
Long Security Passwords May Be Yesterday's News


LiLmEgZ


A new study from Carnegie Mellon University shows that the widely held belief that long passwords are safer may be unraveled by new hacking programs.

The assumption that a long, carefully crafted password will protect your devices against all hacking may soon be another Internet fallacy. Researcher Ashwini Rao of Carnegie Mellon University has found that the popular use of long passwords is not particularly a good choice for securing your data.

Instead, against all English teachers' better instincts, Rao says bad grammar is the way to go.

In a study entitled "Effect of Grammar on Security of Long Passwords," Rao and colleagues found that of the 1,500 users they studied, a full 18 percent chose easier-to-remember grammatical phrases, street addresses and URLs to create long passwords.

Although current popular password-cracking programs such as John the Ripper and Hashcat do not focus entirely on grammar in their algorithms, Rao warns that programs are becoming more sophisticated and would be able to more readily recognize "long sentence-like or phrase-like passwords such as 'abiggerbetterpassword' and 'thecommunistfairy.'"

In fact, the team developed its own "proof-of-concept grammar-aware cracking algorithm to improve the cracking efficiency of long passwords," according to the study, and were able to crack 10 percent of the passwords in their data that other programs could not crack.

Rao's password cracker specifically targeted grammatically correct turns of phrase that are so popular with users.

The study implies that shorter, randomized passwords containing numbers, characters and letters may be the best choice. Alternately, poor grammar, for once, may be your friend, with passwords such as "Forcewithyoumaybe" proving more impervious to cracking.

News Source: http://news.msn.com/science-technology/long-security-passwords-may-be-yesterdays-news


What bullshit reasoning is this?

They just interpreted their study like this to get a cool headline, but long passwords are definitely safer than short passwords. They are comparing short mixed alphanumerical passwords with long grammar-based passwords. If they were to compare short mixed alphanumerical passwords with long mixed alphanumerical passwords none of this would stick. Similarly comparing short grammar-based passwords with long grammar-based passwords would show that long passwords are better. Their research says nothing about long passwords, but everything about grammar-based passwords (which can be cracked using a dictionary attack, instead of a 'true' brute-force attack).

The only thing their research has proven is that many people (18%) tend to use grammatically correct phrases or other easy to remember things for long passwords. They didn't even compare this (as far as I can tell) with the percentage of users who use grammatically correct phrases for short passwords.

All in all this research is just a catchy headline without any scientific basis, bundled with some facts that everyone already knew. Just sad.



password means nothing these days...

It's all about money... you offer enough to the company and they will give your details out.



another useless study.

If you use numbers and special keys, long passwords are definitely better than shorter ones.

BUT

if you use an easy to remember common phrase as password, without them...

they aren't as safe, it's logic.

All that study says is... some people still don't know how to make good passwords.



Along with birthdays, names of pets and ascending number sequences, add one more thing to the list of password no-nos: good grammar.

An algorithm developed by Ashwini Rao and colleagues at Carnegie Mellon University in Pittsburgh, Pennsylvania, makes light work of cracking long passwords which make grammatical sense as a whole phrase, even if they are interspersed with numbers and symbols. Rao's algorithm makes guesses by combining words and phrases from password-cracking databases into grammatically correct phrases. While other cracking programs make multiple guesses based on each word in a database, putting in "catscats" and "catsstac" as well as just the word "cats", none of the programs make the jump to combine multiple words or phrases in a way that makes grammatical sense, like "Ihave3cats", for instance.

Ten per cent of the long passwords that Rao and her team tested were cracked exclusively using their grammar-sensitive methods, unyielding in the face of other well-known cracking algorithms such as John the Ripper and Hashcat.

As processing power continues to fall in price, choosing passwords that are easily memorised but secure is getting harder and harder. A $3000 computer running appropriate algorithms can make 33 billion password guesses every second.

In a paper due to be presented at the Conference on Data and Application Security and Privacy in San Antonio, Texas, next month, the researchers suggest that other types of familiar structures like postal addresses, email addresses and URLs may also make for less secure passwords, even if they are long.

@ http://www.newscientist.com/blogs/onepercent/2013/01/bad-grammar-make-good-password.html

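The mechanism the New Scientist excerpt above describes (and that the opening post's summary of the Carnegie Mellon study refers to) is easy to see in miniature: a word-level wordlist attack mangles one word at a time ("cats", "catscats", "stac"), while a grammar-aware attack fills sentence templates with tagged words and so reaches "Ihave3cats". The script below is an added illustration written for this thread, not the researchers' code or any real cracker. The lexicon and templates are constructed and deliberately tiny, and SHA-256 stands in for whatever hash a real target would use.

```python
"""Toy grammar-aware password-candidate generator (added illustration)."""
import hashlib
import itertools
import math

# Constructed, deliberately tiny part-of-speech word lists. A real
# grammar-aware cracker would use large tagged corpora; this is an
# assumption made for illustration only.
LEXICON = {
    "PRON": ["i", "we", "you"],
    "VERB": ["have", "love", "want"],
    "NUM": ["2", "3", "4", "two", "three"],
    "NOUN": ["cats", "dogs", "passwords"],
    "DET": ["a", "the", "my"],
    "ADJ": ["bigger", "better", "communist"],
}

# Constructed sentence templates; each slot names a part-of-speech tag.
GRAMMAR = [
    ("PRON", "VERB", "NUM", "NOUN"),   # "I have 3 cats"
    ("DET", "ADJ", "NOUN"),            # "a bigger password"
    ("PRON", "VERB", "DET", "NOUN"),   # "we want the dogs"
]


def sha256_hex(s: str) -> str:
    """Stand-in for the target's password hash."""
    return hashlib.sha256(s.encode()).hexdigest()


def mangle(word: str):
    """Word-level rules in the style of classic wordlist attacks:
    the word itself, capitalised, doubled, reversed."""
    yield word
    yield word.capitalize()
    yield word + word
    yield word[::-1]


def wordlist_candidates():
    """Baseline attack: every lexicon word run through the mangling
    rules. It never joins two words, so it cannot produce 'Ihave3cats'."""
    seen = set()
    for words in LEXICON.values():
        for w in words:
            for cand in mangle(w):
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def grammar_candidates():
    """Grammar-aware attack: fill each template with every combination
    of tagged words, then apply phrase-level capitalisation variants."""
    seen = set()
    for template in GRAMMAR:
        for words in itertools.product(*(LEXICON[tag] for tag in template)):
            phrase = "".join(words)
            variants = (phrase, phrase.capitalize(),
                        "".join(w.capitalize() for w in words))
            for cand in variants:
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def crack(target_hash: str, generator):
    """Try every candidate from `generator`; return (match, guesses_made)."""
    guesses = 0
    for cand in generator():
        guesses += 1
        if sha256_hex(cand) == target_hash:
            return cand, guesses
    return None, guesses


def grammar_search_space() -> int:
    """Distinct phrases the grammar can produce, before case variants."""
    return sum(math.prod(len(LEXICON[t]) for t in tpl) for tpl in GRAMMAR)


def brute_force_space(length: int, alphabet: int = 62) -> int:
    """Candidates a naive brute force must cover for a fixed length
    over upper/lower/digit characters."""
    return alphabet ** length


def bits(n: int) -> float:
    return math.log2(n)


if __name__ == "__main__":
    target = sha256_hex("Ihave3cats")
    print("wordlist attack:", crack(target, wordlist_candidates))
    print("grammar attack: ", crack(target, grammar_candidates))
    print(f"grammar phrases: {grammar_search_space()} "
          f"(~{bits(grammar_search_space()):.1f} bits)")
    print(f"10-char brute force: ~{bits(brute_force_space(10)):.1f} bits")
```

The numbers are the point, not the toy lexicon. This grammar yields only 243 phrases (about 8 bits) for passwords that are 10 to 15 characters long, whereas a 10-character password drawn uniformly from letters and digits sits near 59.5 bits. A grammatical phrase's strength is bounded by how many phrases the attacker's grammar and lexicon can generate, not by its character count, which is exactly the distinction the second reply in this thread draws between a dictionary-style attack and a true brute force.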

