We came across an interesting bug in our code at work. Essentially we have a user registration system which generates a password and assigns it to user when they sign up.
The password policy is that the generated password must have at least $1$ lowercase, $1$ uppercase, $1$ digit and $1$ special character (there are $21$ special characters).
The code was incorrectly randomly selecting $12$ characters from this set of:
-
$26$ lowercase
-
$26$ uppercase
-
$10$ digits
-
$21$ special characters
Obviously this code was incorrect since randomly picking $12$ characters from the set could lead you to just get $12$ lowercase characters.
I am wondering what the probability of getting a valid password of $12$ characters is if you just randomly pick $12$ characters from this set? We are curious as to how many times this system which has been live for years has failed to generate valid passwords and thus failed user registration.
Best Answer
Let $p,q,r,s$ represent the probability of getting a character from one of those groups, respectively.
The probability that the password can be generated from only the first three groups, for example, is $$(p+q+r)^{12}.$$
Letting $$\begin{align} P_3 &= (p+q+r)^{12} + \cdots + (q+r+s)^{12}\\ P_2 &= (p+q)^{12} + \cdots + (r+s)^{12}\\ P_1 &= p^{12} + q^{12} + r^{12} + s^{12} \end{align}$$ and using the principle of inclusion-exclusion, the probability that the password is invalid is $$P_3 - P_2 + P_1 \approx 0.26,$$ so the probability of a valid password is about $0.74$. "Most of the time" should be pretty secure, right?