Grammar undermines password security

Posted by Emma Woollacott

The grammar you use - good or bad - when constructing a password can be enough to help someone crack it, say researchers at Carnegie Mellon University.

They've developed a password-cracking algorithm that takes grammar into account, and tested it against 1,434 passwords containing 16 or more characters. And, they say, it beat other state-of-the-art password crackers hands-down when passwords had grammatical structures, with 10 percent of the dataset cracked exclusively by the algorithm.

"We should not blindly rely on the number of words or characters in a password as a measure of its security," warns software engineering PhD student Ashwini Rao.

Users often base passwords on a phrase or short sentence, making it easier to remember. However, the grammatical structure dramatically narrows the possible combinations and sequences of words, says Rao.

Likewise, grammar, whether good or bad, means using different parts of speech — nouns, verbs, adjectives or pronouns — that also can undermine security. It's because pronouns are far fewer in number than verbs, verbs fewer than adjectives and adjectives fewer than nouns.

So a password composed of "pronoun-verb-adjective-noun," such as "Shehave3cats" is inherently easier to decode than "Andyhave3cats," which follows "noun-verb-adjective-noun." A password that incorporated more nouns would be even more secure.

"I've seen password policies that say, 'Use five words'," says Rao. "Well, if four of those words are pronouns, they don't add much security."

For instance, the team found that the five-word passphrase "Th3r3 can only b3 #1!" was easier to guess than the three-word passphrase "Hammered asinine requirements." Neither the number of words nor the number of characters determined password strength when grammar was involved.

The researchers calculated that "My passw0rd is $uper str0ng!" is 100 times stronger as a passphrase than "Superman is $uper str0ng!," which in turn is 10,000 times stronger than "Th3r3 can only b3 #1!"

Rao assures us that the grammar-aware password cracker is intended only as a proof of concept, and that no attempt has been made to optimize its performance. But it's only a matter of time until someone does, she warns.