Certain long computer passwords may not provide as much cyber security as previously thought. A new study reports that passwords based on grammatical structure give away vital clues that make them more vulnerable to being cracked.
Researchers at Carnegie Mellon University developed a grammar-aware algorithm that outperformed other leading methods when tested on passwords that were grammatically structured and contained 16 or more characters. The algorithm alone was able to crack ten percent of the more than 1,000 passwords studied. The authors concluded that password strength cannot be determined by the number of words or characters present when grammar is involved.
The weakness stems in part from the way grammar restricts which words can be combined or placed in sequence. The parts of speech also differ greatly in size, with the number of available words declining from nouns to adjectives to verbs to pronouns. As an example, the study discovered that the five-word phrase “Th3r3 can only b3 #1!” is easier to figure out than the three-word phrase “Hammered asinine requirements.”
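The sketch below is an added example, not code from the study or from this article's author. It compares a length-based strength estimate with a grammar-aware one for the two phrases above. The class sizes and the mini-lexicon are constructed assumptions; only the ordering nouns > adjectives > verbs > pronouns comes from the article.

```python
import math
import re

# Constructed class sizes (assumption). Only the ordering
# nouns > adjectives > verbs > pronouns is taken from the article.
POS_SIZES = {"noun": 80000, "adj": 20000, "verb": 10000, "adv": 3000,
             "num": 100, "pron": 50, "modal": 10}

# Constructed mini-lexicon; a real estimator would use a POS-tagged corpus.
LEXICON = {"there": "pron", "can": "modal", "only": "adv", "be": "verb",
           "hammered": "verb", "asinine": "adj", "requirements": "noun"}

# Undo common digit-for-letter substitutions before the lexicon lookup.
LEET = str.maketrans("3045", "eoas")


def tag(phrase):
    """Return the part-of-speech tag sequence for a passphrase."""
    tags = []
    for raw in phrase.split():
        token = re.sub(r"[^a-z0-9]", "", raw.lower())
        if token.isdigit():          # "#1!" -> "1" -> number slot
            tags.append("num")
            continue
        word = token.translate(LEET)
        if word not in LEXICON:
            raise ValueError(f"untagged word: {raw!r}")
        tags.append(LEXICON[word])
    return tags


def naive_bits(phrase):
    """Length-based estimate: every word drawn from the whole vocabulary."""
    vocab = sum(POS_SIZES.values())
    return len(phrase.split()) * math.log2(vocab)


def grammar_bits(phrase):
    """Grammar-aware estimate: each slot is limited to its POS class."""
    return sum(math.log2(POS_SIZES[t]) for t in tag(phrase))


if __name__ == "__main__":
    for p in ("Th3r3 can only b3 #1!", "Hammered asinine requirements"):
        print(f"{p!r}: naive {naive_bits(p):.1f} bits, "
              f"grammar-aware {grammar_bits(p):.1f} bits, tags {tag(p)}")
```

The grammar-aware figure leaves out the cost of guessing the tag sequence itself and the character substitutions, so it is a lower bound under these assumed class sizes.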
The findings are interesting given that much of the general advice about creating strong passwords tends to place the greatest emphasis on length. While Facebook still specifies only a 6-character minimum, many security professionals now advocate for 12 or more.
Other common guidelines still hold true for creating robust passwords. Use upper and lower case letters. Combine letters with other characters such as numbers, symbols and punctuation marks. Avoid making references to your name, birthday, Social Security number or other personal information. Make up a different password for each website you visit. It is also important to change passwords frequently.
Superior Solutions, Inc. focuses on network security services and cyber security training. Contact us for more information on security audits, network vulnerability assessments, IT security training and other security solutions.