Thursday, June 18, 2009

IBTRM v3 Problem

Ok, this is related to my previous post:

If you have not read that yet, you should, and think it through before reading on.

OK, there are two things wrong with the statement. And I do not mean the English of it, i.e. whether it means 6 characters consisting ONLY of letters or ONLY of digits. Let's just blame that on bad wording and bad interpretation.

The first thing that is wrong is the length of 6 characters. We all know that 8 characters is the common recommendation even for average security needs, and this is a BANK we are talking about. 6 is definitely too low. In fact, 8 is too low by today's standards. For example, rainbow tables covering 8-character passwords are readily available and fit within about 10GB, easily downloaded and run; if the (unsalted) hash is available, the lookup takes a matter of seconds. Raw compute is another way to look at it. With chips like the Intel i7 (8 hardware threads), brute-forcing the arithmetic is not the obstacle it used to be. I do not think 8 is really enough.

The second thing that is wrong is the restriction on repeated characters. This is the MOST critical mistake. While it seems like a good idea for avoiding combinations like "111111" or "abcabc", it is a BAD idea once we look at it from the cryptanalysis side. Without the restriction, we are talking about 10x10x10x10x10x10 = 1,000,000 combinations of digits. With the restriction, it is 10x9x8x7x6x5 = 151,200 combinations. That is almost 85% of the space lost. Reducing the combination space reduces the strength of the PIN or password. With this restriction, a 6-digit PIN is roughly equivalent to a 5-digit one (log10 of 151,200 is about 5.18). In layman's terms: if I have seen 5 of your digits, I need at most 5 tries to get the last one, instead of the 10 I would normally need, because the last digit cannot be any of the 5 I already saw.

Let's see how much worse or better it is for letters. Without the restriction it is 26^6 = 308,915,776; with the restriction it is 26x25x24x23x22x21 = 165,765,600. That is not as bad, about 46% of the space lost.

For alphanumeric it is 36^6 = 2,176,782,336 without the restriction. With the restriction it is only 36x35x34x33x32x31 = 1,402,410,240. That is better again, but still about 36% of the space lost.
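To make the three calculations above reproducible, here is an added Python example (my own script, not part of the original post) that computes the unrestricted space (n^k), the no-repeat space (the falling factorial n x (n-1) x ... x (n-k+1)), the fraction of the space lost, the equivalent entropy in bits, and the "remaining guesses once k positions are known" figure used for the 5-of-6-digits argument. The symbol sets are assumed to be the 10 digits, 26 lowercase letters and their 36-character union; the brute-force enumeration is only there to cross-check the formula on the digit case.

```python
import itertools
import math

# Assumed symbol sets for the three cases discussed in the post.
SYMBOL_SETS = {
    "digits": "0123456789",
    "letters": "abcdefghijklmnopqrstuvwxyz",
    "alphanumeric": "abcdefghijklmnopqrstuvwxyz0123456789",
}


def unrestricted_space(n_symbols, length):
    """Number of strings of `length` characters over `n_symbols` symbols: n^k."""
    return n_symbols ** length


def no_repeat_space(n_symbols, length):
    """Strings whose characters are pairwise distinct: n*(n-1)*...*(n-k+1)."""
    if length > n_symbols:
        return 0  # cannot pick more distinct symbols than exist
    total = 1
    for i in range(length):
        total *= n_symbols - i
    return total


def compare(n_symbols, length):
    """Summarise what the no-repeat rule costs for a given alphabet size and length."""
    full = unrestricted_space(n_symbols, length)
    restricted = no_repeat_space(n_symbols, length)
    return {
        "unrestricted": full,
        "restricted": restricted,
        "fraction_lost": 1 - restricted / full,
        "bits_unrestricted": math.log2(full),
        "bits_restricted": math.log2(restricted),
        # Length of an unrestricted string over the same alphabet with the same strength.
        "equivalent_length": math.log(restricted, n_symbols),
    }


def enumerate_no_repeat(symbols, length):
    """Brute-force cross-check: enumerate every string and keep those with distinct chars."""
    return sum(
        1 for s in itertools.product(symbols, repeat=length) if len(set(s)) == length
    )


def remaining_guesses(n_symbols, length, known_positions, no_repeat):
    """Worst-case guesses for the unknown positions after `known_positions` have been observed.

    Under the no-repeat rule the observed characters are excluded from the unknown
    positions, so the attacker's candidate alphabet shrinks by the number seen.
    """
    unknown = length - known_positions
    if no_repeat:
        return no_repeat_space(n_symbols - known_positions, unknown)
    return unrestricted_space(n_symbols, unknown)


def report(length=6):
    """Return a {name: summary} table for the assumed symbol sets."""
    return {name: compare(len(syms), length) for name, syms in SYMBOL_SETS.items()}


if __name__ == "__main__":
    for name, r in report().items():
        print(
            f"{name:13s} {r['unrestricted']:>13,d} -> {r['restricted']:>13,d}"
            f"  lost {r['fraction_lost']:5.1%}"
            f"  {r['bits_unrestricted']:5.2f} -> {r['bits_restricted']:5.2f} bits"
            f"  ~{r['equivalent_length']:.2f} chars"
        )
    print("digits enumerated:", enumerate_no_repeat(SYMBOL_SETS["digits"], 6))
    print("guesses for last digit, 5 known:",
          remaining_guesses(10, 6, 5, no_repeat=False), "vs",
          remaining_guesses(10, 6, 5, no_repeat=True))
```

The bits column is the useful one for comparison: the no-repeat rule costs a 6-digit PIN about 2.7 bits, a 6-letter password about 0.9 bits, and a 6-character alphanumeric one about 0.6 bits, which is why the loss hurts most exactly where banks use it, on short numeric PINs.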

So you can see that such a restriction does not improve anything. It removes a handful of trivially guessable PINs like "111111", but it does so by shrinking the whole space, which makes the PINs easier to crack in terms of computation.

I strongly urge MAS to rethink how this restriction is imposed.


Copyright © 2008 nemesisv.blogspot.com, All rights reserved.