
Bank decreases security in attempt to increase password strength


I was asked by my bank to set my phone password, following these rules:
1. Password must have 7 digits
2. No digits can repeat in a password
3. Consecutive digits are not allowed

Some security expert decided that the best way to protect the “stupid” users from choosing easy passwords was to enforce rules 2 and 3.
Let's keep in mind that without rules 2 and 3 we had 9,999,999 possible passwords.

Rule 2 means you must pick 7 numbers out of the 9 digits without repeating any digit.
Using simple math, the number of such permutations is
nPr = n! / (n - r)!
where n is 9, as there are 9 digits on a phone, and r is 7, as that is how many digits we must pick.
We have: 9! / (9 - 7)! = 9! / 2! = 181,440
As a result we have only 181,440 valid passwords; this rule alone reduces the hacker's guessing effort by 98%. Nicely done!

* Rule 3, sequences of numbers are not allowed, is the cherry on top.
NCm - (N - m + 1)Cm
We have: 6435 - 84 = 6351
That's 6,351 passwords we are unable to use.
181,440 - 6,351 = 175,089

It reduces the possibilities even further. On its own this is not a bad rule, but since someone has shrunk the set this much, most users will not be able to choose a password they can relate to. Confined to this set, my guess is that most users ended up choosing a password based on the phone layout, because the rules above are too restrictive.

Look at the common phone digits layout:
1 2 3
4 5 6
7 8 9
    0

These are my guesses for the most common passwords:
1-4-7 2-5-8-0
3-6-9 2-5-8-0
2-5-8-0 1-4-7
2-5-8-0 3-6-9
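To check the keyspace arithmetic above and the keypad-layout guesses against the three rules, here is an added example (not from the original post) that enumerates the candidates directly instead of applying closed formulas. It assumes rule 3 means that no two adjacent positions may hold numerically consecutive digits, and it counts the full 0-9 keypad alongside the post's 9-digit alphabet.

```python
from itertools import permutations

LENGTH = 7  # rule 1: the password must have exactly 7 digits


def violates_rule2(pin: str) -> bool:
    """Rule 2: no digit may appear more than once."""
    return len(set(pin)) != len(pin)


def violates_rule3(pin: str) -> bool:
    """Rule 3 under the assumed reading: no two adjacent positions may hold
    numerically consecutive digits, so '12', '21', '89' and '98' are all rejected."""
    return any(abs(int(a) - int(b)) == 1 for a, b in zip(pin, pin[1:]))


def is_valid(pin: str) -> bool:
    """True when a candidate password passes all three rules."""
    return (len(pin) == LENGTH and pin.isdigit()
            and not violates_rule2(pin) and not violates_rule3(pin))


def count_valid(alphabet: str, apply_rule3: bool = True) -> int:
    """Count LENGTH-digit passwords over `alphabet` that satisfy rule 2, and
    rule 3 as well unless apply_rule3 is False. Rule 2 restricts candidates to
    permutations without repetition, so enumerating them is cheap
    (9P7 = 181,440 candidates, 10P7 = 604,800) and needs no closed formula."""
    return sum(
        1 for p in permutations(alphabet, LENGTH)
        if not (apply_rule3 and violates_rule3("".join(p)))
    )


def reduction_pct(valid: int, unconstrained: int) -> float:
    """Share of the unconstrained keyspace that the policy removed, in percent."""
    return 100.0 * (1 - valid / unconstrained)


if __name__ == "__main__":
    # The post's alphabet (digits 1-9) beside the full keypad (0-9).
    for alphabet in ("123456789", "0123456789"):
        rule2_only = count_valid(alphabet, apply_rule3=False)
        both = count_valid(alphabet)
        print(f"alphabet {alphabet}: rule 2 leaves {rule2_only:,}, rules 2+3 leave {both:,}, "
              f"a {reduction_pct(both, 10 ** LENGTH):.1f}% cut versus all {LENGTH}-digit strings")
    # Constructed candidates: the four keypad-column patterns guessed in the post.
    for guess in ("1472580", "3692580", "2580147", "2580369"):
        print(guess, "valid" if is_valid(guess) else "rejected")
```

Under this reading of rule 3 the third keypad pattern, 2580147, is rejected because 0 is followed by 1, and the combined count comes from enumeration, so it may differ from the post's 175,089 if the bank's rule 3 means something else.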

* http://www.albaiges.com/matematicas/combinatoria/combinacionesordenadas.htm