The everyday blog of Richard Bartle.

RSS feeds: v0.91; v1.0 (RDF); v2.0; Atom.

10:19am on Tuesday, 1st October, 2024:

Anecdote

Whenever I log into my university account, I'm sent a two-factor authentication code via a "user verification" service operated by Microsoft. This consists of six digits.

Here are the last 20 codes I've received:

191936 440310 707908 800661 161320 940405 123471 543113 987490 870678 389849 129773 524582 987348 523498 268559 264995 167802 858352 691768.

Seven of these have three consecutive digits that count up or down:

123471 987490 870678 543113 987348 523498 167802.

Two of the remainder have a two-digit number pair repeated:

191936 940405.

Four of the remainder have a triple with the first and third digits the same:

707908 161320 389849 858352.

Five of the remainder have one or more digits doubled:

440310 800661 129773 268559 264995.

The two that don't fit any of these categories are:

524582 691768.

Let's try this again with 20 numbers generated by a simple pseudo-random-number generator (Mulberry32):

556585 056448 466112 335155 488736 207921 735581 883008 452570 604694 430747 353811 661339 864954 350834 107551 568956 540669 711693 937602.

None of them have three consecutive digits that count up or down.

One has a two-digit number pair repeated:

466112.

Five of the remainder have a triple with the first and third digits the same:

556585 335155 452570 430747 353811.

Eight of the remainder have one or more digits doubled:

056448 488736 735581 883008 661339 107551 540669 711693.

The six that don't fit any of these categories are:

207921 604694 864954 350834 568956 937602.

From this exercise, I conclude that the numbers despatched by Microsoft's user verification service have been biased so as to be easy to remember, in order that people can hold them in their heads between reading them on their phone and typing them into their browser.

As a quick check, there are a million possible six-digit numbers and 16 sequences of three-digit numbers going either up or down. If a sequence starts at the first digit of the six, there are a thousand numbers that can follow it: therefore, there are 16,000 sequences that start at the first of the six digits. If a sequence starts at the second digit there are a hundred numbers that can follow it but ten that can precede it, so that's still 16,000 sequences. It's a similar thing for sequences that start at digits 3 and 4, leading to an upper bound of 64,000 six-digit numbers that have a three-digit sequence that ascends or descends. The reason it's an upper bound is that some of the numbers are counted twice (123456 would be counted four times, for example). The actual count of six-digit numbers having at least one sequence of three digits that are consecutive integers going either up or down is 59,262 (I wrote a program).

So 59262/100000, or just under 6% of all six-digit numbers meet the criteria. The chance of getting 7 of these out of 20 involves some nasty messing about with factorials, but according to ChatGPT it's just under 0.009%. The chance of getting 20 numbers that contain no such sequences is easier to calculate, and is just under 30%.

Yeah, Microsoft is definitely fixing those numbers.

Latest entries.

Archived entries.

About this blog.

Copyright © 2024 Richard Bartle (richard@mud.co.uk).