*The Numerics of
Screen Names and Passwords*

By Fafalone

**A lot of talk on AOL is about
‘owning’ screen names. There are people trying to ‘own’ every 3 character
screen name. There is no attempt here to get through to newbies; this is merely
an essay for intelligent people who also mock the quixotic idea of ‘brute
forcing’ a screen name. This essay will discuss briefly just how many screen
names there are, and then go in depth about just how hard it would really be to
crack a screen name with a completely random password without an exploit.**

** When America
Online first came out, subscribers could make screen names 3-10 characters in
length, with that and no leading numbers being the only restrictions[1].
So, when America Online was first out, let’s figure[2]
out just how many original screen names there were, with 36 possible characters
(a-z, 0-9- screen names are not case sensitive).**

** **

** **10

å 36^x =
3,760,620,109,777,728- or about 3.8 **quadrillion**.

n=3

**From that, we need to
compensate for the fact you cannot create screen names that start with a
number. To accomplish this, we need to take the number of possible 2-9
character screen names, multiply by 10 (0-9), and subtract it from that. We use
2-9, because there is 1 leading character for each, and there needs to be at
least 2 more characters to satisfy the length requirement.**

10 9

å 36^x - å 36^x * 10
= 2,716,003,412,617,248- or 2.7 quadrillion.

n=3 n=2

**This number
represents the real number of screen names that could originally be made. **

**Now, AOL
has changed the maximum length to 16, so we can adjust for this.**

16 15

å 36^x - å 36^x * 10
= 5,910,148,253,103,040,656,975,904

n=3 n=2

** **

**That’s 5.9
octillion possible screen names as of now.**

** **

**With the
same method, we can figure out how many of the coveted 3 character screen names
can be made.**

** **

3 2

å 36^x - å 36^x * 10
= 45,360

n=3 n=2

**These are
the screen names most of the cretins out there are trying to crack. And this
leads into the main point of this, the passwords possible.**

** **

** In the very first calculation we
made, it’s likely most people were completely shocked by that huge number. A
quadrillion is a number beyond a trillion, and just thinking about a trillion
of anything can give you a headache. The numbers above are quite small next to
the number of passwords there are. **

** **

**First,
let’s talk about AOL passwords. AOL passwords must be 4-8 characters in length,
are not case sensitive, and allow a-z and 0-9, with no other limitations.**

** **

10

å 36^x =
3,760,620,109,731,072

n=4

**This represents the number of passwords possible on
an AOL screen name, not an AIM screen name. If you wanted to brute force just
an AOL, it would take a horrendous amount of time. We’ll assume you have a fast
computer and internet connection… which will let you crack AOL screen names at
a rate of 100 tries per second.**

**3,760,620,109,731,072 divided by 100 tries per
second = 1,195,760.87128 YEARS, 119
MILLENNIA. **

**As huge as this number is, it’s nothing if you’re
talking about brute forcing an AIM password. With AIM, you have 4-16 character
case sensitive passwords. The vast majority of users will only use a-z, A-Z,
0-9, and space in their passwords, so let’s calculate that first. 63 characters
in a 4-16 range,**

16

å 63^x =
62,574,537,913,733,490,154,880,900,481- **62.5 octillion**.

n=4

** **

**That would
take about 19,842,255,807,247,000,000 years to crack at 100/second.**

** **

**It doesn’t
stop there. AIM allows more than just your standard alphanumerics. Most people
don’t use other characters, but some do. The standard character table
understood by AOL’s applications is 255 characters. 4-16 characters in length
with a field of 255 characters? Damn.**

** **

16

å 255^x =
320,884,951,674,586,670,638,888,924,819,449,050,625

n=4

** **

**The name
for that number is 320.88 undecillion[3].
Still cracking at 100 tries per second? 101,751,950,683,220,000,000,000,000
(101.75 septillion) millennia to crack every POSSIBLE AIM PASSWORD WITH 100
TRIES PER SECOND.**

** **

**Fortunately,
for those heathens out there still cracking passwords, a lot users don’t use
good passwords. People choosing bad passwords is the only reason cracking even
works. There are only about 114,000 words in the English language… the
vocabulary of most people is around 7,000-8,000. About 50,000 likely passwords…
considering reversals, common mixes with numbers, names, sports teams… etc. At
the rate we’ve been using, it would take far less than an hour. **

**Most screen
names that are stolen are not cracked. Very rarely are cracks actually
effective. Knowing the magnitude of the numbers presented here makes the notion
of brute forcing an screen name risible.**

**Not only
would it take longer than this planet has existed, to store a list of those
passwords would require massive amounts of data storage. We’ll use the formula
36^x*x. Each character is one byte; so multiply the number of words for the
given length by that length to get the number of bytes… as in 36^4 is
1,679,616, the number of possible 4 character passwords… 1,679,616 times 4
bytes each.**

16

å ((36^x)*x) = 130,742,935,654,335,813,385,574,400
bytes; 108.148 YB[4]^{,[5]}

n=4

**and,**

16

å ((255^x)*x) =
5,132,895,900,211,990,719,707,896,462,761,718,346,250

n=4

** **

**5.133
duodecillion bytes… 4,245,831,974,908,300 YB.**

** **

**To
summarize this entire essay, it is quite impossible to brute force the password
word to someone else’s screen name. Hopefully, if you still try to crack screen
names, you’ll grow out of it, or for God’s sake at least rely on Trojans and
exploits rather than any kind of cracking. **

** **

** **

** **

**This work is Copyright ©2001 Fafalonian Productions. No portion
of this work may be reproduced in part or in whole without explicit permission
from the author. All names are the property of their respective owners. **

[1] Other limitations, such as censored words and restricted prefixes, shall not be discussed due to their availability via internal accounts. They are not considered ‘real’ restrictions.

[2] I am not going to explain the math behind this. You should be familiar with powers and Sigma notation. These are basic Algebra 1 concepts.

[3] At this point, it becomes necessary to understand large number nomenclature. After a trillion, there is quadrillion, quintillion, sextillion, septillion, octillion, nonillion, decillion, undecillion, duodecillion… that’s the highest name we deal with here, but after that it goes on to tredecillion and even further. Also to note, this essay is written with the American number system. The UK has different names for numbers after a million.

[4] YB is a Yottabyte. Kilobyte, megabyte, gigabyte, terabyte, petabyte, exabyte, zettabyte, yottabyte. 4 exabytes could hold everything ever written and said by man. The largest storage systems currently existing are around 5PB. Yottabyte is the largest named unit.

[5] This essay uses the correct 1,024 for conversions. There are 1,024 bytes in a kilobyte. This is correct because the binary system is based on powers of 2; shifts at 10… and 2^10 = 1024.