When Is a Combination Lock Not a Combination Lock?

Riverbank Ruminations; Observations from The Banks of The Technology River

Tom Evans ~  Ashton Engineer Emeritus

Sometimes you think you know something and you have known it for a long time and you find out it is wrong. Sometimes it is very wrong, like when they found out the earth was not flat (Yes, I’m one of those Round Earthers). Sometimes, it is just a little wrong or technically wrong. For example, have you ever heard someone ask for a Kleenex? It may have actually been a Kleenex but was probably some other brand of facial tissue. What do you put on a cut? Points if you said a bandage. Many would say a Band-Aid. Do you play ping pong or table tennis? Common usage has made brand names generic, and for some manufactures like Xerox, Kleenex, and Band-Aid, that’s great. But what else can common use do? How about a combination lock? We know what that is and we know how it works, but did you realize that if it truly were a ‘combination’ lock it would be much less effective?

Being picky about technicalities can be useful sometimes and at other times it is just annoying. This may be either but it is leading up to some things to think about when it comes to passwords. You know, the things you love to hate. Back to the lock. Isn’t it a combination lock?

From the technical perspective, a combination is one thing, a permutation is something else. I got this reminder from this article that states “A combination is a unique subset chosen from a larger whole. A combination doesn’t care about the order of the elements you choose. That is, if you chose A and B from a set of A, B, and C, it’s the same as picking B and A.

Combination vs. Permutation

So let’s go back to the lock. Let’s say your ‘combination’ is 20-10-3-4. If the lock were truly a ‘combination’ lock, then all you need is the 4 numbers. If you dial them in, the order is not important. We know that is not true. The order is very important. So if we don’t call it a combination lock, what should we call it? The numbers in a specific sequence are a PERMUTATION. The difference is what makes 20-10-3-4, 20-3-10-4-, 3-4-10-20, and other sequences of the 4 numbers unique ‘combinations’ for a given lock. So am I campaigning for a change in terminology? No, common usage is pretty well set with this misnomer and it isn’t really important. What is important is getting the idea of the vast difference between combinations and permutations when it comes to passwords.

You may be aware that when you create an online account, the password is usually stored as a hash. A hash is a number created by a function to obfuscate a password. It is one way. In other words, you can’t use a hash function to decode passwords. However, the hash function will always give the same result with the same input. Here is an example of taking some passwords and running them through an MD5 hash function:

Password MD5 Hash
password 326dfd8dbcead13039ec5de814e5a60c
123456 babb49d63b323df8bcb61f2682d52ee3
!@33yAkQ*()}?> a8f74eda91f1493e1f927ced71c9e7d0

The hash is what the bad guys usually get when they download a password database. Since they don’t get the passwords directly, what do they do? One is called ‘brute force’. That is trying every PERMUTATION of characters until they get a match with the hash that is created by the attempt. That is incredibly tedious, but computers do tedious very well. From the same article mentioned above, the author stated that computers today use the GPU (graphics processing unit) to generate hashes because they can do them very fast. Once the hash is generated, it can be compared to the hash from the downloaded database. If it is a match, you have the password. The author quotes 6 million hashes per second as the processing rate for today’s GPUs. This video is a demonstration of cracking passwords working from downloaded hashes. Keep in mind the machine in the video is a virtual machine and not highly tuned for this work. It still managed to crack 4300+ passwords in 41 seconds! If you watch the video, you will see that many of the passwords are between three and six characters.

password length permutations
6 513,409,216,320
8 3,753,021,371,299,190
10 26,166,065,000,698,000,000
15 85,673,985,041,026,200,000,000,000,000
20 203,127,689,610,403,000,000,000,000,000,000,000,000

Long Passwords Are Much More Secure

So let’s look at the value of LONG passwords. I am not talking about 8 or 10 characters. I used the 6 million / second rate when I analyzed the table of permutations. First, how many possible passwords can you construct with 92 characters? (a-z, A-Z, 0-9, 30 special characters) The numbers get very large, very quickly as you increase the password length. While those numbers look large, keep in mind that they can be generated at the rate of 6 million per second. And remember, if your password is shorter, it can be discovered sooner. The bad guy is not trying to generate all the hashes possible, he is just trying to generate yours.

When we do the math, we find out all the permutations for a six character password can be generated in 24 hours. This is to start from scratch and generate them all. If you have a dump of common passwords, you can cut down your work considerably. These databases are readily available to the bad guys. Cracked passwords and hashes are commonly sold or even given away on the dark web. While it would take almost 20 years to generate all of the permutations for 8 characters, a dictionary attack yields depressingly easy results. One website published the top 10 passwords for 2021 and 6 of the entries were some set of the digits 1-9 (123456 being number 1). The word ‘password’ ranked fifth on the list.

Basic Rules for Secure Passwords

So, if you want to make your passwords truly useful, follow these basic rules:

  • One password for one account. DO NOT REUSE PASSWORDS.
  • Make it as long as you can
    • A length of 15 characters is pretty good for now. Future computer improvements will require longer ones.
  • Length trumps complexity but complexity doesn’t hurt.
    • A password of 20 lower case characters is harder to crack than a mix of 8 characters of different types.
  • Make these rules easy to follow by using a password manager.

And don’t forget that multifactor authentication is one more way to make your passwords even more secure.  Call Ashton Solutions at 216 397-4080 to learn more.