Know your keyspace!
I recently moved from Optus to Telstra for my mobile coverage in Australia because the Telstra plans have become more competitive and Optus’ network is woeful on the Central Coast.
Interestingly, when I set up my voicemail, I noticed that the PIN was six digits rather than four, BUT there are some restrictions on what those digits can be. They are:
- No repeated adjacent digits; this means that the sequence 858 is fine, but 588 is not.
- No consecutive digits; this means that 57 is fine, but 56 is not. I'm unsure whether 65 (a falling pair) is acceptable.
This is, seemingly, an attempt to make PINs less breakable by brute force, but with my security hat on, it looked like it reduced the allowable combinations quite dramatically! So let’s take a moment to work this out. The number of combinations for a four-digit PIN is
10 · 10 · 10 · 10 = 10^4 = 10,000
In contrast the number of combinations for a six-digit PIN is
10 · 10 · 10 · 10 · 10 · 10 = 10^6 = 1,000,000
Quite an increase for two extra digits. Now let's look at what happens when we just disallow repeated adjacent digits. Every digit after the first now has only 9 options (anything except the digit before it):
10 · 9 · 9 · 9 · 9 · 9 = 10 · 9^5 = 590,490
With just this change, we have already lost about 41% of the keyspace!
Now what happens if we disallow rising consecutive digits as well as repeats? Each digit after the first now loses two options (the previous digit and the one above it), so how many combinations do we have?
10 · 8 · 8 · 8 · 8 · 8 = 10 · 8^5 = 327,680
(This is slightly simplified, as I'm not sure whether the sequence wraps around at the ends, i.e. whether 90 counts as consecutive. If it does wrap, every digit really has exactly 8 successors and the figure above is exact; if it does not, a 9 has one extra option and the true count is a little higher.)
It’s not looking great, is it? Let’s now disallow falling consecutive sequences as well and work out how many combinations we have now (Again, slightly simplified):
10 · 7 · 7 · 7 · 7 · 7 = 10 · 7^5 = 168,070
We have now lost more than 80% of the keyspace we started with: 168,070 of 1,000,000 is under 17%. So the rules enforced on the PIN mean that an attacker who knows them has far fewer candidates to try than if the policies intended to improve security did not exist. (To be fair, 168,070 is still nearly 17 times the 10,000 combinations of an unrestricted four-digit PIN, so going to six digits is a net gain; the point is that the restrictions gave a large part of that gain straight back, and an attacker who knows the policy can simply skip every PIN it forbids.)
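The arithmetic above can be checked exactly rather than approximated. The script below is an added example, not code from the original post: it encodes each restriction as a rule on adjacent digit pairs, counts the surviving PINs with a small dynamic-programming pass over digit transitions (and by brute force for short lengths, as a cross-check), and treats the wrap-around question (whether 90 and 09 count as consecutive) as an explicit `wrap` flag, since that is a policy detail the post says is unknown. The `wrap=True` interpretation reproduces the 10 · 8^5 and 10 · 7^5 figures exactly; without wrap-around the counts come out slightly higher, at 348,501 and 195,686.

```python
from itertools import product

DIGITS = range(10)


def pair_allowed(a, b, no_repeat=False, no_rising=False, no_falling=False, wrap=False):
    """Is digit b allowed directly after digit a under the chosen rules?

    no_repeat  : forbid b == a            (588 is rejected, 858 is fine)
    no_rising  : forbid b == a + 1        (56 is rejected, 57 is fine)
    no_falling : forbid b == a - 1        (65 is rejected)
    wrap       : treat 9 -> 0 (and 0 -> 9) as consecutive as well; this is an
                 assumption about the policy, which the post could not confirm
    """
    if no_repeat and a == b:
        return False
    rises = (a + 1) % 10 == b if wrap else a + 1 == b
    falls = (b + 1) % 10 == a if wrap else b + 1 == a
    if no_rising and rises:
        return False
    if no_falling and falls:
        return False
    return True


def allowed(pin, **rules):
    """Does a whole PIN (a tuple of digits) satisfy the rules?"""
    return all(pair_allowed(a, b, **rules) for a, b in zip(pin, pin[1:]))


def keyspace(length=6, **rules):
    """Exact count of permitted PINs of the given length.

    count[d] holds the number of valid prefixes ending in digit d; each
    step extends every prefix by one more digit that the rules permit.
    """
    count = {d: 1 for d in DIGITS}
    for _ in range(length - 1):
        count = {
            b: sum(n for a, n in count.items() if pair_allowed(a, b, **rules))
            for b in DIGITS
        }
    return sum(count.values())


def keyspace_brute(length, **rules):
    """Same count by enumerating every PIN; only sensible for short lengths."""
    return sum(1 for pin in product(DIGITS, repeat=length) if allowed(pin, **rules))


# The policies from the post, in the order the post tightens them.
SCENARIOS = {
    "unrestricted": {},
    "no repeats": {"no_repeat": True},
    "no repeats, no rising (wrap)": {"no_repeat": True, "no_rising": True, "wrap": True},
    "no repeats, no rising (no wrap)": {"no_repeat": True, "no_rising": True},
    "no repeats, no rising, no falling (wrap)": {
        "no_repeat": True, "no_rising": True, "no_falling": True, "wrap": True},
    "no repeats, no rising, no falling (no wrap)": {
        "no_repeat": True, "no_rising": True, "no_falling": True},
}


def summary(length=6):
    """Keyspace size and percentage of the unrestricted keyspace per scenario."""
    total = 10 ** length
    return {name: (keyspace(length, **rules), 100.0 * keyspace(length, **rules) / total)
            for name, rules in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (size, pct) in summary().items():
        print(f"{name:45s} {size:>9,d}  ({pct:5.1f}% of 10^6)")
```

Running it prints the six scenarios; the two "(wrap)" rows match the post's 327,680 and 168,070 exactly, which shows that the simplified 10 · 8^5 and 10 · 7^5 formulas silently assume 9 and 0 are treated as neighbours. An attacker writing a guessing tool would generate candidates with `allowed()` as the filter and never waste an attempt on a PIN the policy itself rejects.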
Moral of the story: Understand the side-effects of restrictions and what it does to the probabilities!
In the wake of the NOTW phone hacking scandal, you can see why they would implement this policy. People would more often than not use something like '0000' or '1234' which is entirely guessable by some unscrupulous reporter.
I think the real problem is that they have your voicemail accessible via a phone which is not connected to the voicemail account by default. Why wouldn't they make this an opt-in feature? It would kill voicemail hacking almost overnight. The people who opt in to this service would generally be more technically savvy, and provide a stronger password in the first place.
@Bruce Maxx
Unfortunately, common sense rarely drives these decisions. Knee jerk reactions are far too commonplace.
I am going to make my pin 168070 as it satisfies the restrictions.
@Ape No. 1
Cool, remember not to tell anyone