The Numerics of Screen Names and Passwords

By Fafalone

 

          A lot of talk on AOL is about ‘owning’ screen names. There are people trying to ‘own’ every 3 character screen name. There is no attempt here to get through to newbies; this is merely an essay for intelligent people who also mock the quixotic idea of ‘brute forcing’ a screen name. This essay will discuss briefly just how many screen names there are, and then go in depth about just how hard it would really be to crack a screen name with a completely random password without an exploit.

When America Online first came out, subscribers could make screen names 3-10 characters in length, with that and no leading numbers being the only restrictions[1]. So let's figure[2] out just how many screen names there originally were, with 36 possible characters (a-z and 0-9; screen names are not case sensitive).

 

$$\sum_{x=3}^{10} 36^x = 3,760,620,109,777,728$$

or about 3.8 quadrillion.

 

From that, we need to compensate for the fact that you cannot create screen names that start with a number. To accomplish this, we take the number of possible 2-9 character strings, multiply it by 10 (the leading digits 0-9), and subtract the result from the total above. We use 2-9 because each such name has 1 leading character, and there need to be at least 2 more characters to satisfy the length requirement.

 

$$\sum_{x=3}^{10} 36^x - 10 \cdot \sum_{x=2}^{9} 36^x = 2,716,003,412,617,248$$

or 2.7 quadrillion.

 

This number represents the real number of screen names that could originally be made.

Now, AOL has changed the maximum length to 16, so we can adjust for this.

$$\sum_{x=3}^{16} 36^x - 10 \cdot \sum_{x=2}^{15} 36^x = 5,910,148,253,103,040,656,975,904$$

 

That’s 5.9 octillion possible screen names as of now.

 

With the same method, we can figure out how many of the coveted 3 character screen names can be made.

 

$$\sum_{x=3}^{3} 36^x - 10 \cdot \sum_{x=2}^{2} 36^x = 45,360$$

 

These are the screen names most of the cretins out there are trying to crack. And this leads into the main point of this, the passwords possible.

 

            In the very first calculation we made, it’s likely most people were completely shocked by that huge number. A quadrillion is a number beyond a trillion, and just thinking about a trillion of anything can give you a headache. The numbers above are quite small next to the number of passwords there are.

 

First, let’s talk about AOL passwords. AOL passwords must be 4-8 characters in length, are not case sensitive, and allow a-z and 0-9, with no other limitations.

 

$$\sum_{x=4}^{10} 36^x = 3,760,620,109,731,072$$

 

This represents the number of passwords possible on an AOL screen name, not an AIM screen name. If you wanted to brute force just an AOL, it would take a horrendous amount of time. We’ll assume you have a fast computer and internet connection… which will let you crack AOL screen names at a rate of 100 tries per second.

3,760,620,109,731,072 divided by 100 tries per second = 1,195,760.87128 YEARS, 119 MILLENNIA.

As huge as this number is, it's nothing if you're talking about brute forcing an AIM password. With AIM, you have 4-16 character case sensitive passwords. The vast majority of users will only use a-z, A-Z, 0-9, and space in their passwords, so let's calculate that first. That is 63 characters in a 4-16 range:

 

$$\sum_{x=4}^{16} 63^x = 62,574,537,913,733,490,154,880,900,481$$

or 62.5 octillion.

 

That would take about 19,842,255,807,247,000,000 years to crack at 100/second.

 

It doesn’t stop there. AIM allows more than just your standard alphanumerics. Most people don’t use other characters, but some do. The standard character table understood by AOL’s applications is 255 characters. 4-16 characters in length with a field of 255 characters? Damn.

 

$$\sum_{x=4}^{16} 255^x = 320,884,951,674,586,670,638,888,924,819,449,050,625$$

 

The name for that number is 320.88 undecillion[3]. Still cracking at 100 tries per second? 101,751,950,683,220,000,000,000,000 (101.75 septillion) millennia to crack every POSSIBLE AIM PASSWORD WITH 100 TRIES PER SECOND.

 

Fortunately, for those heathens out there still cracking passwords, a lot of users don't use good passwords. People choosing bad passwords is the only reason cracking even works. There are only about 114,000 words in the English language… the vocabulary of most people is around 7,000-8,000. About 50,000 likely passwords… considering reversals, common mixes with numbers, names, sports teams… etc. At the rate we've been using, it would take far less than an hour.

Most screen names that are stolen are not cracked. Very rarely are cracks actually effective. Knowing the magnitude of the numbers presented here makes the notion of brute forcing a screen name risible.

Not only would it take longer than this planet has existed, to store a list of those passwords would require massive amounts of data storage. We’ll use the formula 36^x*x. Each character is one byte; so multiply the number of words for the given length by that length to get the number of bytes… as in 36^4 is 1,679,616, the number of possible 4 character passwords… 1,679,616 times 4 bytes each.

$$\sum_{x=4}^{16} x \cdot 36^x = 130,742,935,654,335,813,385,574,400$$

bytes; 108.148 YB[4],[5]

and,

$$\sum_{x=4}^{16} x \cdot 255^x = 5,132,895,900,211,990,719,707,896,462,761,718,346,250$$

5.133 duodecillion bytes… 4,245,831,974,908,300 YB.
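
The sums used throughout this essay, as an added Python example that is not the author's code: it evaluates them with exact integers, cross-checks the leading-digit subtraction against a direct count, and converts a candidate count into time at the essay's 100 tries per second. The function names and the 365-day year are assumptions of this example.

```python
# Added example, not from the original essay: exact integer arithmetic for
# the essay's keyspace, exhaustion-time and wordlist-storage estimates.

SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: 365-day year


def keyspace(alphabet, min_len, max_len):
    """Count strings of length min_len..max_len over `alphabet` symbols."""
    return sum(alphabet ** x for x in range(min_len, max_len + 1))


def names_by_subtraction(min_len, max_len, alphabet=36, digits=10):
    """Essay's method: all strings minus those that start with a digit."""
    leading_digit = digits * keyspace(alphabet, min_len - 1, max_len - 1)
    return keyspace(alphabet, min_len, max_len) - leading_digit


def names_direct(min_len, max_len, alphabet=36, digits=10):
    """Cross-check: a non-digit first character, then any characters."""
    letters = alphabet - digits
    return sum(letters * alphabet ** (x - 1)
               for x in range(min_len, max_len + 1))


def years_to_exhaust(candidates, tries_per_second=100):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return candidates / tries_per_second / SECONDS_PER_YEAR


def wordlist_bytes(alphabet, min_len, max_len):
    """Bytes to store every candidate at one byte per character."""
    return sum(x * alphabet ** x for x in range(min_len, max_len + 1))


if __name__ == "__main__":
    print(f"screen names, 3-10 chars: {names_by_subtraction(3, 10):,}")
    rows = [
        ("36-symbol sum, lengths 4-10", keyspace(36, 4, 10)),
        ("63-symbol sum, lengths 4-16", keyspace(63, 4, 16)),
        ("likely-password list (essay's estimate)", 50_000),
    ]
    for label, count in rows:
        print(f"{label:40} {count:>40,} {years_to_exhaust(count):.3e} years")
    print(f"4-char wordlist: {wordlist_bytes(36, 4, 4):,} bytes")
```

The gap between the last two rows is the essay's point for anyone setting password policy: the exhaustive sums are out of reach at this rate, while the 50,000-entry list is finished in minutes.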

 

To summarize this entire essay, it is quite impossible to brute force the password to someone else's screen name. Hopefully, if you still try to crack screen names, you'll grow out of it, or for God's sake at least rely on Trojans and exploits rather than any kind of cracking.

 

 

 

This work is Copyright ©2001 Fafalonian Productions. No portion of this work may be reproduced in part or in whole without explicit permission from the author. All names are the property of their respective owners.



[1] Other limitations, such as censored words and restricted prefixes, shall not be discussed due to their availability via internal accounts. They are not considered ‘real’ restrictions.

[2] I am not going to explain the math behind this. You should be familiar with powers and Sigma notation. These are basic Algebra 1 concepts.

[3] At this point, it becomes necessary to understand large number nomenclature. After a trillion, there is quadrillion, quintillion, sextillion, septillion, octillion, nonillion, decillion, undecillion, duodecillion… that’s the highest name we deal with here, but after that it goes on to tredecillion and even further. Also to note, this essay is written with the American number system. The UK has different names for numbers after a million.

[4] YB is a Yottabyte. Kilobyte, megabyte, gigabyte, terabyte, petabyte, exabyte, zettabyte, yottabyte. 4 exabytes could hold everything ever written and said by man. The largest storage systems currently existing are around 5PB. Yottabyte is the largest named unit.

[5] This essay uses the correct 1,024 for conversions. There are 1,024 bytes in a kilobyte. This is correct because the binary system is based on powers of 2; shifts at 10… and 2^10 = 1024.