June 19, 2021

Cambridge University Study Says That Multi Word Passphrases Not As Secure As You Might Think

(LiveHacking.Com) – It is conventional wisdom that the more complex a password is then the harder it is for hackers to crack. This had led online users to start using multi-word passphrases (rather than single-word passwords) for account authentication. Multi-word passphrases are easier to remember than completely random password strings and have the supposed added advantage that they are just as secure. However research from the Computer Laboratory at the University of Cambridge suggests that this might not be the case. Although mult-word passphrases could be as secure as random password strings, it is important to evaluate actual user choices for password not theoretical passphrase possibilities.

The research paper, by Joseph Bonneau and Ekaterina Shutova, studied data taken from the now-defunct Amazon PayPhrase system (which was only availbale in the US) to learn how people choose passphrases in general. The pair then set about trying to guess the passphrases using a dictionary attack based on movie titles, sports team names, and other types of proper nouns taken from Wikipedia. Using this method the researchers cracked about 8,000 phrases.

Apply some clever mathematics and the results shows that passphrases provide the equivalent of 20 bit security against an attacker trying to compromise 1% of available accounts. Normal passwords provide under 10 bits when using the same maths, so clearly passphrases are better, but not enough to make online dictionary attacks impractical unless proper rate-limiting is used by the online service.

Some clear trends emerged—people strongly prefer phrases which are either a single modified noun (“operation room”) or a single modified verb (“send immediately”). These phrases are perhaps easier to remember than phrases which include a verb and a noun and are therefore closer to a complete sentence. Within these categories, users don’t stray too far from choosing two-word phrases the way they’re actually produced in natural language. That is, phrases like “young man” which come up often in speech are proportionately more likely to be chosen than rare phrases like “young table.”