There’s an episode of Star Trek: The Next Generation where Data impersonates Captain Picard’s voice to gain command control, then locks command functions behind a very long numeric code. In practice, how strong is this as a password, and could Picard break it with a brute force attack?
The code Data gives is 52 characters long, and consists mainly of digits but with three letters given in the phonetic alphabet:
The code as it appears on the screen is slightly different, consisting of 51 characters, missing the 7th character ‘3’, 23rd character ‘4’, and adding another ‘1’ before the 35th character that begins ‘888’:
It’s a fair guess that in reality, this password was generated by going around clockwise on a computer keyboard’s numpad. This would explain why there are no fives or zeroes. This creates a repeating pattern that makes it more predictable and less random, and is a great example of how human-generated passwords are weaker than truly random ones.
If it were truly random, a 52-digit numbers-only passcode would have around $2^{172.74}$ possibilities, or the slightly lower $2^{169.42}$ for a 51-digit code. By today’s standards this is excellent: 128-bit or higher passwords are impractical to break, requiring a billion trillion trillion guesses per second to guarantee a break within a week (current best technology in 2015 is around a trillion per second).
Considering the lack of fives and zeroes, the 52-character password really only has $2^{156}$ possibilities, but Data has made the clever addition of three letters to the password. Thus any attempt to brute force pure digits would fail. If an attacker does not know about the missing fives and zeroes and assumes letters are considered equally likely as digits, the number of possibilities they must test is about $2^{267.84}$, described by cryptographer Bruce Schneier as “infeasible until computers are built from something other than matter and occupy something other than space” [1].
The Enterprise’s main computer is probably comparable in power to that of the USS Voyager, which is cited as capable of 575 trillion calculations per nanosecond [2]. Even assuming one calculation equals one cracked password, such a computer could at best crack $2^{103.84}$ passwords per year, taking a trillion such starships to break $2^{143.70}$.
Conclusion: Data’s 52-digit code is secure.
If you picked a 52-digit password today, it would be very strong. However, the exact password 173467321476c32789777643t732v73117888732476789764376 is extremely weak, since it has appeared in a popular science fiction television series.
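The figures above can be checked against the quoted code itself. The following Python sketch is an added example, not part of the original post: it measures the digit alphabet actually used, the per-digit Shannon entropy, and how often a digit is followed by its clockwise numpad neighbour, then reproduces the guesses-per-year estimate. The names `RING`, `analyze`, `log2_guesses_per_year` and `log2_years_to_exhaust` are hypothetical, and the 365-day year is an assumption.

```python
import math
from collections import Counter

# The code quoted at the end of the post (52 characters).
CODE = "173467321476c32789777643t732v73117888732476789764376"

# Assumption for this example: the outer numpad keys read clockwise from '7'.
RING = "78963214"

def analyze(code):
    digits = [c for c in code if c.isdigit()]
    counts = Counter(digits)
    n = len(digits)
    # Zero-order Shannon entropy of the digits actually used (bits per digit).
    h0 = -sum(k / n * math.log2(k / n) for k in counts.values())
    # Adjacent digit pairs where the second key is the next one clockwise.
    pairs = [(a, b) for a, b in zip(code, code[1:]) if a.isdigit() and b.isdigit()]
    clockwise = sum(1 for a, b in pairs
                    if a in RING and b in RING
                    and (RING.index(b) - RING.index(a)) % 8 == 1)
    return {
        "length": len(code),
        "letters": len(code) - n,
        "alphabet": "".join(sorted(counts)),
        "bits_if_10_digits": len(code) * math.log2(10),
        "bits_if_observed_digits": len(code) * math.log2(len(counts)),
        "entropy_per_digit": h0,
        "most_common": counts.most_common(1)[0],
        "clockwise_pairs": (clockwise, len(pairs)),
    }

def log2_guesses_per_year(per_nanosecond):
    """log2 of guesses per 365-day year at the given rate per nanosecond."""
    return math.log2(per_nanosecond * 1e9 * 365 * 86400)

def log2_years_to_exhaust(bits, per_nanosecond):
    """log2 of the years needed to try every candidate in a 2**bits space."""
    return bits - log2_guesses_per_year(per_nanosecond)

if __name__ == "__main__":
    for key, value in analyze(CODE).items():
        print(f"{key:24} {value}")
    rate = 575e12  # the post's figure: 575 trillion calculations per nanosecond
    print("log2(guesses/year):", round(log2_guesses_per_year(rate), 2))
    print("log2(years), 8-digit alphabet:", round(log2_years_to_exhaust(156, rate), 2))
```

With uniformly random picks from the eight observed digits, a clockwise-neighbour pair would be expected about one time in eight; the ratio reported in `clockwise_pairs` and the skew toward ‘7’ show how far the code departs from that.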