Passwords with grammar chaotic secure make
A study from Carnegie Mellon University in Pittsburgh, Pennsylvania confirms that long passwords are not necessarily more secure than short ones: if common expressions or phrases are used for authentication, password crackers can apply suitable rules to recover them. The team examined around 1,430 passwords from a previously published study and, using a custom algorithm that followed grammar rules, cracked around 10 per cent more passwords than popular tools.
The researchers examined the way passwords are generated and found that sentence-based passwords usually consist of several short words or a few longer words. Among these passwords are two-word and three-word phrases such as "compromisedemail" or "thosedamnhackers". Users resort to such phrases to create passwords that are easy to remember and contain at least 16 characters, as the recommended minimum length for improved password security keeps increasing.
Password crackers, on the other hand, have for some time combined multiple dictionary words in their algorithms, but they try out potential combinations at random. For their study, the researchers instead used the same grammar rules that most users follow. Such phrases take forms like "determiner, adjective, noun" or "pronoun, verb, adverb", for example "thebeautifulqueen" or "sherunsfast". Consequently, if the algorithms in popular tools such as John the Ripper or Hashcat took these language rules into account, passwords could be cracked more efficiently. The researchers say it is only a matter of time before they do.
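As an added illustration (not code from the study or the article), the following Python checks whether a password is a concatenation that fits one of the part-of-speech templates just described, and compares the naive 26^length guess count with the far smaller space a grammar-aware guesser has to search. The tagged lexicon and templates are constructed from the article's own examples; the study used a full tagged dictionary.

```python
import math
# Constructed miniature part-of-speech lexicon for illustration only; the study
# used a full tagged dictionary. Words are taken from the article's examples.
LEXICON = {
    "DET": ["the", "a", "those"],
    "ADJ": ["beautiful", "damn", "fast", "compromised"],
    "NOUN": ["queen", "hackers", "email"],
    "PRON": ["she", "he", "they"],
    "VERB": ["runs", "hacks"],
    "ADV": ["fast", "quietly"],
}

# Grammar templates named in the article (plus a two-word adjective-noun form).
TEMPLATES = [("DET", "ADJ", "NOUN"), ("PRON", "VERB", "ADV"), ("ADJ", "NOUN")]

def grammar_keyspace(templates=TEMPLATES, lexicon=LEXICON):
    """Guesses a grammar-aware guesser needs to exhaust every template:
    the sum over templates of the product of the word-class sizes."""
    return sum(math.prod(len(lexicon[tag]) for tag in t) for t in templates)

def segment(password, template, lexicon=LEXICON):
    """Split `password` into words following `template`, backtracking over
    alternatives (e.g. 'the' vs 'those'); return the words or None."""
    def rec(rest, tags):
        if not tags:
            return [] if rest == "" else None
        for word in lexicon[tags[0]]:
            if rest.startswith(word):
                tail = rec(rest[len(word):], tags[1:])
                if tail is not None:
                    return [word] + tail
        return None
    return rec(password, template)

def matching_template(password, templates=TEMPLATES, lexicon=LEXICON):
    """Return (template, words) for the first template the password fits, else None."""
    for t in templates:
        words = segment(password, t, lexicon)
        if words is not None:
            return t, words
    return None

def strength_estimate(password):
    """(naive_bits, grammar_bits): naive_bits treats every lowercase string of that
    length as equally likely; grammar_bits is the grammar-aware work, or None if no fit."""
    naive_bits = len(password) * math.log2(26)
    fits = matching_template(password)
    return naive_bits, (math.log2(grammar_keyspace()) if fits else None)
```

A password-policy check that warns when `matching_template` returns a hit is the practical form of the article's advice to break the grammar of a phrase-based password.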
The study therefore suggests that length alone does not decide the security of a password. Password crackers have previously added biblical quotes to their libraries to crack passwords built from those sentences. When creating secure passwords, it pays to get creative: when a password is built on a known template, such as a silly phrase, a song lyric or a quote, users should alter the original to some degree. Only passwords that are generated chaotically, using numbers and special characters as well as incorrect grammar, can test the limits of some cracking tools.