Study Finds Using Grammar Undercuts Security of Long Passwords
Posted on March 22, 2013

Most computer-savvy people know that using words that can be found in the dictionary in your password is a bad idea. Password-cracking programs try dictionary words when they attempt to break passwords. A new study from researchers at Carnegie Mellon University has found that grammar is also a bad idea in long computer passwords. The researchers say grammar (good or bad) can give a cracking program hints about what the password is.
The Carnegie Mellon research team - led by Ashwini Rao - developed a password-cracking algorithm that took grammar into account and tested it against 1,434 passwords containing 16 or more characters. The grammar-aware cracker outperformed other password crackers when the passwords had grammatical structure.
Rao said in a release, "We should not blindly rely on the number of words or characters in a password as a measure of its security."
She also says that a password based on a phrase or short sentence is easier for a user to remember, but its grammatical structure also dramatically narrows the possible combinations and sequences of words. Grammar follows certain patterns, and patterns are something algorithms can break down. She says grammar necessitates using different parts of speech - nouns, verbs, adjectives and pronouns.
Some tech-savvy people like to use phrases as passwords. This research could pour cold water on the idea, as it is only a matter of time before cracking programs emerge that use grammar patterns to quickly solve passwords based on phrases or sentences.

Likewise, grammar, whether good or bad, necessitates using different parts of speech - nouns, verbs, adjectives, pronouns - and that, too, can undermine security. That's because pronouns are far fewer in number than verbs, verbs fewer than adjectives, and adjectives fewer than nouns. So a password composed of "pronoun-verb-adjective-noun," such as "Shehave3cats," is inherently easier to decode than "Andyhave3cats," which follows "noun-verb-adjective-noun." A password that incorporated more nouns would be even more secure.
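A worked illustration of that arithmetic, added here and not part of the article or of the CMU study's own code: it segments a run-together passphrase into words using a constructed toy lexicon, tags each word with a part of speech, and compares the number of candidates a grammar-aware cracker would need (the product of the class sizes along the part-of-speech template) with the naive word-count estimate. The class sizes are assumed, illustrative figures, not measured ones.

```python
import math
from typing import Dict, List, Optional

# Assumed, illustrative sizes of each part-of-speech class in a cracker's word
# list; real figures vary, but the ordering (pronouns fewest, nouns most) is
# the article's point.
CLASS_SIZES: Dict[str, int] = {"pronoun": 50, "verb": 5_000,
                               "adjective": 20_000, "noun": 100_000}
DICTIONARY_SIZE = sum(CLASS_SIZES.values())

# Constructed toy lexicon, just enough to tag the article's two examples.
LEXICON: Dict[str, str] = {"she": "pronoun", "he": "pronoun", "they": "pronoun",
                           "have": "verb", "love": "verb", "red": "adjective",
                           "cats": "noun", "andy": "noun", "dogs": "noun"}

def segment(password: str) -> List[str]:
    """Split a run-together passphrase into lexicon words, longest match first
    with backtracking; digit runs are words too (tagged adjective in estimate,
    following the article's treatment of the '3' in 'Shehave3cats')."""
    s = password.lower()

    def rec(i: int) -> Optional[List[str]]:
        if i == len(s):
            return []
        for j in range(len(s), i, -1):  # try the longest candidate first
            tok = s[i:j]
            if tok in LEXICON or tok.isdigit():
                rest = rec(j)
                if rest is not None:
                    return [tok] + rest
        return None  # no segmentation from position i

    words = rec(0)
    if words is None:
        raise ValueError("password cannot be segmented with the toy lexicon")
    return words

def estimate(password: str) -> dict:
    """Search space for a grammar-aware cracker (product of class sizes along
    the part-of-speech template) versus the naive word-count estimate
    (dictionary size raised to the number of words), both also in bits."""
    words = segment(password)
    template = ["adjective" if w.isdigit() else LEXICON[w] for w in words]
    grammar_guesses = math.prod(CLASS_SIZES[pos] for pos in template)
    naive_guesses = DICTIONARY_SIZE ** len(words)
    return {"words": words, "template": "-".join(template),
            "grammar_guesses": grammar_guesses,
            "grammar_bits": round(math.log2(grammar_guesses), 1),
            "naive_bits": round(math.log2(naive_guesses), 1)}
```

Under these assumptions "Shehave3cats" costs a grammar-aware cracker about 2^49 guesses and "Andyhave3cats" about 2^60, while the naive word-count estimate credits both with the same strength.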
Rao adds, "I've seen password policies that say, 'Use five words.' Well, if four of those words are pronouns, they don't add much security."