Passwords: Two 50-characters vs one 100-characters

Question

In this Information Security question, we discuss whether or not a $100$ character secret randomly-generated username is equivalent to a $50$ character secret randomly-generated username plus a $50$ character secret randomly-generated password.

This answer [now deleted] claims that there is a mathematical difference.

It claims:

If we assume that the user id can be kept private and is choosen randomly, it would allow for more combinations. If we make an example with a base of $62$ possible characters to choose from $(a..z, A..Z, 0-1)$, we get:

$62^{100} = 10^{179}$ combinations [versus] $62^{50} + 62^{50} = 80^{89}$ combinations

Is this correct?

It seems erroneous to me; requiring two $50$ character items would be the same number of combinations as requiring one $100$ character item. If I'm mistaken, can you help me understand my error?

Answer 1

You are correct, they are equivalent. The answer you quote adds $62^{50}$ and $62^{50}$ instead of multiplying these numbers together.

One hundred characters is one hundred characters. If it helps, think about what happens with smaller number of characters. (Take an extreme example, like only allowing the letters "a", "b", and "c" in the username and password, and comparing the number of one character usernames with one character passwords to the number of two character usernames.)

How would you write down a hundred character username? You'd write down a hundred characters. How would you write down a fifty character username together with a fifty character password? You'd write down a hundred characters. If you came accross a hundred characters somewhere, how would you know which process was used to create the string? You can translate any string of one hundred characters into either a username/password pair, or into just a username, and this translation is a bijection in each case.

Answer 2

Is this correct?

No. This is wrong: $62^{50} + 62^{50}$

There are $62^{50}$ possible user names, and for each one, there are $62^{50}$ possible passwords. Therefore, all together, there are $62^{50} \cdot 62^{50} = 62^{100}$ combinations.

Answer 3

The answer that you are referring to is incorrect, the total number of combinations will be $62^{50}\cdot 62^{50}=62^{100}$

Answer 4

It depends on how they're verified.

If you provide both username and password, and the computer tells you "yes" or "no", then there are $62^{100}$ possible combinations: each of the $62^{50}$ possible usernames can be paired with each of the $62^{50}$ possible passwords to get $62^{50} * 62^{50} = 62^{100}$ possible username/password combinations.

If, on the other hand, you can independently check the username and password (for example, if the computer checks the username before checking the password), $62^{50} + 62^{50}$ is correct. You need $62^{50}$ guesses to figure out a valid username, and then $62^{50}$ more guesses to figure out the password.

Answer 5

In the context of services which allow online registration (the vast majority of existing websites), there is indeed a difference. It's trivial to check the validity of the username alone by simply trying to register a new user with that name. For valid usernames, the site will have no option but to report that the name is already taken.

In case of a brute-force attack (trying every possible combination) guessing a valid username then a valid passowrd leads to the $62^{50} + 62^{50}$ result cited in the answer.