Bank decreases security in attempt to increase password strength
I was asked to set my phone password by my bank, following these rules:
1. Password must have 7 digits
2. No 2 digits can repeat in a password
3. Consecutive digits are not allowed
Some security expert thought the best way to protect the "stupid" users from choosing easy passwords was to enforce rules 2 and 3.
Let's keep in mind that without rules 2 and 3 we had 9'999'999 possible passwords.
Rule 2 means you must pick 7 numbers out of the 9 digits without repeating any digit.
Using simple math we have:
nPr = n! / (n-r)!
Where n is 9, as there are 9 digits on a phone, and r is 7, as that is the number of digits we must pick.
We have: 9! / 2 = 181,440
As a result we have only 181,440 valid passwords.
*Rule 3: sequences of numbers are not allowed.
C(N, m) - C(N - m + 1, m)
We have: 6435 - 84 = 6351
That's 6351 passwords we are unable to use.
181,440 - 6,351 = 175,089
Now the evil hacker who wants to access your account only has 175,089 passwords to guess from.
Look at the common phone digits layout:
1 2 3
4 5 6
7 8 9
0
My guess is that most users who were unable to pick the code they wanted, because it was not compliant with rules 2 and 3, picked a password based on the phone layout instead.
Here is my guess at the top 4 passwords.
1-4-7 3-6-9 - 0
1-4-7 3-6-9 - 5
2-5-8-0 1-4-7
2-5-8-0 3-6-9
* http://www.albaiges.com/matematicas/combinatoria/combinacionesordenadas.htm
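To make the keyspace argument concrete, here is an added example (my own code, not part of the original post) that counts how many 7-digit codes survive each combination of the bank's rules and converts the count to bits of entropy. It assumes a 10-digit keypad (0-9); it also reproduces the post's 9-digit figure of 181,440. Rule 3 is interpreted as "no two adjacent positions may hold digits that differ by exactly 1" (so 1-2 and 2-1 are both forbidden); that interpretation is an assumption, since the post does not define "consecutive" precisely. The `count_passwords` name and the dynamic-programming approach are mine.

```python
from collections import Counter
from itertools import product
from math import log2

DIGITS = "0123456789"          # assumption: a 10-key phone keypad
AUTHOR_DIGITS = "123456789"    # the post's 9-digit model of the keypad


def is_run(a, b):
    """Rule 3 as assumed here: adjacent digits differing by exactly 1."""
    return abs(int(a) - int(b)) == 1


def check_policy(pw):
    """Return the list of rules (2 and/or 3) that a candidate code violates."""
    violated = []
    if len(set(pw)) != len(pw):
        violated.append(2)
    if any(is_run(a, b) for a, b in zip(pw, pw[1:])):
        violated.append(3)
    return violated


def count_passwords(length=7, alphabet=DIGITS, forbid_repeats=False, forbid_runs=False):
    """Count codes of the given length that satisfy the selected rules.

    Dynamic programming over prefixes: a state is (last digit, set of digits
    used so far) and maps to the number of prefixes reaching it.  The used-set
    is only tracked when repeats are forbidden, so the state space stays tiny.
    """
    states = Counter({(None, frozenset()): 1})
    for _ in range(length):
        nxt = Counter()
        for (last, used), n in states.items():
            for d in alphabet:
                if forbid_repeats and d in used:
                    continue
                if forbid_runs and last is not None and is_run(last, d):
                    continue
                key = (d, used | {d} if forbid_repeats else used)
                nxt[key] += n
        states = nxt
    return sum(states.values())


def brute_force_count(length, alphabet=DIGITS, forbid_repeats=False, forbid_runs=False):
    """Exhaustive cross-check of count_passwords; only sensible for short lengths."""
    total = 0
    for pw in product(alphabet, repeat=length):
        bad = check_policy(pw)
        if forbid_repeats and 2 in bad:
            continue
        if forbid_runs and 3 in bad:
            continue
        total += 1
    return total


def entropy_bits(count):
    """Bits of entropy if every surviving code were equally likely."""
    return log2(count)


if __name__ == "__main__":
    print(f"{'rules':<28}{'codes':>10}{'bits':>8}")
    for label, rep, run in [("none", False, False),
                            ("rule 2 only", True, False),
                            ("rule 3 only", False, True),
                            ("rules 2 and 3", True, True)]:
        n = count_passwords(7, DIGITS, rep, run)
        print(f"{label:<28}{n:>10,}{entropy_bits(n):>8.2f}")
    print("post's 9-digit model, rule 2:",
          f"{count_passwords(7, AUTHOR_DIGITS, forbid_repeats=True):,}")
```

The table the script prints shows the same effect the post describes: each rule removes codes from the space an attacker has to search, and the entropy drops with it. The `brute_force_count` helper exists so the fast counter can be checked against exhaustive enumeration for short lengths before trusting it for length 7.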