I was asked to set my phone password by my bank, following these rules:
1. Password must have 7 digits
2. No digits can repeat in a password
3. Consecutive digits are not allowed
Some security expert thought the best way to protect the “stupid” users from choosing easy passwords.
Was to enforce rules 2 and 3.
Lets keep in mind that without the rules 2 and 3 we had 9’999’999 possible passwords.
Rule 2 means you must pick 7 numbers out of the 9 digits without repeating any digit.
Using simple math we have
nPr = n! / (n-r)!
Were n is 9 as there are 9 digits in a phone, as r is 7 as that is the digits we must pick out.
We have: 9! / 2 = 181,440
As a result we have only 181,440 Valid passwords, this rule alone reduces the hackers guessing effort in a 98% Nicely Done!
*Rule 3, sequences of numbers are not allowed, this is the cherry on top.
NCm – ( N – m + 1 )Cm
We have: 6435 – 84 = 6351
Thats 6351 passwords we are unable to use.
181,440 – 6,351 = 175,089
It reduces even further the possibilities, this alone is not a bad rule, but since someone reduced the set most users will not be able to choose a password they can relate, so they are confined in this set, so my guess is most users ended up choosing a password based on the phone layout, as the rules above are too restrictive.
Look at the common phone digits layout:
1 2 3
4 5 6
7 8 9
This are my guesses on the most common passwords: