I am not sure why so many smart programmers get encryption so badly wrong. But they do. The latest example is the Google ad campaign which is currently all over the London Underground:
It recommends that you pick your favourite quote, such as “To be or not to be, that is the question” and then compress it down by using just initial letters and a few obvious abbreviations like the digit 2 for “to”. That would give 2bon2btitq. Voila! There is the perfect password. It is one of a “quadrillion” possibilities. In other words it is really strong.
Except it isn’t. It would succumb to a password cracker in a few minutes. Why?
First you need to understand the thought process of the smart guy who devised this. He (or she) figured as follows. The password has 10 characters. Each character is either a lower case letter (26 possibilities) or a digit 0-9 (another 10 possibilities). So there are 36 possibilities for each character and hence 36^10 possibilities for a 10-character password.
Those who have the right kind of calculator can work out what 36^10 is exactly. But it is easier to note that 36^2 is more than 1000 – come on, you should be able to manage that one with pencil and paper, or even in your head! So 36^10 is at least 1000^5 = 10^15. Well, maybe that is not so obvious, but if you know a child with an A*-C in GCSE maths, he is supposed to be able to explain it to you. Or you could try writing out 36^10 in full (36 x 36 x …), then grouping the numbers in pairs, applying the inequality to each pair to get “more than 1000 x 1000 x 1000 x 1000 x 1000”, which is the result you want (if in doubt, go the other way – replace each 1000 by 10 x 10 x 10).
Finally, you need to know that a quadrillion is indeed 10^15.
But there are some snags about this. 2 is an obvious text-speak abbreviation, so is 8 (=ate, or gr8=great, l8=late etc.), but after that it gets harder; in fact you probably need a quotation which actually uses the number, e.g. “three witches”, which could then become 3w. But what about a string of 5 digits? Anyone know any poems using 31982 witches, or 31982 anything elses?
However, that is a mere bagatelle. The real problem is that the English language simply does not have a quadrillion poems. So even if we stick to ordinary letters, most of those 10-letter combinations do not correspond to the first line, or indeed any line, of any known poem, however obscure.
In fact, if you put a thousand people in a room, how many first lines do you think they could recite between them? Not that many unfortunately. Few people know more than a dozen poems. Almost no one knows more than a thousand. Moreover, most people tend to know the same ones – the kind that find themselves in the Oxford Book of English Verse, or Palgrave’s Treasury, or some other well-known anthology. So most people who can remember one or more first lines will be picking from a set of less than ten thousand first lines. In other words, far from being one of a quadrillion possibilities, your wonderful password will be one of less than ten thousand. That means it is easy to crack – by the so-called “brute force attack”. The hacker just puts all ten thousand possibilities in a database and gets a piece of software to try them at high speed one after another.
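The point above can be made concrete. The following is an added example, not code from the original post: it applies the ad's rule (initial letters, with the 2/8 text-speak substitutions the post mentions; the 4=for entry is an assumption of the same kind) to a small constructed list of well-known first lines, compares the advertised 36^10 keyspace with the size of the set people actually choose from, and shows the guess count a list-based attack needs.

```python
import math
from typing import Iterable, Optional

# Constructed sample of well-known first lines and quotes. It stands in for
# the "less than ten thousand" anthology lines the post talks about.
FIRST_LINES = [
    "Shall I compare thee to a summer's day",
    "I wandered lonely as a cloud",
    "To be or not to be, that is the question",
    "The curfew tolls the knell of parting day",
    "Tyger Tyger burning bright",
]

# Text-speak substitutions: 2 and 8 come from the post; 4 is assumed.
ABBREV = {"to": "2", "too": "2", "ate": "8", "for": "4"}

def mnemonic(quote: str) -> str:
    """Apply the ad's rule: keep each word's initial letter, except that a
    word with a text-speak abbreviation becomes that digit."""
    out = []
    for word in quote.lower().split():
        word = word.strip(",.;:!?'\"")
        if word:
            out.append(ABBREV.get(word, word[0]))
    return "".join(out)

def naive_keyspace(length: int = 10, alphabet: int = 36) -> int:
    """The ad's reasoning: every position is one of 36 symbols."""
    return alphabet ** length

def bits(candidates: int) -> float:
    """Entropy in bits if the password were drawn uniformly from the set."""
    return math.log2(candidates)

def guesses_to_find(target: str, lines: Iterable[str]) -> Optional[int]:
    """Number of guesses a list-based attack needs to hit target, or None."""
    for n, line in enumerate(lines, start=1):
        if mnemonic(line) == target:
            return n
    return None

def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return candidates / guesses_per_second

if __name__ == "__main__":
    pw = mnemonic("To be or not to be, that is the question")
    print(pw, f"{bits(naive_keyspace()):.1f} bits claimed,",
          f"{bits(10_000):.1f} bits if chosen from 10,000 first lines,",
          f"found after {guesses_to_find(pw, FIRST_LINES)} guesses")
```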
In fact, it is far, far worse than that, because, sadly, many readers will be even sillier than Google: they will not know any first lines, but the one in the Google ad will sound vaguely familiar, so they will use that one. After all, it must be safe; Google recommends it.
Oh, one final point. The iPhone photo I took at the start of this article is awful. That is partly because I held the camera at the wrong angle, but mainly because I moved the camera when I touched the shutter release. That is almost impossible not to do because it is a soft button on the main screen. Of course, checking as I write this, I discover that there is an alternative. You can also press the increase volume button which is on the edge of the iPhone. That is much better, because then you are pressing against other parts of your hand on the opposite edge of the camera. But it is still far from ideal, because the notorious iPhone 4 antenna problem forced me to put a £10 plastic cover around the edge. That covers the volume buttons with plastic, which makes them much harder to press, so I suspect I will still get camera shake. I suppose I should train myself to use the on-screen button but to touch it ever so lightly …