Mathematics is fun and it becomes more amazing when we integrate maths with another awesome topic i.e hacking. There may be many questions like why hackers should need knowledge of mathematics and how to use mathematics for hacking. If you ever think about this question then this post is for you.

## Let’s begin !

Let us assume, a web application uses following algorithm for their password.

**first_four_letters_of_alphabet_in_uppercase + year_of_birth**

This seems easy to crack but think once brute-forcing this can take ages as there are 4 uppercase alphabets & 4 digits involved. So they create `2821109907456`

combinations and it would take 90 years to crack the password if we try 1000 combinations per second.

Now, Who will spend 90 years to hack a singe account?

But if you have some knowledge about mathematics and some brainyou can easily hack that account with in few seconds.

**Let’s Apply Mathematics in this scenario**

First let focus on the algorithm. The combination is in the form:

([A-Z][A-Z][A-Z][A-Z])([0–9][0–9][0–9][0–9]) (4 uppercase letters) (4 digits) (Group 1) (Group 2)

The alphabets are in a group and lie before the digits which are also grouped so there’s no possibility that they can be mixed to form a combination like `S2N65GE1`

. So how many combinations are possible after considering that?

Lets calculate the number of combinations of 4 letters which can be formed by 10 digits i.e. `0-9`

:

(10)⁴ - 1 = 9999

So there will be `9999`

possible combinations. Great! Now lets calculate the same for alphabets.

(26)⁴ - 1 = 456975

And all the combinations of `9999`

digit and `456975`

alphabets combinations will be:

456975 * 9999 = 4569293025

And if we try 1000 combinations in 1 second we will need this much of time

4569293025 / 1000 = 4569293.025 seconds or 52 days 21 hours 14 minutes and 53 seconds

Just using some brain and mathematics We just decreased the time required from 92 years to 53 days!

The change is orgasmic but it’s still too much. What else can be done?

Here’s the catch, these are just not 4 alphabets and 4 digits, these are four alphabets & year of birth of someone.

A human can live up to 100 years which means someone born in 1642 can’t be alive and hence can’t have an account.

Time traveling is also impossible at the moment which means someone who is going to be born in 2594 can’t travel back to the time to create account.

So the combinations ranging from 0000–9999 aren’t valid. We just need the 1918–2018 range which covers humans of age 0 to 100.

So now the number of combinations and time required is:

456975 * 100 = 45697500 combinations

45697500 / 1000 = 45697.5 seconds or 12 hours 41 minutes 37 seconds

We just decreased the time required from 92 years to 53 days and now to 12 hours! It’s all because of mathematics.

Now if there is slight change in algorithm we can further decrease our time. If the algorithm is like:

**first_four_letters_of_first_name_in_uppercase + year_of_birth**

We can decrease the time from hours to seconds. Let’s apply maths here again:

Just like all the combinations of digits weren’t valid years of birth, similarly `AAAA`

or `PZVS`

aren’t valid four first for letters of a name.

So what would an attacker do?

They used Photon to scrape names from a website which was basically a directory of names and let’s say we found 3283 unique names! Use the following command to extract the first 4 letters and filtering out the duplicates

grep -oP ”^\w{4}” custom.txt | sort | uniq | dd conv=ucase

There are 1598 entries!(say) It can be even less as there are many duplicates, for example the first four letters in the names ** Sanjeev** &

**Sanjit**are same.

Anyway, let’s calculate the time required now

1598 * 100 = 159800 combinations

159800 / 1000 = 159.8 seconds or 2 minutes 39.8 seconds

Hmmm? Decreased time from 92 years to 2 minutes to crack a password by just using simple mathematics. Now can we further decrease the time? The answer is yes.

Let’s use some facts for that!

World has more than 50% of its population below the age of 25 and more than 65% below the age of 35.

So instead of creating combinations with age 01–100, a smart move would be to try this:

- 25 – 01 (reversed because young ones are not likely to have an account online)
- 25 – 35
- 36 – 100

So if we take the age statistics into account, the chance of matching the correct password in first `1598 * 25 = 39950 combinations`

is 50% which means we will crack half of the passwords in `39950 / 1000 = 39.95 seconds`

! And in the next `(1598 * 10) / 1000 = 15.8 seconds`

, we will have %15 more passwords! So basically we will have 65% of the passwords in `55.9 seconds`

. We have come a really long way!

This is just a theoretical example of how we can use mathematics on hacking.

Hope you enjoy it!

Have any quires?

Comment below and let us know.