Validation Reference Length
Validation Reference Length
If, for example, our VR simply consisted of a single uppercase letter then you'd only have to try out 26 possibilities before you'd be bound to find a match. That would take, even a novice, only a few minutes.
However, if we make it 2 letters, you'd have to try up to 26x26 (=676) variations before you could guarantee finding a match. Thats going to take you a week or two unless you write a small computer program to do it for you, in which case it will be done in a fraction of second.
At 5 letters, your computer program has to make nearly 12 million attempts before a guaranteed match. Actually, its a little bit easier than that. On average, you'd find a match about half way through the search, so a mere 6 million hash values will normally have to be created before you match just 5 randomly selected uppercase letters. That will take a good PC about an hour. The world's fast computers could do it in about a tenth of a second.
For every letter we add on, the calculation time will multiply by 26. So at 6 letters, the worlds fastest computer could find a match in about 2.6 seconds. 7 letters will take it a little over a minute. 8 takes half an hour.9 requires 13 hours. 10 needs a little over 2 weeks. 11 has the machine grinding away for a year. 12 characters requires 26 years
Now, you might think we'd feel reasonably secure at this point. It would, after all be much friendlier to use VRs only 15 characters long (including the 3 check digits).
However, to reduce the security risks of valid VRs being stolen from the manufacturer, once the VRs have been printed on labels (or whatever), we discard as much of the VR as we can, leaving only enough to ensure that we still have a unique reference when a consumer contacts us to register their purchase or to query something in relation to the product. (dealt with in more detail here)
If what we leave behind is only 6 or 7 characters long, (which might be enough for the uniqueness requirement), the potential hacker, if he has access to the worlds fastest computer, and has access to the half of the VR we've kept, can find a hash match for the whole VR in about a minute.
We'd prefer that to be nearer the 26 years. So we actually use no less than 20 randomly selected characters, plus their 5 check digits, to create the VRs. We also allow the digits 1 to 9 (so wherever we refer to multiplying by 26 above, make it 35), Thus, when we throw away the last 15 characters (12 random, 3 check digits), the hacker's task is still at least a task requiring a few decades of computing - to find just ONE valid VR.
Which is why our VRs are 25 characters long and why we only store the hash values of the VRs on the Authentication Database.