Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bad Grammar Make Bestest Password, Research Say

Posted by samzenpus on from the power-of-slang dept.

An anonymous reader writes "NewScientist reports, 'Along with birthdays, names of pets and ascending number sequences, add one more thing to the list of password no-nos: good grammar.' Researchers from Carnegie Mellon University seem to have developed a password cracking algorithm that targets grammatically correct passwords. Can bad grammar really make your password secure?"

10 of 193 comments (clear)

  1. Certainly by vAltyR · · Score: 3, Insightful

    There are many more ways to have bad grammar than there are to have good grammar.

    1. Re:Certainly by mwvdlee · · Score: 3, Insightful

      Unless those dictionaries contain common misspellings, which they probably already do.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    2. Re:Certainly by Anonymous Coward · · Score: 2, Insightful

      Well, if we didn't say it, they'd all make their passwords "password", their own first name, or some other amazingly simple word.

      They always glaze over when you try to explain strong passwords. No matter what you tell them, you can always sit down at their desk and say "what's your password?", just to find out it's "Password1" or "1234567A"

      For everything outside of my place of work, I use a password safe program and (if I can) at least a 42 character password using the largest possibly set, generated randomly.
      At work, where I'm not allowed to use a password safe and am required to memorize no fewer than 30 passwords, most of which have to be updated at least monthly, and cannot use any password I've used in the last 6 months.... my password is my first name and last initial, followed by a number which is how many times I've had to reset it. Yes, it's weak. No, I really don't give a shit. They drove me to this point with their dumbass fucking password policies and I've got better things to do with my time.

      The reason why my eyes glaze over is because I'm having visions of murdering your stupid fucking ass in the parking lot after work. If you were worth even half a shit at your job you'd never need to ask my password in the first place.

  2. Corollary by eksith · · Score: 3, Insightful

    Entering wrong infromation for password reminders / security questions.

    --
    If computers were people, I'd be a misanthrope.
    1. Re:Corollary by jones_supa · · Score: 4, Insightful

      Entering wrong infromation for password reminders / security questions.

      My opinion is that password hints and security questions are really just a bad idea which websites should possibly stop to use completely. They can easily ruin the whole security even if your password itself is robust.

  3. Re:My question is this: by eksith · · Score: 4, Insightful

    Easier than sanitizing correctly. Honestly, it's just laziness. There are also some places that actually send you the bloody password from the database when you enter an email (because that's also easier), instead of salt+hashing and just resetting it. And a unicode password would cause issues in the carefully crafted HTML layout of reset email. These are actual excuses I was given by a project manager. He doesn't work with us anymore.

    --
    If computers were people, I'd be a misanthrope.
  4. Re:Randomized passwords are the best by bp+m_i_k_e · · Score: 5, Insightful

    None of your phone numbers are changed every 30/60/90 days, while some of your passwords are.

  5. Re:My question is this: by CodeheadUK · · Score: 5, Insightful

    A paranoid colleague of mine composed passwords with a sprinkling of extended chars. He entered the whole thing on the numeric keypad with ALT held down.

    I've no idea what his password(s) were, but they caused quite a few badly written apps to explode in a spectacular shower of exceptions and unhandled input errors.

  6. Re:Randomized passwords are the best by maxwells_deamon · · Score: 5, Insightful

    I don't have a different phone number for every person I call. People I call do not make up rules like my phone number must be at least x characters long, must have a special character in it, can not have a special character in it, must not begin with an upper case letter, must begin with a character, must begin with an emoticon ;-)
    and I don't know what other crap they are about to come up with...

  7. Re:My question is this: by Zero__Kelvin · · Score: 3, Insightful

    "Why don't we allow unicode passwords?"

    Because not all systems can handle Unicode, and Unicode itself has multiple internal representations (UTF-8, UTF-16.) Furthermore, there are multiple valid Unicode encodings for the same character stream. In other words, that would be a very bad idea unless you are in an environment where only company approved systems, set up by competent system administrators, are allowed to log in, in which case it would just be a bad idea sans the "very". Even then it is of little value, since a well chosen password still has plenty of entropy, and there is no need to add complexity to the auth system (complexity is the enemy of security.)

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun