I was asked by my bank to set my phone password following these rules:

1. Password must have 7 digits

2. No digits can repeat in a password

3. Consecutive digits are not allowed

Some security expert thought the best way to protect the “stupid” users from choosing easy passwords was to enforce rules 2 and 3.

Let's keep in mind that without rules 2 and 3 we had 9,999,999 possible passwords.

Rule 2 means you must pick 7 digits out of the 9 available without repeating any digit.

Using simple math we have

nPr = n! / (n − r)!

where n is 9, as there are 9 digits on a phone, and r is 7, as that is the number of digits we must pick.

We have: 9! / (9 − 7)! = 9! / 2! = 181,440

As a result we have only 181,440 valid passwords; this rule alone reduces the hacker's guessing effort by 98%. Nicely done!

Rule 3, sequences of numbers are not allowed, is the cherry on top.*

NCm − (N − m + 1)Cm

We have: 6435 – 84 = 6351

That's 6,351 passwords we are unable to use.

181,440 – 6,351 = 175,089

This reduces the possibilities even further. On its own this is not a bad rule, but since someone has shrunk the set, most users will not be able to choose a password they can relate to. Confined to this set, my guess is that most users ended up choosing a password based on the phone layout, because the rules above are too restrictive.

Look at the common phone digits layout:

1 2 3

4 5 6

7 8 9

0

These are my guesses at the most common passwords:

1-4-7 2-5-8-0

3-6-9 2-5-8-0

2-5-8-0 1-4-7

2-5-8-0 3-6-9
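As an added example (not code from the original post), here is a Python enumerator that applies rules 2 and 3 to every candidate PIN and counts what survives. It reproduces the post's 181,440 under the post's own 9-digit assumption, also counts over all ten keypad digits, and checks the four guessed layouts above against the same rules. Rule 3 is read as "no two neighbouring digits may differ by exactly 1", which is an assumption since the post does not define it; the digit sets and the guessed PINs are constructed inputs.

```python
from itertools import permutations

# Constructed inputs: the full keypad, and the 9-digit set the post counts with.
KEYPAD_DIGITS = "0123456789"
POST_DIGITS = "123456789"


def no_repeats(pin: str) -> bool:
    """Rule 2: no digit may appear twice in the PIN."""
    return len(set(pin)) == len(pin)


def no_consecutive(pin: str) -> bool:
    """Rule 3 under the assumed reading: no two neighbouring positions hold
    digits whose values differ by exactly 1 (rejects ...34... and ...76...)."""
    return all(abs(int(a) - int(b)) != 1 for a, b in zip(pin, pin[1:]))


RULES = (no_repeats, no_consecutive)


def is_valid(pin: str, length: int = 7, rules=RULES) -> bool:
    """True if the PIN has the required length and passes every rule."""
    return len(pin) == length and pin.isdigit() and all(r(pin) for r in rules)


def count_valid(length: int = 7, digits: str = KEYPAD_DIGITS, rules=RULES) -> int:
    """Count the length-digit PINs over `digits` that pass all rules.
    permutations() never repeats a digit, so rule 2 is always in force here;
    that matches the post, which only ever adds rule 3 on top of rule 2."""
    return sum(1 for p in permutations(digits, length) if all(r("".join(p)) for r in rules))


def reduction_percent(valid: int, total: int) -> float:
    """Share of the original search space that the rules removed."""
    return 100.0 * (1 - valid / total)


if __name__ == "__main__":
    total = 10 ** 7  # every 7-digit string, rule-free
    rule2 = count_valid(digits=POST_DIGITS, rules=(no_repeats,))
    print(f"rule 2 only, 9 digits:   {rule2}")  # 181440, the post's figure
    print(f"rules 2+3, 9 digits:     {count_valid(digits=POST_DIGITS)}")
    print(f"rules 2+3, 10 digits:    {count_valid()}")
    print(f"keyspace cut by {reduction_percent(rule2, total):.1f}%")
    for guess in ("1472580", "3692580", "2580147", "2580369"):  # the post's layouts
        print(guess, "passes" if is_valid(guess) else "rejected")
```

Under the assumed reading of rule 3, the third layout guess (2-5-8-0 1-4-7) is rejected because 0 is followed by 1.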

* http://www.albaiges.com/matematicas/combinatoria/combinacionesordenadas.htm