"Hammered asinine requirements": Now there’s a secure password

  • Bob Brown (Network World)
  • — 24 January, 2013 18:08

Youre best off forgetting your grammar lessons when it comes to creating passphrases, according to new research out of Carnegie Mellon University and MIT.

The researchers say that using grammar good or bad can clue in hackers about the words in a multi-word password. And theyve built an algorithm as a proof-of-concept to show it (The team, led by software engineering Ph.D. student Ashwini Rao of CMUs Institute for Software Research, will present its research at the Association for Computing Machinerys Conference on Data and Application Security and Privacy on Feb. 20 in San Antonio.).

[IN THE LABS: 25 of todays coolest networking and computer research projects]

The team tested its grammar-aware password cracking algorithm against 1,434 passwords containing 16 or more characters, and cracked 10% of the dataset via the algorithm.

We should not blindly rely on the number of words or characters in a password as a measure of its security, Rao said, in a statement.

The researchers say that while a password based on a phrase or short sentence can be easier for a user to remember, it also makes it simpler to crack because grammatical rules narrow word choices and structures (in other words, a passphrase with pronoun-verb-adjective-noun would be easier to crack than one made up of noun-verb-adjective).

The researchers found that Hammered asinine requirements, for instance, is harder to crack than even the longer and seemingly clever Th3r3 can only b3 #1!

Passwords in general have come under increasing fire by security pros, as some of the highest profile breaches (LinkedIn, Nvidia) have been the result of password compromises or resulted in passwords (including encrypted ones) being made public.

Googles security team is looking into ways to avoid passwords altogether for logging into websites.

Bob Brown tracks network research in his Alpha Doggs blog and Facebook page, as well on Twitter and Google +

 

Read more about wide area network in Network World's Wide Area Network section.

Tags: Carnegie Mellon University, grammar aware password, security, CMU, legal, Wide Area Network, MIT, cybercrime

Hackers try to blackmail plastic surgeon after stealing 500,000 patient records

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Sophos SafeGuard Enterprise

Your central key for data protection

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.