Along with birthdays, names of pets and ascending number sequences, add one more thing to the list of password no-nos: good grammar.
An algorithm developed by Ashwini Rao and colleagues at Carnegie Mellon University in Pittsburgh, Pennsylvania, makes light work of cracking long passwords which make grammatical sense as a whole phrase, even if they are interspersed with numbers and symbols.
Rao’s algorithm makes guesses by combining words and phrases from password-cracking databases into grammatically correct phrases. While other cracking programs make multiple guesses based on each word in a database, putting in “catscats” and “catsstac” as well as just the word “cats”, none of the programs make the jump to combine multiple words or phrases in a way that makes grammatical sense, like “Ihave3cats”, for instance.
Ten per cent of the long passwords that Rao and her team tested were cracked exclusively using their grammar-sensitive methods, unyielding in the face of other well-known cracking algorithms such as John the Ripper and Hashcat.
As processing power continues to fall in price, choosing passwords that are easily memorised but secure is getting harder and harder. A $US3000 computer running appropriate algorithms can make 33 billion password guesses every second.
In a paper due to be presented at the Conference on Data and Application Security and Privacy in San Antonio, Texas, next month, the researchers suggest that other types of familiar structures like postal addresses, email addresses and URLs may also make for less secure passwords, even if they are long.