Bad Grammar Make Bestest Password, Research Say
An anonymous reader writes "NewScientist reports, 'Along with birthdays, names of pets and ascending number sequences, add one more thing to the list of password no-nos: good grammar.' Researchers from Carnegie Mellon University seem to have developed a password cracking algorithm that targets grammatically correct passwords. Can bad grammar really make your password secure?"
its securid via stupity encrpters
There are many more ways to have bad grammar than there are to have good grammar.
Shekuritee bai aubskureeti.
Why don't we allow unicode passwords?
Entering wrong information for password reminders / security questions.
If computers were people, I'd be a misanthrope.
Are there infinite ways to screw up grammar while creating a password? I would think there are certain patterns in which people misuse grammar. I would imagine, though, that at some point if everyone started using bad grammar styles for constructing passwords, those patterns would become identifiable and then someone would put together a password cracker that would deal with poor-grammar-filled passwords as well, right? I couldn't find the exact paper to read, but the example on the website "ihave3cats" seems like a language thing that can be identified at some point by some urban dictionary reader!
isn't no one gonna bursted my pass werds evar.
Corek Horze Baterry Stapple
http://xkcd.com/936/
Seems legit to me. In all seriousness, some of my best passwords use bad spelling on purpose and are committed to muscle memory, so even I don't know how they are actually spelled. I know the phrase but not the proper misspelling. It took me over 20 min to get it "right" after an injury left one of my arms in a full arm cast. And considering it is more random and significantly longer than the obligatory XKCD reference, I hate to know how long a password cracker would have to take to get it right.
Really? With letmein and iloveyou consistently in the top 10, 20 whatever most common passwords, I'd suggest that good grammar is most certainly rare in passwords, although I have no information to back that up. Other passwords may use grammar or punctuation in such a way as to be more vulnerable. Would god be god or God for instance?
CanHazPassword?
littel mistaek is no mistaek.
If you can memorize a 10-digit phone number (i.e. (123) 456-7890) then you can also memorize a 10-character randomized password. No excuses...there are sites out there that will generate tons of good passwords for you and you can just use the one you want.
"It is a denial of justice not to stretch out a helping hand to the fallen; that is the common right of humanity."
pick your favourite lolcat phrase
of course then you're going to have to remember the mispellings
Correct Battery Horse Staple...
Texting comes in handy...
Have gnu, will travel.
To make a good password, just don't think about it. Don't use anything that you would have to remember or figure out: type something random into the password box, copy the password and then remember it.
Here is an example of a musical login: pvy89pvvv[890[]vv
For this example, position your right hand with the thumb on the 'v' key, then play the sequence as if they were notes, then listen to C.P.E. Bach - Minuet In G Major for what it should really sound like.
If you like impressive music, try: uppvyuvyyyyuyvvyuvyuppvyuvyyyyuyvvyuyv
Leo Arnaud - Buglers Dream
I find that an even better way to construct a password (that you can still remember) is to use a language other than English for all or part of it. More specifically, it works best if you use a language that requires transliteration to type in the Latin character set and then use your own transliteration/transcription spelling (rather than, necessarily, the common or "official" one). Good examples might be words in Hebrew, Russian or Greek.
Consider the Russian word for 'good'. I will spell it using substitute Latin characters since /. seems to strip it otherwise: "xopowo"
I love Russian because it uses mostly Latin or Latin-like characters, but they are usually pronounced differently (that "p" looking guy sounds like an "r" and that "w" looking character is more like "sh").
So that word is pronounced, to the American ear, something like "hur ah show" (leaving out the hard-to-transcribe soft guttural). You might spell it in your own transcription style as "herisoh" or "whoreashow" (which might be easier to remember!) or whatever. The more you make it your own, the better.
You don't have to master another whole language to do this, just a few words will do.
Oh, and be sure to stay out of the rainbow table range or none of these techniques are all that helpful.
David Whatley
Little did we all know that this was actually the root password on HAL9000.
that is human readable is already insecure. Forget about the ones you can apply a grammar to.
... to add and mine the internet for commonly misspelled words to their password dictionaries.
Bad grammar you use must for secure password...
cpghost at Cordula's Web.
It is a well known fact that choosing words you will find in a dictionary as your password is not a good idea. This has been known for a looong time (get it?). Basically all this new "study" says is: "Hey, misspelled words are better than words spelled correctly!" Or in other words: "Hey! Stuff that isn't in the dictionary is better than stuff that is!" And in yet other words: all they did was re-frame what has been known for a long time and confuse themselves into thinking they discovered something new.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Use an Ebonics dictionary.
@11yourbA5es@r3Be10ngtoUS
I wonder if having a foreign language password makes for a good password, like a transliteration? That's what my grandma does.
I think of a sentence I will remember and use the first character of each word.
e.g. "the weather on my best birthday ever was very sunny" translates to "twombbewvs"
I find even a random sentence is much easier to remember that a string of random characters.
Need numbers too?
"it took me 3 weeks to get my damn tax return sorted out" = "itm3wtgmdtrso"
Yes, if it is bad enough. Examples:
Sp/k)]Vi5PTa
h@#FZh_\,
_HA67C_1N{vh
Of course no password is secure if you use it on more than one site.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
It's like saying that more entropy makes a better password. Waiting for the article entitled "More entropy make better password, Anonymous Coward says".
This means that most slashdot posters are safe. Seriously, the worst spelling and grammar I see online are right here amongst what should be a well-educated group of people.
If grammar is relevant at all, your password should already be long enough to be pretty secure.
You must know a lot of people that share the same phone.
That I do. Many are land lines in multi-person households. And being public keys (in the SQL "primary key" sense, not the cryptographic sense), they don't change every 45 days.
In fact, even if you have a shit password (e.g., "changeme1234"), if the website limits the number of tries to 3 times a day, you're probably safe for at least a year or two.
Except from denial of service, where someone with a list of usernames he wants to attack enters those usernames with "P00-p00" as the password three times in a row. Then the legitimate owners of those accounts can't log in.
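The two policies in the exchange above, as an added example that is not from either poster: the three-failures-per-day account lockout, and one way to keep the daily guess budget without handing a stranger the power to lock the real owner out. The credential store, usernames and addresses are constructed for the demo.

```python
from collections import defaultdict

# Constructed demo credential store; "changeme1234" is the post's own example
# of a weak password. Real systems store salted hashes, never plaintext.
USERS = {"alice": "changeme1234"}


class AccountLockout:
    """The first post's rule: three failures per account per day, after which
    the account stays locked for the day, no matter who caused the failures."""
    LIMIT = 3

    def __init__(self):
        self.failures = defaultdict(int)          # username -> failures today

    def attempt(self, username, source_ip, password):
        if self.failures[username] >= self.LIMIT:
            return "locked"
        if USERS.get(username) != password:
            self.failures[username] += 1
            return "rejected"
        return "ok"


class SourceThrottle:
    """One mitigation for the denial of service the reply describes: count
    failures per (source, account) pair and hold that pair's reply for a
    growing delay instead of locking the account. A guesser spread over many
    sources still needs a per-account cap, so this complements the daily
    budget rather than replacing it."""

    def __init__(self):
        self.failures = defaultdict(int)          # (source, username) -> failures

    def attempt(self, username, source_ip, password):
        key = (source_ip, username)
        delay = 2 ** self.failures[key] - 1       # seconds withheld: 0, 1, 3, 7, ...
        if USERS.get(username) != password:
            self.failures[key] += 1
            return f"rejected after {delay}s"
        self.failures[key] = 0
        return "ok"


def simulate(policy):
    """A stranger burns three wrong guesses against alice, then alice logs in."""
    for _ in range(3):
        policy.attempt("alice", "203.0.113.9", "P00-p00")
    return policy.attempt("alice", "198.51.100.7", "changeme1234")


def guesses_per_year(per_day=3):
    """Online guess budget under the daily cap: why the post calls even a weak
    password 'probably safe for at least a year or two'."""
    return per_day * 365


if __name__ == "__main__":
    print("account lockout :", simulate(AccountLockout()))   # locked
    print("source throttle :", simulate(SourceThrottle()))   # ok
    print("guesses per year:", guesses_per_year())           # 1095
```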
I speak English and Swedish. I find it easy to concoct "Swinglish" words and phrases that are invalid in any language yet easy for me to remember.
I think that ought to be secure.
I usually think of a phrase, take the first letter of each word, and leetify some of the letters. "My what a lovely unicorn with no horn you have" becomes MwalUwnHuh which then becomes Mw@lUw!Huh.
My phrases are generally song lyrics, and yes I do need to write them down until I've used them 3-4 times.
Just don't be stupid, really that's it.
You can use all the password tips in the world but never use one that's restrictive.
Every restriction you add makes it that much easier to guess.
This includes grammar: there are far fewer ways to be grammatically correct than not. So I don't really understand how this got published. What's the point of proving the obvious?
Hell, you can use all the tips in the world if you want, let's start.
30 days: V%w#tVmi6
60 days: V%w#I love lamp.tVmi6
90 days: passwordV%w#I love lamp.tVmi6
180 days: passwordV%w#I love lamp.tVmi6
360 days: passwordV%w#I love lamp.tVmi6 Dis_thingizgettingl0gandstuFf
Getting sick of the long ass password day: gettingl0gandstuFf lava Cheetos 2+2
If you can't tell I'm just adding stuff.
Check this one out: _letmein123qwerty45iloveyou_
Or this one: !Call now and get a free pineapple for only $19.95!
But if you force your employees to use rules like "you must use 3 characters of each type", you're going to end up with half your employees or users using 111!!!QQQqqq
Oh great, another restriction to be placed on my password, that will ensure I forget it after about five days.
Allyerpa55wurdrbelong2us
Simple. If four digits is good enough for my bank account, it's good enough for me.
Pisses me off when I need nine characters, one digit, one uppercase and a "special" character just to buy a freakin' toy for my daughter on some obscure web site, when I can get all my bank account info with just four digits.
Why? Whyyyyyyyyyy?????
Obvious teh whole topic is for teh loosers.
Make it over 23 letters (or 24, I forget). The end. That's unhackable by anything anywhere ever. Then it can be "gorillasgorillasgorillas1" and it won't matter because nobody could ever possibly hack it.
My home WPA password works on that premise. It's not in the dictionary, not random letters and numbers either but is easy enough to spell when heard if family or a friend visiting need access.
Chewbacon
The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
Dictionary attacks aren't always that useful for authentication systems that block logins on an account after a few missed attempts. However, a few stripped-down NAS nasties are set to allow infinite login attempts. It was kind of fun watching the password attempts; they were sort of half dictionary, half psychology, lots of old favourites. But they were all single words, I noticed, and not very long at that.
Do not mock my vision of impractical footwear
Yoda ask -- answers he will give?
even Something like this" could screw up a grammer based guesser .
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Passwords will remain as the weakest link in authentication systems because they are easy and cheap. There is no good password, only one that's better (less weak) than the next. FWIW, I use a random password for every site (Thanks KeePass!), but even that is subject to compromise by local malware or plaintext storage systems on the authenticator. Anything that _really_ needs to be protected shouldn't be digital and/or stored outside of your personal control. -T
How bout /dev/random?
How about removing the first letter of each word? Would that mess up a dictionary attack?
For example, instead of
correct horse staple battery
say
orrect orse taple attery
(Lots of words form other dictionary words if you remove the first letter. That makes it sort of hard to figure out a password that uses this trick.)
It is a well known fact that choosing words you will find in a dictionary as your password is not a good idea.
It's a better idea than a single word, or name, which is what many people still do. Anyway, even if you use real words, with the English language having well over 100,000 words, a few words gives you a very, very large space. Using correct grammar cuts it down, of course. But TFA was about attacks trying billions of passwords. What kind of idiotic system allows someone to attempt to login billions of times at high speed?
Personally, I'd go for words in the Inuit language(s). Inuit words are so wonderfully impossible to guess from a dictionary because of the nature of the language; consider the following example:
umiaq: a large boat - a 'wife boat'
umiarssuaq: a big wife boat - ie a ship
umiarssualivik: a place for a ship: a harbour
umiarssualivinnguaq: a small harbour
etc
Combine that with a complex grammar and the fact that the rules for spelling are somewhat uncertain, and you have the perfect passwords, easy to remember and write, hard to crack, I think.
Can bad grammar really make your password secure?
not any longer.
If Pandora's box is destined to be opened, *I* want to be the one to open it.
So, are you telling me, that fascinating (unreadable) short-text/sms-language has a purpose after all?! :)
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
A large space, but still an easily searchable one, given enough time, and a system that allows dictionary attacks, which many do, even though it would be easy enough to disallow it.
So why do that, when it's easy enough to use words that are still words, but not words in standard dictionaries? (i.e. names of fictional characters, words made up by the company you work for or that are specific jargon of your field, internet memes, etc.)
Because the "geekily obscure" words like that are the very first ones that will be checked. Geeks have been using words from Tolkien and such as logins and passwords from the dawn of time. I remember one guy who was mystified that his password "THX-1138" had been cracked by someone... I had a hard time not laughing.
By "public key" I meant that a phone number is a published natural key, intended for the general public to use as a key to place a voice call to a household. The opposite would be something like a Social Security number, a natural key that's not to be spread around because taxing authorities and creditors rely on it as part of proof of identity.
I get FIOS for $40/month, adding a phone would double that
For someone with fiber, cable, or DSL Internet access, a VoIP line from magicJack can cost less than $2 per month. That's still "nearly free" to me, (backpedals slightly) even if it isn't offered by the phone company. To me, magicJack and other similar VoIP providers are still a "land line" in the sense of being delivered over a wired network and assigning a phone number to a household rather than a single person.
Untranslated, Vogon poetry.
The only problem with this is those damn sites that have a MAXIMUM password length. WTF is with that? Assholes.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
Point me to where in the SQL specification it mentions whether a key is widely known or not.
It's not in the SQL specification; it's in the business rules that a developer implements using SQL.
And as far as I'm aware, there's no directory for mobile numbers.
There's a paper directory for land lines, and there's Facebook for mobile numbers of Facebook members. But more generally, there's a reason for someone to publish a phone number if he wants to be contacted. There isn't much reason to publish a Social Security number except perhaps as a publicity stunt for an identity theft protection business that one runs.
Finally, does the phrase "ex directory" ring a bell?
Traditionally, being "ex directory" has cost more per month. And people who want to be contacted publish a phone number even if their carrier does default to "ex directory".
Random characters of upper lower case and numeric can be memorized by anyone up to 10 or 12 characters. These make the best passphrases. Simply use a program to randomly generate sets of 10 random values for you and select one.
Second, these passphrases should be used to unlock the set of keys you use for login. Login passwords to websites should not be something inside your head, because there is no possibility you can ever memorize strong enough passwords for 20 or more websites. Passwords to website logins should be 64 random characters, making any brute force attempts useless. Since website logins no longer use passwords in your head, you will not be able to log in to, say, gmail from someone else's computer. Good! It is a bad security practice to type passwords into any device you do not own.
The real issue with passwords is that you need so many of them. People make and use weak passwords because there is no possibility to remember a multitude of them. Or worse, they have a limited set of, say, 3 good passwords that they reuse across multiple 3rd party sites. How dangerous! The real issue with passwords is that websites allow you to type them from the keyboard. Websites should switch to a common mechanism of using local system keychaining software. Firefox is a good example of this, where the passwords are stored locally and strongly encrypted with a locally entered passphrase. The only part missing is for websites to stop allowing users to generate the passwords and force them to be long and strong random values generated within Firefox itself.