Finding passwords by random walks: How long does it take?

We compare an efficiency of a deterministic “lawnmower” and random search strategies for finding a prescribed sequence of letters (a password) of length M in which all letters are taken from the same Q-ary alphabet. We show that at best a random search takes two times longer than a “lawnmower” search.

💡 Research Summary

The paper addresses the classic problem of locating a predetermined password composed of M symbols drawn from a Q‑ary alphabet. The authors model the password space as a combinatorial set of size Q^M and compare two fundamentally different search strategies: a deterministic “lawnmower” (sequential, lexicographic) scan and a stochastic random‑walk approach.

For the deterministic method, the algorithm enumerates every possible string in a fixed order. The worst‑case number of trials equals the size of the space, Q^M, while the expected number of trials under a uniform distribution of the target is (Q^M + 1)/2. This linear scaling with the size of the space is optimal for an exhaustive search, and the method requires no additional memory or bookkeeping.

The random‑walk strategy treats the password space as a Markov chain. From any current candidate the algorithm randomly selects a neighboring state (for example, by changing a single character) with uniform probability, thereby performing an unbiased walk through the space. The authors focus on the hitting time—the expected number of steps required to encounter the specific target password for the first time—rather than the cover time (the time to visit every state). By standard coupon‑collector arguments, the hitting time for an unbiased walk is on the order of Q^M, because each step has a 1/Q^M chance of being the target. A more precise analysis yields an expectation E