Researchers develop grammar-aware password cracker

Jan 24, 2013

When writing or speaking, good grammar helps people make themselves be understood. But when used to concoct a long computer password, grammar—good or bad—provides crucial hints that can help someone crack that password, researchers at Carnegie Mellon University have demonstrated.

A team led by Ashwini Rao, a Ph.D. student in the Institute for Software Research, developed a -cracking algorithm that took into account grammar and tested it against 1,434 passwords containing 16 or more characters. The grammar-aware cracker surpassed other state-of-the-art password crackers when passwords had grammatical structures, with 10 percent of the cracked exclusively by the team's algorithm.

"We should not blindly rely on the number of words or characters in a password as a measure of its security," Rao concluded. She will present the findings on Feb. 20 at the Association for Computing Machinery's Conference on Data and Application Security and Privacy (CODASPY 2013) in San Antonio, Texas.

Basing a password on a phrase or short sentence makes it easier for a user to remember, but the dramatically narrows the possible combinations and sequences of words, she noted.

Likewise, grammar, whether good or bad, necessitates using different parts of speech—nouns, , adjectives, pronouns—that also can undermine security. That's because pronouns are far fewer in number than verbs, verbs fewer than adjectives and adjectives fewer than nouns. So a password composed of "pronoun-verb-adjective-noun," such as "Shehave3cats" is inherently easier to decode than "Andyhave3cats," which follows "noun-verb-adjective-noun." A password that incorporated more nouns would be even more secure.

"I've seen password policies that say, 'Use five words,'" Rao said. "Well, if four of those words are pronouns, they don't add much security."

For instance, the team found that the five-word passphrase "Th3r3 can only b3 #1!" was easier to guess than the three-word passphrase "Hammered asinine requirements." Neither the number of words nor the number of characters determined password strength when grammar was involved. The researchers calculated that "My passw0rd is $uper str0ng!" is 100 times stronger as a passphrase than "Superman is $uper str0ng!," which in turn is 10,000 times stronger than "Th3r3 can only b3 #1!"

The research was an outgrowth of a class project for a masters-level course at CMU, Rao said. She and Gananand Kini, a fellow CMU graduate student, and Birendra Jha, a Ph.D. student at MIT, built their password cracker by building a dictionary for each part of speech and identifying a set of grammatical sequences, such as "determiner-adjective-noun" and "noun-verb-adjective-adverb," that might be used to generate passphrases.

Rao said the -aware password cracker was intended only as a proof of concept and no attempt has been made to optimize its performance. But it is only a matter of time before someone does, she predicted.

Explore further: UT Dallas professor to develop framework to protect computers' cores

Related Stories

Are you any good at creating passwords?

Jan 30, 2010

There's an interesting little study that's been done by security firm Imperva, which analyzed some 32 million passwords posted online in December by some enterprising hacker.

Better passwords get with the beat

May 17, 2011

No password is 100% secure. There are always ways and means for those with malicious intent to hack, crack or socially engineer access to a password. Indeed, there are more and more websites and databases compromised on a ...

Recommended for you

User comments : 2

Adjust slider to filter visible comments by rank

Display comments: newest first

Silverhill
not rated yet Jan 24, 2013
Concerning password strength, I quote Randall Munroe: "correct horse battery staple".
(see his xkcd webcomic, http://xkcd.com/936/ )
alfie_null
not rated yet Jan 25, 2013
Nice to see articles like this in that it (hopefully) hastens the death of passwords as a viable form of authentication.

More news stories

Hackers of Oman news agency target Bouteflika

Hackers on Sunday targeted the website of Oman's official news agency, singling out and mocking Algeria's newly re-elected president Abdelaziz Bouteflika as a handicapped "dictator".

Making graphene in your kitchen

Graphene has been touted as a wonder material—the world's thinnest substance, but super-strong. Now scientists say it is so easy to make you could produce some in your kitchen.

Low tolerance for pain? The reason may be in your genes

Researchers may have identified key genes linked to why some people have a higher tolerance for pain than others, according to a study released today that will be presented at the American Academy of Neurology's 66th Annual ...

How to keep your fitness goals on track

(HealthDay)—The New Year's resolutions many made to get fit have stalled by now. And one expert thinks that's because many people set their goals too high.