You’ve had grammar drilled into your head since elementary school, but when it comes to creating passwords, researchers are now saying to forget everything you’ve learned.
Institute of Software Research Ph.D. student Ashwini Rao and her team discovered that using proper grammar in your password actually weakens its security. That is, grammar is easier to predict and leads us to use pronouns, adverbs, and adjectives, which are easier for password crackers to solve. Rao’s team ran a homemade password cracker (a piece of software that attempts to guess your password) that was outfitted with grammar knowledge. According to a statement released by Rao’s team, the cracker beat out “state-of-the-art password crackers,” solving 10 percent of the 1,434 passwords they fed it.
Passphrases are the in-vogue password of choice nowadays, which may lead people to start using sentences as their “phrases.” For instance, you might use “iambetterthansheis.” Rao says that pronouns are significantly easier to crack than nouns simply because there are far fewer of them. “Meghanpuzzleasstown” is likely to be much more difficult to crack.
“I’ve seen password policies that say, ‘Use five words,’” Rao said in a statement. “Well, if four of those words are pronouns, they don’t add much security.”
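The pronoun-versus-noun point above, worked through as an added example (not code from Rao's team or from the original article): it splits a run-together passphrase into words, tags each with a part of speech, and sums the bits each word contributes when the sentence pattern is known. The lexicon and the per-class vocabulary sizes are constructed assumptions chosen only for illustration.

```python
import math

# Constructed vocabulary sizes per part of speech (assumptions for illustration,
# not figures from the study): closed classes are tiny, open classes are large.
POS_SIZE = {"pronoun": 30, "conjunction": 50, "verb": 5000,
            "adjective": 8000, "noun": 20000}

# Constructed mini-lexicon; a real estimator would use a tagged dictionary.
LEXICON = {"i": "pronoun", "she": "pronoun", "am": "verb", "is": "verb",
           "better": "adjective", "than": "conjunction",
           "baseball": "noun", "diamond": "noun", "horse": "noun"}

def segment(phrase):
    """Split a run-together passphrase into lexicon words (fewest words wins)."""
    best = {0: []}  # best[i] = shortest word list that covers phrase[:i]
    for end in range(1, len(phrase) + 1):
        for start in range(end):
            word = phrase[start:end]
            if start in best and word in LEXICON:
                cand = best[start] + [word]
                if end not in best or len(cand) < len(best[end]):
                    best[end] = cand
    return best.get(len(phrase))  # None if the phrase cannot be segmented

def structure_bits(phrase):
    """Return (tags, bits): search space when the grammar pattern is known."""
    words = segment(phrase.lower())
    if words is None:
        raise ValueError("phrase contains words outside the lexicon")
    tags = [LEXICON[w] for w in words]
    return tags, sum(math.log2(POS_SIZE[t]) for t in tags)

def random_bits(n_words, pool=POS_SIZE["noun"]):
    """Bits for n words drawn independently and uniformly from one pool."""
    return n_words * math.log2(pool)

if __name__ == "__main__":
    tags, bits = structure_bits("iambetterthansheis")
    print(tags, round(bits, 1))                 # six-word sentence
    print(round(random_bits(len(tags)), 1))     # six unrelated nouns
    print(round(math.log2(POS_SIZE["pronoun"]), 1),
          round(math.log2(POS_SIZE["noun"]), 1))  # per-word contribution
```

With these assumed sizes each pronoun adds about 4.9 bits against about 14.3 for a noun, so the six-word sentence comes out near 53 bits where six unrelated nouns would give about 86.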
Stick with passphrases that are three or four words and completely random. Look around the room and start picking out words. But be mindful not to pick words that go together. Researchers have already determined that passphrases might be weaker than expected, just because humans tend to put words together that, well, make sense. That is, you might think baseballdiamondhorse. Sure, a horse doesn’t have much to do with baseball or diamonds, but a baseball diamond is a thing that could easily be associated.
Rao will present further findings at the Association for Computing Machinery’s Conference on Feb. 20.