Brute force attack permutations

Question

Assuming an alphanumeric password of 8 characters the amount of permutations by my understanding would be.

26 lowercase
26 uppercase
10 digits

So if you were to do a brute force attack on this password the amount of tries on average would be (62 ^ 8) / 2

However assuming you knew that the password was at least 4 digits long and therefore excluded any attempts on the first 4 digits would the answer to the remaining permutations not be ((62 ^ 8) – (62 ^ 4)) / 2 ?

Am I missing something here or is that the correct answer?

Answer 1

Yes, you are missing something. No, that's not the correct answer :-)

Your original calculation is for a password that is exactly eight characters long, not one that is eight or less.

For a password which can be between four and eight characters, there's actually more search space than in your original calculation (not because less search space equates to more time taken, but because the original calculation was wrong).

For a password of one to eight characters, the search space is actually:

(62 ^ 1) + (62 ^ 2) + (62 ^ 3) + (62 ^ 4) +
(62 ^ 5) + (62 ^ 6) + (62 ^ 7) + (62 ^ 8)

and then you can divide that by two for the average number of checks (I won't since we're really only talking about ratios here).

Then, if you have the extra information that the password is at least four characters long, you can discount the first three terms to get:

                                 (62 ^ 4) +
(62 ^ 5) + (62 ^ 6) + (62 ^ 7) + (62 ^ 8)

Answer 2

For a password of at most 8 characters, there are 62^8 + 62^7 + 62^6 + 62^5 + 62^4 + 62^3 + 62^2 + 62 different passwords. If you know, however, that the password will be no less than 4 characters long, you may remove the last 3 terms, and get something like 62^8 + 62^7 + 62^6 + 62^5 + 62^4 different combinations.

Answer 3

I guess the right calculation for the number of combinations possible for your password will be:

(62^4) + (62^5) + (62^6) + (62^7) + (62^8)