January 25, 2013

Grammatical Passwords May Be Even Easier To Crack

Last year was a bad one for passwords. After several attacks and subsequent dumps, some websites sifted through the leaked data to determine which passwords were being used most often. Sadly, most of the passwords in use were the elementary “password” or “12345.” It’s becoming increasingly important to have sturdy and resilient passwords, should the worst-case scenario occur. The difficult thing about these sorts of passwords is that while “D9/48{o&*Z[X[nG” may be quite secure, it’s also nearly impossible to remember. This has led many to take a common phrase, such as “There can only be one,” and punch it up with numbers and symbols. Now, researchers at Carnegie Mellon University in Pittsburgh have devised an algorithm meant to look for common grammar, both good and bad, when cracking passwords. This means even “Th3r3 can only b3 #1!” could be a dangerous password when facing this algorithm.

Software engineering PhD student Ashwini Rao led the team that devised this password-cracking algorithm, using grammar as a way to detect and crack these pass codes. To test the new algorithm, Rao and her team ran it against 1,434 passwords, each with 16 or more characters. When facing passwords with grammatical structure (featuring either bad or good grammar), the new algorithm was more effective than “ordinary” password-cracking algorithms. In fact, the new method was able to crack 10 percent of the passwords it faced on its own, without the help of a secondary algorithm. According to Rao, this is proof that giving a password some semblance of grammatical structure does not necessarily make it any safer. Rao will present her team’s findings next month in San Antonio, TX at the Association for Computing Machinery’s Conference on Data and Application Security and Privacy (CODASPY 2013).

According to Rao and her team, the use of grammar in a password makes it easier to crack by giving algorithms like theirs something concrete to look for. Grammatical passwords are often composed of adjectives, nouns, pronouns and verbs. Algorithms can then look for these elements as a starting place and work from there. Because pronouns are not as common as adjectives and verbs, the algorithm knows to look first for these other sentence elements. Therefore, even grammatically incorrect passwords, such as “[email protected]”, can be cracked as easily as a grammatically correct pass code. Even longer passwords can be easily cracked when grammar is involved, says Rao.
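The effect described above can be made concrete with a small entropy estimate. The following is an added illustration, not code from the article or from Rao’s team, and every number in it is a constructed assumption: the part-of-speech class sizes, the flat dictionary size, and the tagging of “There can only be one” are all round-figure guesses chosen to show the mechanism, not values from the study. The point it demonstrates is that an attacker who knows a phrase is grammatical only has to guess each slot from its part-of-speech class, so the search space is the product of the class sizes rather than the dictionary size raised to the number of words, and that leetspeak-style mangling adds only a few bits per word on top of either.

```python
import math

# Constructed, hypothetical vocabulary sizes per part-of-speech class.
# Real sizes depend on the tagger and word list in use; these are round-number
# assumptions for illustration only (not figures from the study).
POS_CLASS_SIZES = {
    "pronoun": 30,
    "auxiliary": 25,     # can, be, is, was, ...
    "number": 100,
    "adverb": 1500,
    "verb": 5000,
    "adjective": 8000,
    "noun": 20000,
}

# Hypothetical size of a flat word list used for ordinary word-by-word guessing.
DICTIONARY_SIZE = 35000


def grammar_search_space(template):
    """Number of phrases to try when each slot is guessed only from the
    part-of-speech class that the grammar predicts for that slot."""
    space = 1
    for tag in template:
        space *= POS_CLASS_SIZES[tag]
    return space


def random_words_search_space(n_words, dictionary_size=DICTIONARY_SIZE):
    """Number of phrases when every word is an independent draw from the whole list."""
    return dictionary_size ** n_words


def bits(space, variants_per_word=1, n_words=1):
    """Effective guessing entropy in bits.

    Mangling each word (e.g. e->3, o->0, capitalisation) multiplies the
    space by variants_per_word for every word, i.e. adds
    n_words * log2(variants_per_word) bits, regardless of the base space."""
    return math.log2(space * variants_per_word ** n_words)


def compare(template, variants_per_word=1):
    """Bits for a grammatical template versus the same number of random words."""
    n = len(template)
    g = bits(grammar_search_space(template), variants_per_word, n)
    r = bits(random_words_search_space(n), variants_per_word, n)
    return {"grammar_bits": g, "random_bits": r, "ratio": 2 ** (r - g)}


if __name__ == "__main__":
    # Illustrative tagging of "There can only be one" (our own, not the study's).
    grammatical = ["pronoun", "auxiliary", "adverb", "auxiliary", "number"]
    print("five-word grammatical phrase, 4 variants per word:",
          compare(grammatical, variants_per_word=4))
    print("three unrelated dictionary words, no mangling:",
          bits(random_words_search_space(3)))
```

With these assumptions the five-word grammatical phrase comes out around 31 bits, and the mangling raises it by only 10 bits; three unrelated dictionary words with no mangling at all come out around 45 bits, which is the direction of the “Hammered Asinine Requirements” comparison in the article. A password policy that wants to reason about passphrase strength therefore has to count the size of each word’s class, not just the number of words.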

“I’ve seen password policies that say, ‘Use five words,'” Rao said in a statement.

“Well, if four of those words are pronouns, they don’t add much security.”

In one example, the password “Th3r3 can only b3 #1!,” despite its mixture of numbers and symbols, was much easier to decipher than the seemingly less secure but non-grammatical “Hammered Asinine Requirements.”

Rao’s team even found that the password “My passw0rd is $uper str0ng!” was 100 times stronger than the password “Superman is $uper str0ng!”

Even the Superman-themed password was 10,000 times stronger than “Th3r3 can only b3 #1!”

Rao has said she doesn’t have any plans to improve her team’s algorithm to make it even stronger, saying she only wanted to develop it as a proof of concept. Though she isn’t planning to improve the algorithm herself, she said someone will probably take the concept and build on it in the future.

Image Credit: Photos.com
