Bad Grammar Make Good Password

Along with birthdays, names of pets and ascending number sequences, add one more thing to the list of password no-nos: good grammar.

An algorithm developed by Ashwini Rao and colleagues at Carnegie Mellon University in Pittsburgh, Pennsylvania, makes light work of cracking long passwords that make grammatical sense as a whole phrase, even when they are interspersed with numbers and symbols.

Rao's algorithm builds guesses by combining words and phrases from password-cracking dictionaries into grammatically correct phrases. Other cracking programs make multiple guesses from each dictionary word on its own, trying "catscats" and "catsstac" as well as plain "cats", but none of them makes the jump to combining several words or phrases in a way that makes grammatical sense, such as "Ihave3cats".

Ten per cent of the long passwords that Rao and her team tested were cracked only by their grammar-aware method; those passwords withstood well-known cracking tools such as John the Ripper and Hashcat.

As processing power keeps falling in price, choosing passwords that are easy to memorise but still secure is getting harder and harder. A $US3000 computer running suitable software can make 33 billion password guesses every second. That rate applies to fast, unsalted hashes; a deliberately slow password hash such as bcrypt or scrypt cuts the same hardware's guess rate by several orders of magnitude, so the hash a site uses matters alongside the password itself.
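To make the difference between per-word mangling and grammar-aware guessing concrete, here is an added illustration that is not code from the article or from Rao and colleagues. It puts a toy version of each generator side by side, checks which one reaches "Ihave3cats", and goes a step beyond the text by sizing the grammar's keyspace against a naive character-level search at the 33 billion guesses per second figure quoted above. The tagged word lists, the three phrase productions, the mangling rules and the sample wordlist are all constructed assumptions for the example, not the researchers' data.

```python
"""Grammar-aware guessing beside per-word mangling (illustrative example)."""
import itertools

# Constructed mini-lexicon tagged by part of speech (assumption, not the
# researchers' data).
LEXICON = {
    "PRON": ["I", "we", "you", "they"],
    "VERB": ["have", "love", "hate", "want", "need"],
    "NUM":  ["2", "3", "4", "5"],
    "ADJ":  ["big", "fat", "cute", "lazy"],
    "NOUN": ["cats", "dogs", "kids", "cars"],
}

# Toy phrase grammar: each production is a sequence of tags (assumption).
GRAMMAR = [
    ("PRON", "VERB", "NUM", "NOUN"),          # I have 3 cats
    ("PRON", "VERB", "NUM", "ADJ", "NOUN"),   # we want 2 fat dogs
    ("PRON", "VERB", "NOUN"),                 # they love cars
]


def mangle(word):
    """Per-word rules of the kind conventional crackers apply: the word,
    doubled, word + reversed word, reversed, capitalised, digit appended."""
    yield word
    yield word + word            # catscats
    yield word + word[::-1]      # catsstac
    yield word[::-1]
    yield word.capitalize()
    for digit in "0123456789":
        yield word + digit
        yield word.capitalize() + digit


def wordlist_guesses(words):
    """Every mangled form of every dictionary word, one word at a time."""
    for word in words:
        yield from mangle(word)


def grammar_guesses(lexicon=LEXICON, grammar=GRAMMAR):
    """Every phrase the grammar generates, joined without spaces, in its
    original, all-lowercase and first-letter-capitalised forms."""
    for production in grammar:
        slots = [lexicon[tag] for tag in production]
        for combo in itertools.product(*slots):
            phrase = "".join(combo)
            variants = {phrase, phrase.lower(), phrase[0].upper() + phrase[1:]}
            yield from sorted(variants)


def grammar_keyspace(lexicon=LEXICON, grammar=GRAMMAR):
    """Number of distinct phrases before case variants: the sum over
    productions of the product of the slot sizes."""
    total = 0
    for production in grammar:
        size = 1
        for tag in production:
            size *= len(lexicon[tag])
        total += size
    return total


def brute_force_keyspace(length, alphabet_size=62):
    """Keyspace of a naive attack on a password of the same length drawn
    from upper-case, lower-case and digits."""
    return alphabet_size ** length


def cracked_by(target, guesses):
    """True if the guess stream produces the target exactly."""
    return any(guess == target for guess in guesses)


def seconds_to_exhaust(keyspace, guesses_per_second=33e9):
    """Worst-case time to exhaust a keyspace at the article's 33 billion
    guesses per second (a rate that presumes a fast, unsalted hash)."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    target = "Ihave3cats"
    words = ["cats", "have", "I", "dogs"]          # constructed wordlist
    print("per-word mangling finds it:", cracked_by(target, wordlist_guesses(words)))
    print("grammar generator finds it: ", cracked_by(target, grammar_guesses()))
    phrases = len(set(grammar_guesses()))
    naive = brute_force_keyspace(len(target))
    print(f"grammar keyspace: {phrases} guesses, "
          f"{seconds_to_exhaust(phrases):.2e} s to exhaust")
    print(f"naive keyspace:   {naive} guesses, "
          f"{seconds_to_exhaust(naive) / 86400:.0f} days to exhaust")
```

The point the numbers make is the paper's: a ten-character password that looks like it lives in a space of 62^10 candidates actually lives in a space of a few thousand once an attacker models the grammar it was built from, and that space is exhausted in well under a second at the quoted guess rate. Extending the lexicon and grammar to realistic sizes grows the space, but far more slowly than adding characters chosen at random.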

In a paper due to be presented at the Conference on Data and Application Security and Privacy in San Antonio, Texas, next month, the researchers suggest that other types of familiar structures like postal addresses, email addresses and URLs may also make for less secure passwords, even if they are long.

    I literally laughed out loud when I read that title. Thanks for that!

    And yes, bad grammar adds to password protection, but again it adds to memory issues.

    Honestly, I like the idea of an authenticator for my phone (think Blizzard, Paypal, what-have-you) to replace passwords altogether. I thought about writing something similar, but decided ultimately I was too lazy. (It's probably patented anyway...)

    Make you a good password, I can

    You can combine the big no-nos of password creation into a strong password by interleaving them. Use common names/words and dates of birth. Easy, yet strong.
    e.g. Cats + Date of birth (150179) = c1a5t0s179
    That's how the pros do it (or how I do it anyway)

      like “Ihave3cats”, for instance.
      The correct grammar is "ihaz3cats", as everyone who lives on the internets knows.

      Last edited 18/01/13 5:38 pm

        PPS. (Am I just talking to myself here?)
        Office workers who need to lock their screen, or enter passwords regularly, should try this quick, dirty and effective method: Use keyboard patterns, not 'passwords'.
        e.g. q7w8e9 or qw78er or qwe789
        One, two or three consecutive keyboard characters, same for numerical pad, and characters again.
        Super quick, and no-one has hacked me yet. Touch wood.

    The fact is that all it takes is for someone to be standing behind you as you enter your password and they will have a fair idea of what your password is.

    Where I work we have a hot seat arrangement. That is, we don't necessarily sit at the same computer each day. For that reason we have roaming profiles. Of course even if your roaming profile works as advertised, a rare occurrence, when you sit at a new computer, it takes 10-15 min to load your profile from the main server. I had this idea when I first started working here. Instead of roaming profiles, use smart cards with storage on them to store your profile. You get in in the morning and sit at a new PC, you slip your smart card in along with your password, your profile loads and you're good to go. We have to carry ID cards on us at all times for ID as well as 2 different RFID tags to get in, so changing the photo ID card to a smart card would not cause too much of a problem, and would remove all the problems we have with roaming profiles.

