Good Grammar Makes Bad Password

Scientific American

When you think up a password for yet another online account, longer is better, right? Well, that's true if your password is a string of random numbers, letters and symbols. But if you use a memorable phrase, as some sites recommend, your super-long password could be twice as easy to crack, assuming the password cracker knows grammar.

Researchers created a grammar-smart algorithm and set it loose on 144 passwords, each a phrase at least 16 characters long. Two-and-a-half-trillion guesses later, it had cracked a quarter of them. And the algorithm decoded a dozen passwords state-of-the-art crackers could not. The researchers are presenting their program at the Conference on Data and Application Security and Privacy, or CODASPY. [Ashwini Rao, Birendra Jha and Gananand Kini, Effect of Grammar on Security of Long Passwords]

The best password crackers can guess 33 billion times a second. Using standard grammar cuts down the number of alphanumeric possibilities—and the time it takes to crack your password. Avoid pronouns and verbs, the researchers say. They're easy to guess because they're few in number, compared to adjectives and nouns. For example, "Sheblindedmewithscience" is a weaker password than "threeblindmicerhyme." See how the hackers run.
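The counting argument above, as an added example (not code from the podcast or from the cited paper): a small Python estimator segments an unspaced passphrase against a constructed part-of-speech lexicon, then compares the number of phrases that share the same grammatical template (product of the per-class dictionary sizes) with the 26^length character-level count, using the 33 billion guesses per second quoted above. The lexicon and the class sizes are assumed stand-in values, not the researchers' figures.

```python
import math

# Constructed toy lexicon (word -> part of speech); a real tool would load a tagged dictionary.
LEXICON = {"she": "PRON", "me": "PRON", "with": "PREP", "blinded": "VERB", "science": "NOUN",
           "three": "NUM", "blind": "ADJ", "mice": "NOUN", "rhyme": "VERB"}
# Assumed words per class in a cracker's dictionary: closed classes tiny, open classes large.
CLASS_SIZE = {"PRON": 30, "PREP": 60, "NUM": 20, "VERB": 5_000, "ADJ": 20_000, "NOUN": 40_000}
GUESSES_PER_SECOND = 33e9  # cracker speed quoted in the podcast

def segment(pw, lexicon=LEXICON):
    """Split an unspaced lowercase passphrase into the fewest lexicon words (DP); None if impossible."""
    n = len(pw)
    best = [None] * (n + 1)  # best[i] = (word_count, start_of_last_word) for pw[:i]
    best[0] = (0, None)
    for i in range(1, n + 1):
        for j in range(i):
            if best[j] is not None and pw[j:i] in lexicon:
                cand = best[j][0] + 1
                if best[i] is None or cand < best[i][0]:
                    best[i] = (cand, j)
    if best[n] is None:
        return None
    words, i = [], n
    while i > 0:  # walk the back-pointers to recover the split
        j = best[i][1]
        words.append(pw[j:i])
        i = j
    return words[::-1]

def grammar_guesses(pw):
    """Number of phrases sharing pw's part-of-speech template (product of class sizes), or None."""
    words = segment(pw)
    if words is None:
        return None
    template = [LEXICON[w] for w in words]
    return math.prod(CLASS_SIZE[t] for t in template), template

def brute_force_guesses(pw, alphabet=26):
    """Character-level search space for a lowercase passphrase of this length."""
    return alphabet ** len(pw)

def report(pw):
    """Guessing work in bits under both models, plus grammar-model crack time at the quoted rate."""
    result = grammar_guesses(pw)
    if result is None:
        return None
    count, template = result
    return {"template": template, "grammar_bits": round(math.log2(count), 1),
            "bruteforce_bits": round(math.log2(brute_force_guesses(pw)), 1),
            "grammar_seconds": count / GUESSES_PER_SECOND}
```

Under these assumed class sizes the 23-character "sheblindedmewithscience" admits fewer grammatical alternatives (about 43 bits) than the 19-character "threeblindmicerhyme" (about 46 bits), even though its character-level space is far larger.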

—Christopher Intagliata

[The above text is a transcript of this podcast.]

© 2013 ScientificAmerican.com. All rights reserved.