Breaking the password probability

Question

An account uses 8-character passwords, consisting of letters (distinguishing between lower-case and capital letters) and digits. A spy program can check about 1
million passwords per second.

a) On the average, how long will it take the spy program to guess your password?

b) What is the probability that the spy program will break your password within a week?

c) Same questions, if capital letters are not used.

Can somebody give me some ideas, please? I have no idea how to aproach this problem.

Answer 1

This sounds like homework, so rather than doing the exact calculations, I'll try to explain the underlying concepts enough to make the answers clear enough to do yourself. The answer to all of these questions depends on:

1. how many possible passwords exist
2. presumably that actual password is chosen uniformly at random from those possibilities. This is not true of passwords that actual humans choose - we are very bad random number generators - and how to make it true is a question better suited to the Security StackExchange rather than here, so I'm just going to assume it's true to get to the mathematical part.

The password is simply a (any) string of the given length and character set, e.g. the lower and uppercase letters and numbers. To calculate how many such strings there are, we can imagine choosing each character in turn and count how many choices we have.

For the first character, we can choose any lowercase (of which there are $26$) or uppercase letter (ditto) or number (of which there are $10$). This gives us $26+26+10=62$ choices. Because our password can be any string, we have the same $62$ choices for the second character, and also for the third, and so on. This means that the total number of passwords exactly 8 characters long is $62\times62\times ...=62^8 \approx2.14\times10^{14}$. You can easily generalize this logic to see that a password that is $n$ characters long, with each character independently chosen from a set of $k$ symbols, will have $k^n$ possibilities.

Given this figure, you can now approach part A knowing both a total quantity of passwords, and a rate (i.e. "quantity per time") at which passwords are checked. Pay attention to the fact that the question's asking for a time, and answering it should be straightforward.

In part B, you are given a time, which in turn means you can derive a second total quantity of passwords using the same rate as in part A, and the question then asks the relation between this quantity and one you got earlier.

The solutions to part C are identical in method, except the very first calculation of how many possible passwords there are changes because you're no longer using the same character set to generate them. The first step to solving it is to ask, "How large is the new character set?"