28 Jan 2013

Ignore Grammar When Writing Passwords, Research Says


Long passwords with any semblance of grammar are easier to crack than short passwords without structure, according to a study by Carnegie Mellon University. Researchers found that grammar – good or bad – offers clues to hackers because it narrows the possible word combinations and sequences.

Pronouns can undermine security because they are far fewer in number than verbs, verbs fewer than adjectives, and adjectives fewer than nouns. A password composed of "pronoun-verb-adjective-noun," such as "Shehave3cats," is easier to break than "Andyhave3cats," which follows "noun-verb-adjective-noun." A password with more nouns would be even more secure.
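The arithmetic behind that paragraph, as an added example (not code from the CMU study): a cracker that knows a password follows a part-of-speech pattern only has to try the product of the word-class sizes, one factor per slot, so swapping a pronoun slot for a noun slot multiplies the work by the ratio of the two class sizes. The lexicon and the class sizes below are constructed assumptions chosen to respect the article's ordering (pronouns < verbs < adjectives < nouns), not figures from the paper.

```python
"""Grammar-aware guess estimate: added example, not code from the CMU study.
Lexicon and class sizes are constructed assumptions; real crackers use full
word lists, and the class sizes (not these few words) drive the estimate."""
import math

# Constructed lexicon: word -> part of speech. The digit "3" is tagged as an
# adjective, matching the article's "pronoun-verb-adjective-noun" reading.
LEXICON = {
    "she": "pronoun", "he": "pronoun", "they": "pronoun",
    "have": "verb", "has": "verb", "own": "verb",
    "3": "adjective", "red": "adjective", "big": "adjective",
    "cats": "noun", "andy": "noun", "dogs": "noun", "cars": "noun",
}
# Assumed class sizes a cracker would enumerate, ordered as the article
# describes: pronouns < verbs < adjectives < nouns.
CLASS_SIZE = {"pronoun": 30, "verb": 5_000, "adjective": 15_000, "noun": 50_000}


def segment(password):
    """Fewest-word split into lexicon words (case-insensitive), or None when
    no complete split exists, i.e. there is no grammar to exploit."""
    s = password.lower()
    best = [None] * (len(s) + 1)  # best[i]: fewest-word split of s[:i]
    best[0] = []
    for i in range(1, len(s) + 1):
        for j in range(i):
            if best[j] is not None and s[j:i] in LEXICON:
                cand = best[j] + [s[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[-1]


def pos_pattern(password):
    """Part-of-speech pattern, e.g. ['pronoun', 'verb', 'adjective', 'noun']."""
    words = segment(password)
    return None if words is None else [LEXICON[w] for w in words]


def grammar_guesses(password):
    """Candidates a cracker must try once it knows the pattern: the product of
    the class sizes, one factor per slot. None if no pattern was found."""
    pattern = pos_pattern(password)
    return None if pattern is None else math.prod(CLASS_SIZE[p] for p in pattern)


def naive_guesses(password, alphabet=62):
    """Brute-force candidates over [A-Za-z0-9] of the same length (length-only view)."""
    return alphabet ** len(password)
```

Under these assumed sizes, `grammar_guesses("Shehave3cats")` is 1.125e14 (about 46.7 bits) against 1.875e17 (about 57.4 bits) for `Andyhave3cats`, while `naive_guesses` credits them with 62**12 and 62**13 (about 71 and 77 bits); the gap between the two estimates is the point the article makes about counting characters.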

“We should not blindly rely on the number of words or characters in a password as a measure of its security,” said Ashwini Rao, a software engineering Ph.D. student in the Institute for Software Research. “I’ve seen password policies that say, 'Use five words.' Well, if four of those words are pronouns, they don’t add much security.”

Researchers also calculated that cracking a password like "Th3r3 can only b3 #1!" would take just 22 minutes, while breaking a password using the words "Hammered asinine requirements" would take more than three and a half hours.

The team developed a grammar-aware password-cracking algorithm and tested it against almost 1,500 passwords of 16 or more characters.

Another recent study pointed at the weakest and scariest passwords people use. “Jesus” and “Ninja” joined older entries such as “password,” “123456” and “12345678” in the list of the scariest 2012 passwords, according to SplashData. Other newcomers in the list of insecure passwords included “welcome,” “mustang” and “password1.”