25

In this Information Security question, we discuss whether or not a $100$ character secret randomly-generated username is equivalent to a $50$ character secret randomly-generated username plus a $50$ character secret randomly-generated password.

This answer [now deleted] claims that there is a mathematical difference.

It claims:

If we assume that the user id can be kept private and is choosen randomly, it would allow for more combinations. If we make an example with a base of $62$ possible characters to choose from $(a..z, A..Z, 0-1)$, we get:

$62^{100} = 10^{179}$ combinations [versus] $62^{50} + 62^{50} = 80^{89}$ combinations

Is this correct?

It seems erroneous to me; requiring two $50$ character items would be the same number of combinations as requiring one $100$ character item. If I'm mistaken, can you help me understand my error?

Community
  • 1
Amazon Dies In Darkness
  • 371
  • 4
    If you think about concatenating the user id and the password you can understand why both options have the same number of combinations. – Frostic Mar 27 '18 at 19:07
  • 13
    They're equivalent in terms of number of distinct combinations, but definitely not equivalent in terms of security, because sites usually take far more precautions to protect passwords than usernames. – tparker Mar 27 '18 at 21:25
  • 2
    As other answers say, they are actually equivalent (and the answer was wrong). I'd just like to point out that two 50 character passwords, where you enter the first, and if correct enter the second, is different. There it is adding, since you just need to break 50 twice. But for the situation you described, you are not trying to break 50 twice, but break 100. – Sam OT Mar 27 '18 at 21:29
  • 12
    Usernames and passwords are bad examples for the math question being asked. Usernames are public, and passwords are hashed, which are distractions for the question as phrased. If I can "test" either one independently (find one without the other by guessing) 2x50 is much weaker than 1x100. Think of a smaller example with only a two digit number verses two single digits. The two digit number would take 50 guesses on average, but each single digit would only take 5 guesses (on avg) for a total of 10 guesses as opposed to 50. If they can't be guessed independently, then the strength is the same. – JesseM Mar 27 '18 at 22:36
  • Nit: the “80^89” should read “8x10^89”, although I’m not sure if that error was present in the original answer. – nneonneo Mar 29 '18 at 16:12
  • @JesseM depending if you are trying to compromise a particular user, it may get even worse than that since you just need a hit on username, you don't need the particular user to be a hit. So statistically you would reach a valid username quicker the more users there are. – AJ Henderson Mar 30 '18 at 13:53

5 Answers5

77

It depends on how they're verified.

If you provide both username and password, and the computer tells you "yes" or "no", then there are $62^{100}$ possible combinations: each of the $62^{50}$ possible usernames can be paired with each of the $62^{50}$ possible passwords to get $62^{50} * 62^{50} = 62^{100}$ possible username/password combinations.

If, on the other hand, you can independently check the username and password (for example, if the computer checks the username before checking the password), $62^{50} + 62^{50}$ is correct. You need $62^{50}$ guesses to figure out a valid username, and then $62^{50}$ more guesses to figure out the password.

Mark
  • 740
  • 5
    Also, if there are multiple users and guessing any username is ok, the 62^50/num_users+60^50 is also different to (62^100)/num_users – Sir Adelaide Mar 27 '18 at 23:44
  • 4
    How they are verified is an important point. For as long as I can remember (quite a lot) "best advice" has been to only say something like "that combination is wrong", and not one of "that username doesn't exist" or "invalid password_", and I hope that by now most people code login pages that way. However, the growth of "password recovery links" adds a new danger. Ideally, the response should be no different when trying to recover a real username than an invalid one, but this is not always the case. – TripeHound Mar 28 '18 at 10:05
  • Whether the computer checks the username first is not the deciding factor. The factor is whether the computer tells you the username is incorrect. If you don't know the username is valid, you can't eliminate the other $62^{100}-62^{50}$ possibilities. – cHao Mar 28 '18 at 14:54
  • 3
    @TripeHound At risk of drifting way off topic, truly hiding the existence of a username is generally a lot harder than just changing the wording of one message. See for example the answers here: https://security.stackexchange.com/questions/62661/generic-error-message-for-wrong-password-or-username-is-this-really-helpful and some of the discussion here: https://ux.stackexchange.com/questions/5291/why-is-the-common-practice-of-sign-in-error-message-always-mix-the-wrong-usernam – IMSoP Mar 28 '18 at 17:19
34

You are correct, they are equivalent. The answer you quote adds $62^{50}$ and $62^{50}$ instead of multiplying these numbers together.

One hundred characters is one hundred characters. If it helps, think about what happens with smaller number of characters. (Take an extreme example, like only allowing the letters "a", "b", and "c" in the username and password, and comparing the number of one character usernames with one character passwords to the number of two character usernames.)

How would you write down a hundred character username? You'd write down a hundred characters. How would you write down a fifty character username together with a fifty character password? You'd write down a hundred characters. If you came accross a hundred characters somewhere, how would you know which process was used to create the string? You can translate any string of one hundred characters into either a username/password pair, or into just a username, and this translation is a bijection in each case.

Dylan
  • 7,591
10

Is this correct?

No. This is wrong: $62^{50} + 62^{50}$

There are $62^{50}$ possible user names, and for each one, there are $62^{50}$ possible passwords. Therefore, all together, there are $62^{50} \cdot 62^{50} = 62^{100}$ combinations.

6

The answer that you are referring to is incorrect, the total number of combinations will be $62^{50}\cdot 62^{50}=62^{100}$

Vasili
  • 11,629
2

In the context of services which allow online registration (the vast majority of existing websites), there is indeed a difference. It's trivial to check the validity of the username alone by simply trying to register a new user with that name. For valid usernames, the site will have no option but to report that the name is already taken.

In case of a brute-force attack (trying every possible combination) guessing a valid username then a valid passowrd leads to the $62^{50} + 62^{50}$ result cited in the answer.

Dmitry Grigoryev
  • 131
  • 7