3.1k views
1 vote
You work in the security department of a bank’s website. To access their accounts, customers of the bank must create an 8-digit password. It is your job to determine the password requirements for these accounts. Security guidelines state that for the website to be secure, the probability that an 8-digit password is guessed on one try must be less than (1)/(60^8), assuming all passwords are equally likely. Your job is to use the probability techniques you have learned in this chapter to decide what requirements a customer must meet when choosing a password, including what set of characters is allowed, so that the website is secure according to the security guidelines.
1. How Would You Do It
a. How would you investigate the question of what password requirements you should set to meet the security guidelines? (5 points)
b. What statistical methods taught in this chapter would you use? (5 points)
2. Answering the Question
a. What password requirements would you set? What characters would be allowed? (5 points)
b. Show that the probability that a password is guessed on one try is less than (1)/(60^8), when the requirements in part (a) are used and all passwords are equally likely. (20 points)
3. Additional Security
For additional security, each customer creates a 5-digit PIN. The table shows the 10 most commonly chosen 5-digit PINs. From the table, you can see that more than a third of all 5-digit PINs could be guessed by trying these 10 numbers. To discourage customers from using predictable PINs, you consider prohibiting PINs that use the same digit more than once.
a. How would this requirement affect the number of possible 5-digit PINs? (10 points)
b. Would you decide to prohibit PINs that use the same digit more than once? Explain your answer. (10 points)

1 Answer

3 votes

Explanation:

1. How Would You Do It?

a. To investigate what password requirements should be set to meet the security guidelines, I would first gather information on the current password policies in use and their effectiveness. Then, I would analyze data on past security breaches and attempts to hack into accounts to identify common patterns and weaknesses in password choices. I would also research best practices for password security and consult with experts in the field to determine the most effective approaches.

b. The statistical methods that could be used to analyze password security include probability theory, combinatorics, and statistical inference. These methods can be used to calculate the probability of guessing a password, determine the number of possible password combinations, and estimate the effectiveness of different password policies.

2. Answering the Question

a. To meet the security guidelines, the password requirements should be set to ensure that there are at least 6.446 x 10^12 possible password combinations. One approach would be to require that passwords include a mix of upper and lowercase letters, numbers, and symbols, and prohibit the use of easily guessable words or phrases. For example, the password policy could require that passwords be at least 8 characters in length, contain at least one uppercase letter, one lowercase letter, one number, and one symbol, and not include any consecutive repeating characters or easily guessable patterns.

b. To show that the probability of guessing a password on one try is less than 1/60^8, we can use the formula:

P(guessing password on one try) = 1 / (number of possible password combinations)

Assuming the password requirements outlined in part (a), the number of possible password combinations is:

26^(8) * 10^(8) * 33^(7) = 6.634 x 10^24

Therefore, the probability of guessing a password on one try is:

1 / 6.634 x 10^24 = 1.508 x 10^-25

This probability is much less than 1/60^8, so the password requirements outlined in part (a) meet the security guidelines.

3. Additional Security

a. Prohibiting PINs that use the same digit more than once would reduce the number of possible 5-digit PINs. The total number of possible 5-digit PINs is 10^5, or 100,000. If we prohibit the use of the same digit more than once, the number of possible 5-digit PINs would be:

10 * 9 * 8 * 7 * 6 = 30,240

Therefore, prohibiting the use of the same digit more than once would reduce the number of possible 5-digit PINs to 30,240.

b. Yes, I would recommend prohibiting PINs that use the same digit more than once, as it would significantly reduce the likelihood of a PIN being guessed correctly. While it may inconvenience some customers, it is a small price to pay for the added security.

User VKen
by
8.6k points
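Added worked example (not part of the question or the answer above) that computes the quantities discussed here exactly: the size of the password space for a given alphabet, the one-try guess probability against the 1/60^8 guideline, the smallest alphabet that satisfies it for a given length, the reduced space when every character class must appear (inclusion-exclusion), and the count of 5-digit PINs with no repeated digit. The character class sizes (26 lower, 26 upper, 10 digits, 32 symbols) are assumptions.

```python
from fractions import Fraction
from itertools import combinations
from math import perm

# Security guideline from the question: P(guess on one try) < 1/60^8.
GUIDELINE = Fraction(1, 60 ** 8)  # 60**8 == 167_961_600_000_000

# Assumed character classes (sizes are an assumption, not from the question).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def keyspace(alphabet_size: int, length: int = 8) -> int:
    """Number of equally likely passwords of `length` over an alphabet."""
    return alphabet_size ** length


def guess_probability(alphabet_size: int, length: int = 8) -> Fraction:
    """Exact probability of guessing one uniformly chosen password in one try."""
    return Fraction(1, keyspace(alphabet_size, length))


def meets_guideline(alphabet_size: int, length: int = 8) -> bool:
    return guess_probability(alphabet_size, length) < GUIDELINE


def minimum_alphabet(length: int = 8) -> int:
    """Smallest alphabet size whose keyspace at `length` exceeds 60^8."""
    size = 1
    while not meets_guideline(size, length):
        size += 1
    return size


def keyspace_with_all_classes(classes=CLASSES, length: int = 8) -> int:
    """Passwords containing at least one character from every class.

    Inclusion-exclusion: start from all strings over the full alphabet and
    alternately subtract/add the strings that avoid each subset of classes.
    """
    names = list(classes)
    total = 0
    for k in range(len(names) + 1):
        for missing in combinations(names, k):
            size = sum(n for name, n in classes.items() if name not in missing)
            total += (-1) ** k * size ** length
    return total


def distinct_digit_pins(length: int = 5, digits: int = 10) -> int:
    """PINs of `length` with no digit used more than once: 10*9*8*7*6 for 5 digits."""
    return perm(digits, length)
```

A length-8 password over lowercase letters only (26^8) does not satisfy the guideline, while requiring all four classes over the assumed 94-character alphabet still leaves a space well above 60^8.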
