How mathematics help in hacking

Hacking with Mathematics

Mathematics is fun and it becomes more amazing when we integrate maths with another awesome topic i.e hacking. There may be many questions like why hackers should need knowledge of mathematics and how to use mathematics for hacking. If you ever think about this question then this post is for you.

Let’s begin !

Let us assume, a web application uses following algorithm for their password.

first_four_letters_of_alphabet_in_uppercase + year_of_birth

This seems easy to crack but think once brute-forcing this can take ages as there are 4 uppercase alphabets & 4 digits involved. So they create 2821109907456 combinations and it would take 90 years to crack the password if we try 1000 combinations per second.

Now, Who will spend 90 years to hack a singe account?

But if you have some knowledge about mathematics and some brainyou can easily hack that account with in few seconds.

Let’s Apply Mathematics in this scenario

First let focus on the algorithm. The combination is in the form:

 (4 uppercase letters)      (4 digits)
       (Group 1)            (Group 2)

The alphabets are in a group and lie before the digits which are also grouped so there’s no possibility that they can be mixed to form a combination like S2N65GE1 . So how many combinations are possible after considering that?

Lets calculate the number of combinations of 4 letters which can be formed by 10 digits i.e. 0-9 :

(10)⁴ - 1 = 9999

So there will be 9999 possible combinations. Great! Now lets calculate the same for alphabets.

(26)⁴ - 1 = 456975

And all the combinations of 9999 digit and 456975 alphabets combinations will be:

456975 * 9999 = 4569293025

And if we try 1000 combinations in 1 second we will need this much of time

4569293025 / 1000 = 4569293.025 seconds
52 days 21 hours 14 minutes and 53 seconds

Just using some brain and mathematics  We just decreased the time required from 92 years to 53 days!
The change is orgasmic but it’s still too much. What else can be done?

Here’s the catch, these are just not 4 alphabets and 4 digits, these are four alphabets & year of birth of someone.

A human can live up to 100 years which means someone born in 1642 can’t be alive and hence can’t have an account.
Time traveling is also impossible at the moment which means someone who is going to be born in 2594 can’t travel back to the time to create account.

So the combinations ranging from 0000–9999 aren’t valid. We just need the 1918–2018 range which covers humans of age 0 to 100.

So now the number of combinations and time required is:

456975 * 100 = 45697500 combinations
45697500 / 1000 = 45697.5 seconds
12 hours 41 minutes 37 seconds

We just decreased the time required from 92 years to 53 days and now to 12 hours! It’s all because of mathematics.

Now if there is slight change in algorithm we can further decrease our time. If the algorithm is like:

first_four_letters_of_first_name_in_uppercase + year_of_birth

We can decrease the time from hours to seconds. Let’s apply maths here again:

Just like all the combinations of digits weren’t valid years of birth, similarly AAAA or PZVS aren’t valid four first for letters of a name.

So what would an attacker do?

They used  Photon to scrape names from a website which was basically a directory of  names and let’s say we found 3283 unique names! Use the following command to extract the first 4 letters and filtering out the duplicates

grep -oP ”^\w{4}” custom.txt | sort | uniq | dd conv=ucase

There are 1598 entries!(say) It can be even less as there are many duplicates, for example the first four letters in the names Sanjeev & Sanjit are same.

Anyway, let’s calculate the time required now

1598 * 100 = 159800 combinations
159800 / 1000 = 159.8 seconds
2 minutes 39.8 seconds

Hmmm? Decreased time from 92 years to 2 minutes to crack a password by just using simple mathematics. Now can we further decrease the time? The answer is yes.

Let’s use some facts for that!

World has more than 50% of its population below the age of 25 and more than 65% below the age of 35.

So instead of creating combinations with age 01–100, a smart move would be to try this:

  1. 25 – 01 (reversed because young ones are not likely to have an account online)
  2. 25 – 35
  3. 36 – 100

So if we take the age statistics into account, the chance of matching the correct password in first 1598 * 25 = 39950 combinations is 50% which means we will crack half of the passwords in 39950 / 1000 = 39.95 seconds! And in the next (1598 * 10) / 1000 = 15.8 seconds , we will have %15 more passwords! So basically we will have 65% of the passwords in 55.9 seconds . We have come a really long way!

This is just a theoretical example of how we can use mathematics on hacking.

Hope you enjoy it!

Have any quires?

Comment below and let us know.

the authorABHIYAN
Abhiyan Chhetri is a cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Abhiyan is also into gaming, reading and investigative journalism.