Featured Research

from universities, journals, and other organizations

Grammar undercuts security of long computer passwords

Date:
January 24, 2013
Source:
Carnegie Mellon University
Summary:
When writing or speaking, good grammar helps people make themselves be understood. But when used to concoct a long computer password, grammar -- good or bad -- provides crucial hints that can help someone crack that password, researchers have demonstrated.

When writing or speaking, good grammar helps people make themselves be understood. But when used to concoct a long computer password, grammar -- good or bad -- provides crucial hints that can help someone crack that password, researchers at Carnegie Mellon University have demonstrated.

Related Articles


A team led by Ashwini Rao, a software engineering Ph.D. student in the Institute for Software Research, developed a password-cracking algorithm that took into account grammar and tested it against 1,434 passwords containing 16 or more characters. The grammar-aware cracker surpassed other state-of-the-art password crackers when passwords had grammatical structures, with 10 percent of the dataset cracked exclusively by the team's algorithm.

"We should not blindly rely on the number of words or characters in a password as a measure of its security," Rao concluded. She will present the findings on Feb. 20 at the Association for Computing Machinery's Conference on Data and Application Security and Privacy (CODASPY 2013) in San Antonio, Texas.

Basing a password on a phrase or short sentence makes it easier for a user to remember, but the grammatical structure dramatically narrows the possible combinations and sequences of words, she noted.

Likewise, grammar, whether good or bad, necessitates using different parts of speech -- nouns, verbs, adjectives, pronouns -- that also can undermine security. That's because pronouns are far fewer in number than verbs, verbs fewer than adjectives and adjectives fewer than nouns. So a password composed of "pronoun-verb-adjective-noun," such as "Shehave3cats" is inherently easier to decode than "Andyhave3cats," which follows "noun-verb-adjective-noun." A password that incorporated more nouns would be even more secure.

"I've seen password policies that say, 'Use five words,'" Rao said. "Well, if four of those words are pronouns, they don't add much security."

For instance, the team found that the five-word passphrase "Th3r3 can only b3 #1!" was easier to guess than the three-word passphrase "Hammered asinine requirements." Neither the number of words nor the number of characters determined password strength when grammar was involved. The researchers calculated that "My passw0rd is $uper str0ng!" is 100 times stronger as a passphrase than "Superman is $uper str0ng!," which in turn is 10,000 times stronger than "Th3r3 can only b3 #1!"

The research was an outgrowth of a class project for a masters-level course at CMU, Rao said. She and Gananand Kini, a fellow CMU graduate student, and Birendra Jha, a Ph.D. student at MIT, built their password cracker by building a dictionary for each part of speech and identifying a set of grammatical sequences, such as "determiner-adjective-noun" and "noun-verb-adjective-adverb," that might be used to generate passphrases.

Rao said the grammar-aware password cracker was intended only as a proof of concept and no attempt has been made to optimize its performance. But it is only a matter of time before someone does, she predicted.


Story Source:

The above story is based on materials provided by Carnegie Mellon University. Note: Materials may be edited for content and length.


Cite This Page:

Carnegie Mellon University. "Grammar undercuts security of long computer passwords." ScienceDaily. ScienceDaily, 24 January 2013. <www.sciencedaily.com/releases/2013/01/130124123549.htm>.
Carnegie Mellon University. (2013, January 24). Grammar undercuts security of long computer passwords. ScienceDaily. Retrieved December 19, 2014 from www.sciencedaily.com/releases/2013/01/130124123549.htm
Carnegie Mellon University. "Grammar undercuts security of long computer passwords." ScienceDaily. www.sciencedaily.com/releases/2013/01/130124123549.htm (accessed December 19, 2014).

Share This


More From ScienceDaily



More Computers & Math News

Friday, December 19, 2014

Featured Research

from universities, journals, and other organizations


Featured Videos

from AP, Reuters, AFP, and other news services

Navy Unveils Robot Fish

Navy Unveils Robot Fish

Reuters - Light News Video Online (Dec. 18, 2014) The U.S. Navy unveils an underwater device that mimics the movement of a fish. Tara Cleary reports. Video provided by Reuters
Powered by NewsLook.com
How 2014 Shaped The Future Of The Internet

How 2014 Shaped The Future Of The Internet

Newsy (Dec. 18, 2014) It has been a long, busy year for Net Neutrality. The stage is set for an expected landmark FCC decision sometime in 2015. Video provided by Newsy
Powered by NewsLook.com
White House: Sony Hack a 'serious National Security Matter'

White House: Sony Hack a 'serious National Security Matter'

AFP (Dec. 18, 2014) White House spokesperson Josh Earnest says cyber attacks that ultimately prompted Sony Pictures to scrap the release of a madcap comedy about North Korea are a "serious national security matter." Duration: 00:35 Video provided by AFP
Powered by NewsLook.com
Google Maps Lets You Tour Street View in Virtual Reality

Google Maps Lets You Tour Street View in Virtual Reality

Buzz60 (Dec. 18, 2014) Google Maps now lets Android users see cities on Street View in virtual reality with the special Cardboard feature. Sean Dowling (@Seandowlingtv) has the details. Video provided by Buzz60
Powered by NewsLook.com

Search ScienceDaily

Number of stories in archives: 140,361

Find with keyword(s):
Enter a keyword or phrase to search ScienceDaily for related topics and research stories.

Save/Print:
Share:

Breaking News:

Strange & Offbeat Stories


Space & Time

Matter & Energy

Computers & Math

In Other News

... from NewsDaily.com

Science News

Health News

Environment News

Technology News



Save/Print:
Share:

Free Subscriptions


Get the latest science news with ScienceDaily's free email newsletters, updated daily and weekly. Or view hourly updated newsfeeds in your RSS reader:

Get Social & Mobile


Keep up to date with the latest news from ScienceDaily via social networks and mobile apps:

Have Feedback?


Tell us what you think of ScienceDaily -- we welcome both positive and negative comments. Have any problems using the site? Questions?
Mobile: iPhone Android Web
Follow: Facebook Twitter Google+
Subscribe: RSS Feeds Email Newsletters
Latest Headlines Health & Medicine Mind & Brain Space & Time Matter & Energy Computers & Math Plants & Animals Earth & Climate Fossils & Ruins