Bad Grammar Make Bestest Password, Research Say

An anonymous reader writes "NewScientist reports, 'Along with birthdays, names of pets and ascending number sequences, add one more thing to the list of password no-nos: good grammar.' Researchers from Carnegie Mellon University seem to have developed a password cracking algorithm that targets grammatically correct passwords. Can bad grammar really make your password secure?"
  • Certainly (Score:3, Insightful)

    by vAltyR ( 1783466 ) on Sunday January 20, 2013 @02:56PM (#42640715)
    There are many more ways to have bad grammar than there are to have good grammar.
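The counting argument in this comment can be made concrete. The following is an added example, not code from the original thread or from the CMU researchers: it uses a constructed toy vocabulary and a single constructed template (determiner, adjective, noun, verb) to compare the size of the grammar-constrained guess space with the space of arbitrary word orderings over the same vocabulary. The word lists, the template and the guess order are assumptions for illustration; real word classes are far larger and a real grammar-aware cracker also orders guesses by word and phrase frequency.

```python
import itertools
import math

# Constructed toy vocabulary (assumption for the demo; not from the paper).
WORD_CLASSES = {
    "Det": ["the", "a", "my", "your"],
    "Adj": ["big", "red", "old", "fast", "lazy"],
    "Noun": ["dog", "cat", "car", "house", "tree", "river"],
    "Verb": ["runs", "sleeps", "jumps", "falls"],
}
# One grammatical template; a real attack would enumerate many.
TEMPLATE = ("Det", "Adj", "Noun", "Verb")
# The whole vocabulary, used for the "any word in any slot" comparison.
VOCAB = sorted({w for words in WORD_CLASSES.values() for w in words})


def grammatical_phrases():
    """Yield phrases that fit TEMPLATE, in product order: the grammar-aware guess list."""
    for words in itertools.product(*(WORD_CLASSES[c] for c in TEMPLATE)):
        yield " ".join(words)


def grammar_space_size():
    """Number of distinct phrases the template can produce."""
    return math.prod(len(WORD_CLASSES[c]) for c in TEMPLATE)


def unconstrained_space_size():
    """Number of 4-word sequences when any vocabulary word may sit in any slot."""
    return len(VOCAB) ** len(TEMPLATE)


def guesses_to_crack(passphrase):
    """How many grammar-aware guesses it takes to hit passphrase, or None if the
    phrase is ungrammatical and the attacker must fall back to the larger space."""
    for n, guess in enumerate(grammatical_phrases(), start=1):
        if guess == passphrase:
            return n
    return None


def bits(space_size):
    """Entropy in bits of a uniform choice from a space of the given size."""
    return math.log2(space_size)


if __name__ == "__main__":
    print("grammatical phrases:", grammar_space_size(), f"({bits(grammar_space_size()):.1f} bits)")
    print("any word order:     ", unconstrained_space_size(), f"({bits(unconstrained_space_size()):.1f} bits)")
    for p in ("the big dog runs", "your lazy river falls", "dog the runs big"):
        print(f"{p!r}: {guesses_to_crack(p)}")
```

The gap is the point of the comment: with this toy vocabulary the template yields 480 phrases (about 8.9 bits) while arbitrary orderings of the same 19 words give 130,321 (about 17 bits). The caveat a practitioner should keep in mind is that an ungrammatical phrase only benefits from the larger space if the attacker's model does not also contain it; a scrambled but common sequence is still a dictionary entry.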
  • Corollary (Score:4, Insightful)

    by eksith ( 2776419 ) on Sunday January 20, 2013 @03:01PM (#42640753) Homepage
    Entering wrong information for password reminders / security questions.
  • by eksith ( 2776419 ) on Sunday January 20, 2013 @03:07PM (#42640793) Homepage
    Easier than sanitizing correctly. Honestly, it's just laziness. There are also some places that actually send you the bloody password from the database when you enter an email (because that's also easier), instead of salt+hashing and just resetting it. And a unicode password would cause issues in the carefully crafted HTML layout of reset email. These are actual excuses I was given by a project manager. He doesn't work with us anymore.
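The alternative the comment describes (store only a salted hash, and on a forgotten password send a reset rather than the password) looks like the following. This is an added example, not code from the thread or from any product mentioned in it; the in-memory user table, the `outbox` list standing in for e-mail delivery, the PBKDF2 iteration count and the 15-minute token lifetime are all assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumption: iteration count chosen for this demo; tune to your hardware.
PBKDF2_ITERATIONS = 200_000
RESET_TTL_SECONDS = 900


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. The stored value cannot be turned back into the password,
    so there is nothing to "send from the database" in the first place."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class UserStore:
    """Constructed in-memory stand-in for the users table and the outgoing-mail queue."""

    def __init__(self):
        self.users = {}    # email -> {"salt": bytes, "hash": bytes}
        self.resets = {}   # sha256(token) -> (email, expiry); the raw token is never stored
        self.outbox = []   # stand-in for e-mail delivery: (email, token)

    def set_password(self, email, password):
        salt, digest = hash_password(password)       # fresh salt on every change
        self.users[email] = {"salt": salt, "hash": digest}

    def login(self, email, password):
        user = self.users.get(email)
        return user is not None and verify_password(password, user["salt"], user["hash"])

    def request_reset(self, email, now=None):
        """Mail a one-time token, never the password. Unknown addresses produce no
        observable difference, so the endpoint does not confirm which accounts exist."""
        token = secrets.token_urlsafe(32)
        if email in self.users:
            key = hashlib.sha256(token.encode("ascii")).digest()
            expiry = (now if now is not None else time.time()) + RESET_TTL_SECONDS
            self.resets[key] = (email, expiry)
            self.outbox.append((email, token))

    def complete_reset(self, token, new_password, now=None):
        key = hashlib.sha256(token.encode("ascii")).digest()
        entry = self.resets.pop(key, None)           # single use: consumed even if expired
        if entry is None:
            return False
        email, expiry = entry
        if (now if now is not None else time.time()) > expiry:
            return False
        self.set_password(email, new_password)
        return True
```

Two design choices worth noting: the reset table holds a hash of the token, so a database read does not yield usable reset links, and `request_reset` behaves identically for known and unknown addresses so that the forgot-password form cannot be used to enumerate accounts.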
  • by bp+m_i_k_e ( 901456 ) on Sunday January 20, 2013 @03:21PM (#42640891)
    None of your phone numbers are changed every 30/60/90 days, while some of your passwords are.
  • Re:Certainly (Score:4, Insightful)

    by mwvdlee ( 775178 ) on Sunday January 20, 2013 @03:21PM (#42640893) Homepage

    Unless those dictionaries contain common misspellings, which they probably already do.

  • by CodeheadUK ( 2717911 ) on Sunday January 20, 2013 @03:34PM (#42640999) Homepage

    A paranoid colleague of mine composed passwords with a sprinkling of extended chars. He entered the whole thing on the numeric keypad with ALT held down.

    I've no idea what his password(s) were, but they caused quite a few badly written apps to explode in a spectacular shower of exceptions and unhandled input errors.

  • Re:Corollary (Score:5, Insightful)

    by jones_supa ( 887896 ) on Sunday January 20, 2013 @03:36PM (#42641007)

    Entering wrong information for password reminders / security questions.

    My opinion is that password hints and security questions are really just a bad idea which websites should possibly stop using completely. They can easily ruin the whole security even if your password itself is robust.

  • by maxwells_deamon ( 221474 ) on Sunday January 20, 2013 @03:57PM (#42641119) Homepage

    I don't have a different phone number for every person I call. People I call do not make up rules like my phone number must be at least x characters long, must have a special character in it, can not have a special character in it, must not begin with an upper case letter, must begin with a character, must begin with an emoticon ;-)
    and I don't know what other crap they are about to come up with...

  • by Zero__Kelvin ( 151819 ) on Sunday January 20, 2013 @04:07PM (#42641183) Homepage

    "Why don't we allow unicode passwords?"

    Because not all systems can handle Unicode, and Unicode itself has multiple internal representations (UTF-8, UTF-16.) Furthermore, there are multiple valid Unicode encodings for the same character stream. In other words, that would be a very bad idea unless you are in an environment where only company approved systems, set up by competent system administrators, are allowed to log in, in which case it would just be a bad idea sans the "very". Even then it is of little value, since a well chosen password still has plenty of entropy, and there is no need to add complexity to the auth system (complexity is the enemy of security.)

  • Re:Certainly (Score:2, Insightful)

    by Anonymous Coward on Sunday January 20, 2013 @07:35PM (#42642671)

    Well, if we didn't say it, they'd all make their passwords "password", their own first name, or some other amazingly simple word.

    They always glaze over when you try to explain strong passwords. No matter what you tell them, you can always sit down at their desk and say "what's your password?", just to find out it's "Password1" or "1234567A"

    For everything outside of my place of work, I use a password safe program and (if I can) at least a 42 character password using the largest possibly set, generated randomly.
    At work, where I'm not allowed to use a password safe and am required to memorize no fewer than 30 passwords, most of which have to be updated at least monthly, and cannot use any password I've used in the last 6 months.... my password is my first name and last initial, followed by a number which is how many times I've had to reset it. Yes, it's weak. No, I really don't give a shit. They drove me to this point with their dumbass fucking password policies and I've got better things to do with my time.

    The reason why my eyes glaze over is because I'm having visions of murdering your stupid fucking ass in the parking lot after work. If you were worth even half a shit at your job you'd never need to ask my password in the first place.
