Explaining Password Strength at a Grade 10 Math Level

Throughout primary and secondary school, one of my biggest challenges in math class was finding situations where the stuff I was learning was actually applicable or relevant to ‘real life’. One of my strongest memories from high school math was when a test had me use factorials to calculate the chance of any one person winning the Lotto 6/49 in Ontario. 

This relatively straightforward problem cemented factorial math in my mind, and it also ensured that I would never feel the need to buy a lottery ticket ever again1. The beauty of the problem is it allowed me to use a mathematical concept to explore something familiar, and perhaps learn something new about the world in the process (it succeeded). 

Perhaps the most relevant use of applied mathematics in the world today is in cryptography and data security, where almost every aspect of the field is driven by advanced mathematical concepts. The field is also receiving extensive attention in recent years, with the Snowden leaks revealing widespread government surveillance activity, and even the 2016 court case between Apple and the U.S Department of Justice regarding locked iPhones. 

In a 2015 interview with John Oliver, Edward Snowden noted that 8-character passwords can be cracked in less than a second (true), and that the best types of passwords are ‘pass phrases’ that are long, but easily memorable (like margaretthatcheris100%SEXY, which is 26 characters long and totally unforgettable). Why might this the case? 

Luckily, in the Ontario math curriculum, students start learning about exponents in high school, and it turns out that password security can be explained (at a high level at least) through the use of exponents. 

Passwords are just permutations of a given set of characters;

• The lowercase English alphabet has 26 possible characters;
• The English alphabet with lowercase and uppercase letters has 52 characters;
• If you add in numbers, that total increases to 62 characters;
• With special symbols like punctuation and spaces, that gives you 95 possible characters.

If you take a character set of size n, and create a password L characters long, your password has n * n * n * … or nL possible variations. Since most online services only allow you to use English letters, numbers, punctuation, and spaces, n is maximized at 95. The only way to increase your password’s strength against automated guessing attempts (known as “brute force” attacks) is to increase L. 

Powerful computers can make billions of automated guesses per second, so the length of one’s password becomes crucially important. In fact, adding just a few more characters to a password can dramatically increase the amount of time that it would take for a computer to crack it, and in many cases can make it effectively impossible to “brute force”. 

The below worksheet is intended for students operating at a Grade 9/10 level, and could serve as an interesting conversation point about mathematics and computing. They are free to use, replicate, steal, redistribute, and so on! If you do find them helpful, feel free to send me an email to share feedback.

Click to view the worksheet!

1 Simply put, factorials are a notation used to describe products of numbers. For example, 6! (or ‘six factorial’) is just 6x5x4x3x2x1. In a lottery like Lotto 6/49, six different numbers are chosen from a pool of 49 numbers, which means the odds of winning are one in (49! / 43! * 6!), or one in 13,983,816. More information is available here.