have only 20,037,322,905,600 (77*76^4*52*15*10)

The "special-character" requirement does require ASCII 33 to ASCII 47 (0x21-0x2F).

The problem doesn't state it, but due to limitations of the web form used for signing up, the unspecified characters can be any of 0x20-0xFF (224 values) since there is no practical way to enter low-ASCII characters into the form, even though they're not excluded by the rules.

[science_man_88]

Quote:

Originally Posted by James Heinrich

since there is no practical way to enter low-ASCII characters into the form

wow the alt key isn't practical, who would of thought ( joking I know kinda what you mean).

Code:

for(x=1,8,until(a>12,a=random(256));print1(Strchr(a)))

a alteration to make the upper 244 alts used.

[James Heinrich]

Quote:

Originally Posted by science_man_88

wow the alt key isn't practical, who would of thought ( joking I know kinda what you mean).

Not practical as in it doesn't work reliably. For example, if you enter Alt-0009 into a web form it may:
a) do nothing
b) tab to the next field
c) enter a tab character
depending on both the browser used and the coding of the page.

[science_man_88]

Quote:

Originally Posted by James Heinrich

Not practical as in it doesn't work reliably. For example, if you enter Alt-0009 into a web form it may:
a) do nothing
b) tab to the next field
c) enter a tab character
depending on both the browser used and the coding of the page.

I did say I kinda understood.

so outside of a check for the must have at least one part I have a code working for characters able to be typed outside of control characters but it'll only be able to be typed on certain keyboard types.

Code:

randompass(n)=a=Vec("~`1!2@3#4$5%6^7&8*9(0)_-+=\|]}{[PpOoIiUuYyTtRrEeWwQqAaSsDdFfGgHhJjKkLl;:'/?.>,<mMnNbBvVcCxXzZ");a=concat(Vec(a),[34]);for(x=1,n,until(b!=0,b=random(#a));if(x==1&&(b==4||b==74),until(b!=4&&b!=74,b=random(#a)));print1(a[b]))

makes a n character configuration, loads up the characters able to be typed on my keyboard layout (the messiness partly due to " causing problems). goes through until x=n checks if b!=0 ( actually caught while posting here) checks if x==1 ( if so we need to exclude ? and ! (which are in positions 4 and 74 the way I typed it in) either way it eventually prints a character for that length into the password.

[lavalamp]

Quote:

Originally Posted by James Heinrich

5-8 characters

Bahahaha, this must be for a bank.

[axn]

Quote:

Originally Posted by lavalamp

Bahahaha

Agreed. With a length range of 5-8 characters, it is moot point to argue whether other restrictions make any difference. This is the weakest link in the whole scheme.