You’ve had grammar drilled into your head since elementary school, but when it comes to creating passwords, researchers are now saying to forget everything you’ve learned.

Institute of Software Research Ph.D student Ashwini Rao and her team discovered that using proper grammar in your password actually weakens their security. That is, grammar is easier to predict and leads us to use pronouns, adverbs, and adjectives, which are easier for password crackers to solve. Rao’s team ran a homemade password cracker — or a piece of software that attempts to guess your password — that was outfitted with grammar knowledge. According to a statement released by Rao’s team, the cracker beat out “state-of-the-art password crackers,” solving 10 percent of the 1,434 passwords they fed it.

Passphrases are the in vogue password of choice nowadays, which may lead people to start using sentences as their “phrases.” For instance, you might use “iambetterthansheis.” Rao says that pronouns are significantly easier to crack than nouns simply because there are far fewer of them. “Meghanpuzzleasstown” is likely to be much more difficult to crack.

“I’ve seen password policies that say, ‘Use five words,’” Rao said in a statement. “Well, if four of those words are pronouns, they don’t add much security.”

Stick with passphrases that are three or four words, that are completely random. Look around the room and start picking out words. But mindful not to pick words that go together. Researchers have already determined that passphrases might be weaker than expected, just because humans tend to put words together that, well, make sense. That is, you might think baseballdiamondhorse. Sure, a horse doesn’t have much to do with baseball or diamonds, but a baseball diamond is a thing that could easily be associated.

Rao will present further findings at the Association for Computing Machinery’s Conference on Feb. 20.

Password image via Shutterstock

When passwords weren’t good enough, passphrases came into play as a much safer login option. But a new study is saying passphrases may not be as effective as you think.

Researchers Joseph Bonneau and Ekaterina Shutova looked at Amazon’s now out of commission PayPhrase System to see the types and effectiveness of passphrases people chose. PayPhrase was a passphrase-based login system that allowed consumers to go through the e-commerce check out line quickly. It required users set up a phrase of two words or more that would be connected to a credit card and shipping address. Entering the passphrase and a PIN would result in the purchase. Because the phrase itself related to financial information, PayPhrase did not allow people to use the same phrase. This gave Bonneau and Shutova the ability to query PayPhrase and collect a wide range of passphrases chosen naturally by humans.

“Our results suggest that users aren’t able to choose phrases made of completely random words, but are influenced by the probability of a phrase occurring in natural language,” said Bonneau and Shutova in their report. “Examining the surprisingly weak distribution of phrases in natural language, we can conclude that even 4-word phrases probably provide less than 30 bits of security, which is insufficient against offline attack.

They attempted a dictionary attack against the formed database of passphrases. A dictionary attack is when a hacker takes a list of well-known words or phrases, chooses which ones are most likely to succeed, and then attempts all of them. Bonneau and Shutova formed their list by gathering various sports team names, movies titles, album titles, proper nouns, names and more using IMDB, Wikipedia, and a number of other popular websites. Using this list, they ran their own dictionary attack.

The experiment showed that people rarely chose random phrases such as “panda train sunset.” This makes the passphrase significantly more vulnerable to attack. People also tended to “prefer phrases which are either a single modified noun (“operation room”) or a single modified verb (“send immediately”), according to Bonneau in a blog post about the study.

The two do conclude that their test was limited to the 100,000 passphrases extracted from the PayPhrase system, and suggest the phrase in combination with a 4-digit PIN makes it significantly stronger. But for login tools that don’t require two forms of identification, a stronger, less natural passphrase is going to be necessary.

“We recommend further collaboration between the security and linguistics research communities to explore what is possible in multi-word passphrases,” the team stated, “In particular, user testing for longer phrases is necessary to determine the extent to which users will tend to choose passphrases with natural-language-like properties as more words are required and not resort to easier-to-remember patterns like repeated words, idioms, or well-known titles.”

via ReadWriteWeb; Image via Shutterstock