When passwords weren't good enough, passphrases came into play as a much safer login option. But a new study says passphrases may not be as effective as you think.
Researchers Joseph Bonneau and Ekaterina Shutova looked at Amazon's now-discontinued PayPhrase system to see what kinds of passphrases people chose and how strong they were. PayPhrase was a passphrase-based login system that let consumers move through the e-commerce checkout quickly. It required users to set up a phrase of two or more words that was tied to a credit card and shipping address. Entering the passphrase and a PIN completed the purchase. Because each phrase was linked to financial information, PayPhrase did not allow two users to share the same phrase. This gave Bonneau and Shutova the ability to query PayPhrase and collect a wide range of passphrases chosen naturally by humans.
“Our results suggest that users aren't able to choose phrases made of completely random words, but are influenced by the probability of a phrase occurring in natural language,” said Bonneau and Shutova in their report. “Examining the surprisingly weak distribution of phrases in natural language, we can conclude that even 4-word phrases probably provide less than 30 bits of security, which is insufficient against offline attack.”
They then attempted a dictionary attack against the collected database of passphrases. In a dictionary attack, an attacker takes a list of well-known words or phrases, orders them by how likely they are to have been chosen, and tries them one after another. Bonneau and Shutova built their list by gathering sports team names, movie titles, album titles, proper nouns, personal names and more from IMDb, Wikipedia and a number of other popular websites. Using this list, they ran their own dictionary attack.
The experiment showed that people rarely chose random phrases such as “panda train sunset,” which makes a passphrase significantly more vulnerable to attack. People also tended to “prefer phrases which are either a single modified noun (‘operation room’) or a single modified verb (‘send immediately’),” according to Bonneau in a blog post about the study.
The two do note that their test was limited to the 100,000 passphrases extracted from the PayPhrase system, and they point out that combining the phrase with a 4-digit PIN makes it significantly stronger. But for login tools that don't require a second factor, a stronger, less natural passphrase is going to be necessary.
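The “bits of security” figure and the “surprisingly weak distribution” mentioned above can be made concrete. The following Python is an added example written for this article; it is not code from the study, from Amazon, or from the PayPhrase system. It computes the bits you get when every word is drawn uniformly at random from a wordlist, contrasts that with the Shannon entropy, min-entropy and guess-coverage of a skewed, user-chosen distribution, and shows the two defender-side responses: a policy check that rejects short or well-known phrases, and a generator that picks words with a CSPRNG so the choice is not shaped by natural language. The wordlist, the phrase counts and the blocklist are all constructed sample data; the 7776-word list size is an assumption standing in for a real random-passphrase wordlist.

```python
import math
import secrets
from collections import Counter

# Constructed toy wordlist (assumption: a real wordlist such as a
# 7776-entry Diceware list would be used in practice).
WORDLIST = ["panda", "train", "sunset", "copper", "violin", "glacier",
            "lantern", "orbit", "pepper", "quartz", "meadow", "falcon"]

# Constructed sample of user-chosen phrases with counts, skewed the way the
# study describes: modified nouns/verbs and titles dominate, random phrases are rare.
SAMPLE_PHRASES = Counter({
    "operation room": 40,
    "send immediately": 30,
    "star wars": 20,
    "panda train sunset": 10,
})

# Constructed blocklist of well-known titles/phrases a policy might reject.
KNOWN_TITLES = {"star wars", "new york yankees", "operation room"}


def uniform_bits(wordlist_size: int, n_words: int) -> float:
    """Bits of security when each word is chosen uniformly at random."""
    return n_words * math.log2(wordlist_size)


def shannon_bits(counts: Counter) -> float:
    """Average information per phrase in a user-chosen distribution."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def min_entropy_bits(counts: Counter) -> float:
    """-log2 of the most common phrase's probability: what one guess buys."""
    total = sum(counts.values())
    return -math.log2(max(counts.values()) / total)


def guesses_to_cover(counts: Counter, fraction: float) -> int:
    """Distinct guesses, most common first, needed to cover `fraction` of users."""
    total = sum(counts.values())
    covered = 0
    for i, (_, c) in enumerate(counts.most_common(), start=1):
        covered += c
        if covered / total >= fraction:
            return i
    return len(counts)


def normalize(phrase: str) -> str:
    """Lower-case and collapse whitespace so 'Star  Wars' matches 'star wars'."""
    return " ".join(phrase.lower().split())


def violates_policy(phrase: str, min_words: int = 4, blocklist=KNOWN_TITLES) -> bool:
    """Reject phrases that are too short or that match a well-known title."""
    p = normalize(phrase)
    return len(p.split()) < min_words or p in blocklist


def generate_passphrase(n_words: int, wordlist=WORDLIST) -> str:
    """Random passphrase from the OS CSPRNG; the user cannot bias the choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    print(f"4 random words from 7776:       {uniform_bits(7776, 4):.1f} bits")
    print(f"2 random words from 7776:       {uniform_bits(7776, 2):.1f} bits")
    print(f"Sample Shannon entropy:         {shannon_bits(SAMPLE_PHRASES):.2f} bits")
    print(f"Sample min-entropy:             {min_entropy_bits(SAMPLE_PHRASES):.2f} bits")
    print(f"Guesses to cover half the users: {guesses_to_cover(SAMPLE_PHRASES, 0.5)}")
    print(f"'star wars' violates policy:    {violates_policy('star wars')}")
    print(f"Generated passphrase:           {generate_passphrase(4)}")
```

The point of the contrast is that four uniformly random words from a 7776-word list give about 51.7 bits, while a distribution in which a handful of phrases account for most users is cracked with a handful of guesses regardless of word count; min-entropy and guess coverage, not Shannon entropy, are the numbers that predict what an offline attack achieves.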
“We recommend further collaboration between the security and linguistics research communities to explore what is possible in multi-word passphrases,” the team stated. “In particular, user testing for longer phrases is necessary to determine the extent to which users will tend to choose passphrases with natural-language-like properties as more words are required and not resort to easier-to-remember patterns like repeated words, idioms, or well-known titles.”