Security News

Bad Grammar Make Bestest Password, Research Say

Posted by samzenpus
from the power-of-slang dept.
An anonymous reader writes "NewScientist reports, 'Along with birthdays, names of pets and ascending number sequences, add one more thing to the list of password no-nos: good grammar.' Researchers from Carnegie Mellon University seem to have developed a password cracking algorithm that targets grammatically correct passwords. Can bad grammar really make your password secure?"
  • Certainly (Score:3, Insightful)

    by vAltyR (1783466) on Sunday January 20, 2013 @01:56PM (#42640715)
    There are many more ways to have bad grammar than there are to have good grammar.
    • In other news, making spelling mistakes defeats a dictionary attack.

      Because by spelling the words wrong, they no longer appear in the set of words known as "the dictionary".

      • Re:Certainly (Score:4, Insightful)

        by mwvdlee (775178) on Sunday January 20, 2013 @02:21PM (#42640893) Homepage

        Unless those dictionaries contain common misspellings, which they probably already do.

        • by AmiMoJo (196126) *

          It's actually fairly easy to do algorithmically, in the same way many password crackers already try common number/letter replacements (pa55w0rd), adding single digits and dates to the end of dictionary words, capitalizing the first letter or every other letter etc. Just append -ed and -ing to every word, drop silent k's, reverse i and e (e.g. recieve) and so forth.

          • by Macrat (638047)

            It's actually fairly easy to do algorithmically, in the same way many password crackers already try common number/letter replacements (pa55w0rd), adding single digits and dates to the end of dictionary words, capitalizing the first letter or every other letter etc. Just append -ed and -ing to every word, drop silent k's, reverse i and e (e.g. recieve) and so forth.

            Very true. That's why I find it so amusing when IT people think a system is more secure because their passwords require 1 capitalized letter and 1 number.

            • by Cryacin (657549)
              canIhazzhorzeburgerz

              Great. Now I ahve to change my pssaword againz.
              • by rwa2 (4391) *

                I think the mistake is that they call it a "password" and not a "passphrase".

                Most of my better passphrases are made from a few bars of a poem or song I know. Even better, when it comes time to change passphrases every 90 days or so, I can just go on to the next verse without too much thought. The only hard part is not to hum or dance to an obvious tune or rhythm after logging in. And maybe remembering which letters you turn to 133+ if necessary.

                e.g.:
                Ittrl,itjf(14ls;tnefr

                (first verse of 'Bohemian Rhapsody')

            • by JWSmythe (446288)

              Well, if we didn't say it, they'd all make their passwords "password", their own first name, or some other amazingly simple word. [cbsnews.com]

              They always glaze over when you try to explain strong passwords. No matter what you tell them, you can always sit down at their desk and say "what's your password?", just to find out it's "Password1" or "1234567A"

              • Re: (Score:2, Insightful)

                by Anonymous Coward

                Well, if we didn't say it, they'd all make their passwords "password", their own first name, or some other amazingly simple word. [cbsnews.com]

                They always glaze over when you try to explain strong passwords. No matter what you tell them, you can always sit down at their desk and say "what's your password?", just to find out it's "Password1" or "1234567A"

                For everything outside of my place of work, I use a password safe program and (if I can) at least a 42 character password using the largest possibly set, generated randomly.
                At work, where I'm not allowed to use a password safe and am required to memorize no fewer than 30 passwords, most of which have to be updated at least monthly, and cannot use any password I've used in the last 6 months.... my password is my first name and last initial, followed by a number which is how many times I've had to reset it. Y

      • In other other news, Google penalizes the rankings of spelling and grammatical errors. Cynically, I'm surprised this headline got posted.
      • Dictionary attacks aren't always that useful for authentication systems that block logins on an account after a few missed attempts. However, a few stripped-down NAS nasties are set to allow infinite login attempts. It was kind of fun watching the password attempts; they were sort of half dictionary, half psychology, lots of old favourites. But they were all single words, I noticed, and not very long at that.
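The rule-based mangling AmiMoJo lists above (leet substitutions, appended digits and suffixes, dropped silent k, i/e swaps) and mwvdlee's point that word lists already cover common misspellings are exactly what a password-acceptance check should model: if a candidate reduces to a dictionary word under any of those rules, the misspelling has bought nothing. The following is an added example, not code from the article or from any commenter; it applies the inverse of each rule to a candidate and looks the result up in a small constructed word list (a real check would load a full dictionary plus a misspelling list). The rule set, the 12-character minimum and the word list are assumptions chosen for the illustration.

```python
import re

# Constructed mini word list for the demo; a real deployment would load a
# full dictionary (e.g. /usr/share/dict/words) plus a list of common misspellings.
DICTIONARY = {
    "password", "receive", "knight", "horse", "battery", "staple",
    "cat", "cats", "secret", "dragon", "gorillas",
}

# Inverse of the substitutions a rule-based cracker tries ("pa55w0rd" -> "password").
LEET_TO_ALPHA = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
}

# Suffixes crackers commonly append to base words (assumed rule set).
SUFFIXES = ("ed", "ing", "es", "s")


def unleet(s):
    """Map digits/symbols back to the letters they usually stand in for."""
    return "".join(LEET_TO_ALPHA.get(c, c) for c in s)


def strip_tail(s):
    """Remove trailing digits, dates and punctuation ('password1!' -> 'password')."""
    return re.sub(r"[0-9!@#$%^&*._\-]+$", "", s)


def base_forms(pw):
    """Enumerate the base words a mangling rule set could have produced `pw` from."""
    forms = set()
    lowered = pw.lower()
    for variant in (lowered, unleet(lowered)):
        for t in (variant, strip_tail(variant)):
            if not t:
                continue
            forms.add(t)
            forms.add(t[::-1])                  # reversed word
            forms.add("k" + t)                  # dropped silent k ("night" from "knight")
            forms.add(t.replace("ie", "ei"))    # i/e transposition ("recieve")
            forms.add(t.replace("ei", "ie"))
            for suf in SUFFIXES:                # appended -ed / -ing / -s
                if t.endswith(suf) and len(t) > len(suf) + 2:
                    forms.add(t[: -len(suf)])
            for n in (2, 3, 4):                 # one word repeated n times
                if len(t) % n == 0 and t[: len(t) // n] * n == t:
                    forms.add(t[: len(t) // n])
    return forms


def is_mangled_dictionary_word(pw, dictionary=DICTIONARY):
    """True if `pw` is a dictionary word under any of the modelled mangling rules."""
    return any(f in dictionary for f in base_forms(pw))


def check_password(pw, dictionary=DICTIONARY):
    """Acceptance check for a new password: returns (accepted, reason)."""
    if is_mangled_dictionary_word(pw, dictionary):
        return False, "derived from a dictionary word by a common mangling rule"
    if len(pw) < 12:                            # assumed minimum length
        return False, "shorter than 12 characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("pa55w0rd", "Recieve1", "night", "gorillasgorillasgorillas1",
                      "correcthorsebatterystaple"):
        print(candidate, check_password(candidate))
```

The check is deliberately generous in what it reverses: a false rejection costs the user one more attempt, while a false acceptance hands the attacker a password that a stock rule file recovers in seconds. It also catches the "repeat a word three times and add a digit" construction suggested further down the thread, which is long but is only one dictionary word, a repeat count and a digit to an attacker who models that pattern.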

  • Of coarse (Score:5, Funny)

    by ArcadeMan (2766669) on Sunday January 20, 2013 @01:56PM (#42640717)

    Shekuritee bai aubskureeti.

    • by c0lo (1497653)
      Grammar! [xkcd.com], not syntax.
  • Corollary (Score:4, Insightful)

    by eksith (2776419) on Sunday January 20, 2013 @02:01PM (#42640753) Homepage
    Entering wrong information for password reminders / security questions.
    • My typical password reminder is "Fuck you." Good luck figuring out what my password is with that hint :)

    • Re:Corollary (Score:5, Insightful)

      by jones_supa (887896) on Sunday January 20, 2013 @02:36PM (#42641007)

      Entering wrong information for password reminders / security questions.

      My opinion is that password hints and security questions are really just a bad idea which websites should possibly stop using completely. They can easily ruin the whole security even if your password itself is robust.

    • I usually pick a random question from the list and just mash in a lot of characters beneath that. An answer like "4rtilufga,lghajkhgigh;klgnulahglhsafgvubhgu s" is hard to guess.
  • by parallel_prankster (1455313) on Sunday January 20, 2013 @02:02PM (#42640759)
    Are there infinite ways to screw grammar while creating a password? I would think there are certain patterns in which people misuse grammar. I would imagine though that at some point if everyone started using bad grammar styles for constructing passwords, those patterns would become identifiable and then someone would put together a password cracker that would deal with poor-grammar-filled passwords as well, right? I couldn't find the exact paper to read but the example on the website "ihave3cats" seems to be like a language thing that can be identified at some point by some urban dictionary reader!
    • by McGruber (1417641) on Sunday January 20, 2013 @02:12PM (#42640829)
      Are dere infinite ways t'screw grammar while creatin' passwo'd? ah' would dink dere are certain patterns in which sucka's mis-use grammar. Ah be baaad... ah' would imagine dough dat at some point if every one started usin' bad-ass grammar styles fo' constructin' passwo'ds, dat dose patterns would become identifiable and den someone would put togeda' a passwo'd cracka' dat would deal wid poo'-grammar-filled passwo'ds as sheeit right? ah' couldn't find da damn exact sheet t'read but da damn example on de website "igots'3cats" seems t'be some likes some language wahtahmellun dat kin be identified at some point by some urban dicshunary eyeballer. Right On!
    • by mysidia (191772)

      It would be better to have no grammar structure at all in passwords, good or bad. Select a random assortment of words, not words that can be strung together using conventional grammar rules, or even distortions of conventional grammar rules.

      And transform any words in such a way that no word used is a legitimate word.

      3hav-ayekatkitt-ees

      • by Kjella (173770)

        Which achieves one goal at the cost of memorability. Particularly if you want a password that can survive an offline brute force cracking attempt as opposed to guessing over the network it should be 20+ characters long because each character only adds 8 bits of entropy - in practice more like 6 bits. Looking at it the other way from the would-be cracker's perspective, what do you have? Brute force attacks and dictionary attacks. The easiest way to avoid both is to take a long, easy to memorize phrase and fu

      • Select a random assortment of words, not words that can be strung together using conventional grammar rules, or even distortions of conventional grammar rules.

        Correct horse battery staple! http://xkcd.com/936/

    • Many ways 2 brake gramma there are.

      Yoda ask -- answers he will give?

      even Something like this" could screw up a grammer based guesser .
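Kjella's point above (a password has to survive offline brute force, and each character is worth well under 8 bits) and the xkcd 936 reply (random words from a list) are both entropy arguments, and "gorillasgorillasgorillas1" further down the thread is where the length-equals-strength intuition fails. The following added example, which is not from the article or any commenter, computes the bits of entropy for each construction discussed and the worst-case time to exhaust it. The alphabet and word-list sizes, the guessing rate of 1e10 per second and the assumed "1 in 1000 word sequences are grammatical" fraction are all assumptions chosen for the illustration; the grammar-fraction model is the generalisation of what the researchers exploit, not their actual algorithm.

```python
import math
import secrets

# All sizes below are assumptions chosen for the illustration.
PRINTABLE_ASCII = 95        # printable ASCII characters
DICEWARE_WORDS = 7776       # size of a standard Diceware list (6^5)
ENGLISH_WORDS = 100_000     # rough size of an English word list
GUESSES_PER_SECOND = 1e10   # assumed offline hash-cracking rate


def bits_random_chars(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy of `length` characters drawn uniformly from an alphabet.
    For 95 printable characters this is about 6.6 bits per character."""
    return length * math.log2(alphabet_size)


def bits_random_words(n_words, wordlist_size=DICEWARE_WORDS):
    """Entropy of n words drawn uniformly and independently from a word list."""
    return n_words * math.log2(wordlist_size)


def bits_grammatical_phrase(n_words, wordlist_size, admissible_fraction):
    """Entropy of an n-word phrase when grammar rules out all but a fraction of
    the word sequences: the attacker skips the rest, so the space shrinks by
    log2(1/admissible_fraction) bits. The fraction is an assumed model parameter."""
    return n_words * math.log2(wordlist_size) + math.log2(admissible_fraction)


def bits_repeated_word(wordlist_size=ENGLISH_WORDS, max_repeats=4, max_digit_suffix=10):
    """Entropy of 'one word repeated k times plus a digit' (gorillasgorillasgorillas1)
    against an attacker who models that pattern: choose the word, the repeat
    count (1..max_repeats) and the suffix digit."""
    return (math.log2(wordlist_size) + math.log2(max_repeats)
            + math.log2(max_digit_suffix))


def years_to_exhaust(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the given guessing rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def random_passphrase(n_words, wordlist):
    """Pick words with a CSPRNG; the uniform random choice, not the phrase's
    length, is what supplies the entropy computed above."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def compare():
    """Bits and brute-force years for the constructions discussed in the thread."""
    rows = {
        "10 random printable chars": bits_random_chars(10),
        "4 random Diceware words": bits_random_words(4),
        "4-word grammatical phrase (1 in 1000 admissible)":
            bits_grammatical_phrase(4, DICEWARE_WORDS, 1e-3),
        "'gorillasgorillasgorillas1' style (25 chars)": bits_repeated_word(),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits)) for name, bits in rows.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:52s} {bits:6.1f} bits  {years:12.3g} years")
```

The table makes the thread's disagreement concrete: the 25-character repeated word has about 22 bits against an attacker who models the pattern, less than a 4-character random string, while four random list words beat ten random characters only if the words are chosen by a random process rather than by a phrase the user already knows. Grammar matters only as a multiplier on the word-sequence space; the bigger loss is choosing words non-uniformly in the first place.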

  • To make a good password just don't think about it. Don't use anything that you would have to remember or figure out, type something random into the password box, copy the password and then remember it.
  • by the monolith (1174927) on Sunday January 20, 2013 @02:55PM (#42641103)
    Instead of using words, how about playing the keyboard as if it were a piano (or any other keyboard-like instrument)

    Here is an example of a musical login: pvy89pvvv[890[]vv

    For this example, position your right hand with the thumb on the 'v' key, then play the sequence as if they were notes, then listen to C.P.E. Bach - Minuet In G Major for what it should really sound like.

    If you like impressive music, try: uppvyuvyyyyuyvvyuvyuppvyuvyyyyuyvvyuyv
    Leo Arnaud - Buglers Dream

    • by Acapulco (1289274)

      Try that on an iPad or any other non-keyboard device. I don't think it will work for some of those devices.

    • by nzac (1822298)

      Do you not see the repetition there? That method produces terrible passwords. How is pressing the same key exactly 4 times in a row at speed?

      They are getting strong enough not to low fruit and fall to a mass hash cracking but someone only has to observe you typing that in from a distance once, observe your fingers not move, and will rearrange word list to favor small character spaces.

      PS when you put this method on the internet you can no longer use it unless you never reuse your user-name.

  • I find that an even better way to construct a password (that you can still remember) is to use a language other than English for all or part of it. More specifically, it works best if you use a language that requires transliteration to type in the Latin character set and then use your own transliteration/transcription spelling (rather than, necessarily, the common or "official" one). Good examples might be words in Hebrew, Russian or Greek.

    Consider the Russian word for 'good'. I will spell it using

  • Bad grammar you use must for secure password...
  • It is a well known fact that choosing words you will find in a dictionary as your password is not a good idea. This has been known for a looong time (get it?) Basically all this new "study" says is: "Hey, misspelled words are better than words spelled correctly!" Or in other words: "Hey! Stuff that isn't in the dictionary is better than stuff that is!" And in yet other words: All they did was re-frame what has been known for a long time and confuse themselves into thinking they discovered something n
    • by 1u3hr (530656)

      It is a well known fact that choosing words you will find in a dictionary as your password is not a good idea.

      It's a better idea than a single word, or name, which is what many people still do. Anyway, even if you use real words, with the English language having well over 100,000 words, a few words gives you a very, very large space. Using correct grammar cuts it down, of course. But TFA was about attacks trying billions of passwords. What kind of idiotic system allows someone to attempt to log in billions of times at high speed?

      • by neminem (561346)

        A large space, but still an easily searchable one, given enough time, and a system that allows dictionary attacks, which many do, even though it would be easy enough to disallow it.

        So why do that, when it's easy enough to use words that are still words, but not words in standard dictionaries? (i.e. names of fictional characters, words made up by the company you work for or that are specific jargon of your field, internet memes, etc.)

        • by 1u3hr (530656)

          So why do that, when it's easy enough to use words that are still words, but not words in standard dictionaries? (i.e. names of fictional characters, words made up by the company you work for or that are specific jargon of your field, internet memes, etc.)

          Because the "geekily obscure" words like that are the very first ones that will be checked. Geeks have been using words from Tolkien and such as logins and passwords from the dawn of time. I remember one guy who was mystified that his password "THX-1138" had been cracked by someone... I had a hard time not laughing.

  • @11yourbA5es@r3Be10ngtoUS

  • Yes, if it is bad enough. Examples:

    Sp/k)]Vi5PTa
    h@#FZh_\,
    _HA67C_1N{vh

    Of course no password is secure if you use on more than one site.

  • This means that most slashdot posters are safe. Seriously, the worst spelling and grammar I see online are right here amongst what should be a well-educated group of people.
    • by rsborg (111459)

      This means that most slashdot posters are safe. Seriously, the worst spelling and grammar I see online are right here amongst what should be a well-educated group of people.

      It's even uprated, seemingly, for the bad grammar and spelling. I think it's a sign saying "I'm not a bot - at least not a simpleton".

  • If grammar is relevant at all, your password should already be long enough to be pretty secure.

  • I speak English and Swedish. I find it easy to concoct "Swinglish" words and phrases that are invalid in any language yet easy for me to remember.

    I think that ought to be secure.

  • I usually think of a phrase, take the first letter of each word, and leetify some of the letters. "My what a lovely unicorn with no horn you have" becomes MwalUwnHuh which then becomes Mw@lUw!Huh.

    My phrases are generally song lyrics, and yes I do need to write them down until I've used them 3-4 times.

  • Allyerpa55wurdrbelong2us
  • Make it over 23 letters (or 24, I forget). The end. That's unhackable by anything anywhere ever. Then it can be "gorillasgorillasgorillas1" and it won't matter because nobody could ever possibly hack it.
  • My home WPA password works on that premise. It's not in the dictionary, not random letters and numbers either but is easy enough to spell when heard if family or a friend visiting need access.
  • Personally, I'd go for words in the Inuit language(s). Inuit words are so wonderfully impossible to guess from a dictionary because of the nature of the language; consider the following example:

    umiaq: a large boat - a 'wife boat'
    umiarssuaq: a big wife boat - ie a ship
    umiarssualivik: a place for a ship: a harbour
    umiarssualivinnguaq: a small harbour
    etc

    Combine that with a complex grammar and the fact that the rules for spelling are somewhat uncertain, and you have the perfect passwords, easy to remember and wr

  • Can bad grammar really make your password secure?

    Not any longer.

  • So, are you telling me, that fascinating (unreadable) short-text/sms-language has a purpose after all?! :)
