Bad Grammar Make Bestest Password, Research Say
An anonymous reader writes "NewScientist reports, 'Along with birthdays, names of pets and ascending number sequences, add one more thing to the list of password no-nos: good grammar.' Researchers from Carnegie Mellon University seem to have developed a password cracking algorithm that targets grammatically correct passwords. Can bad grammar really make your password secure?"
There are many more ways to have bad grammar than there are to have good grammar.
Shekuritee bai aubskureeti.
Get free satoshi (Bitcoin) and Dogecoins
I was going to post "frist!" but that's my password.
Entering wrong information for password reminders / security questions.
If computers were people, I'd be a misanthrope.
Are there infinite ways to screw up grammar while creating a password? I would think there are certain patterns in which people misuse grammar. I would imagine, though, that at some point if everyone started using bad grammar styles for constructing passwords, those patterns would become identifiable and then someone would put together a password cracker that would deal with poor-grammar-filled passwords as well, right? I couldn't find the exact paper to read, but the example on the website "ihave3cats" seems to be like a language thing that can be identified at some point by some urban dictionary reader!
Easier than sanitizing correctly. Honestly, it's just laziness. There are also some places that actually send you the bloody password from the database when you enter an email (because that's also easier), instead of salt+hashing and just resetting it. And a unicode password would cause issues in the carefully crafted HTML layout of reset email. These are actual excuses I was given by a project manager. He doesn't work with us anymore.
If computers were people, I'd be a misanthrope.
Except that was all about choosing random dictionary words and a favorite number. In this case it's like taking my password "password" and spelling it "pahsweerd".
I've never actually considered what would happen if you put a unicode password into an email because, well...
littel mistaek is no mistaek.
None of your phone numbers are changed every 30/60/90 days, while some of your passwords are.
I don't memorize phone numbers, I memorize the 3x4 grid pattern required to dial it.
Get free satoshi (Bitcoin) and Dogecoins
After typing in a password 8-10 times I pretty much have it memorized, how long does it take for you? Doing it every 1-3 months isn't too bad. If it were changed every week then I would agree with you.
"It is a denial of justice not to stretch out a helping hand to the fallen; that is the common right of humanity."
That's not bad grammar, you silly slashdotter! That's the name of a building at Princeton University: Frist Campus Center. Look it up. :)
A paranoid colleague of mine composed passwords with a sprinkling of extended chars. He entered the whole thing on the numeric keypad with ALT held down.
I've no idea what his password(s) were, but they caused quite a few badly written apps to explode in a spectacular shower of exceptions and unhandled input errors.
Actually, no. Phone numbers contain much context (e.g. area code), and they have a very limited alphabet (just the numbers 0-9). A random password can use a much larger alphabet and contains much less context. So, memorizing a ten character password is definitely harder than a ten digit phone number.
Memorizing only the phone numbers is useless if you forget the names and faces of the girls...
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Sure, as long as you only need the one password.
"Let me in" and "I love you" are both correct grammar. You're perhaps thinking of correct punctuation.
To make a good password just don't think about it. Don't use anything that you would have to remember or figure out; type something random into the password box, copy the password and then remember it.
Here is an example of a musical login: pvy89pvvv[890[]vv
For this example, position your right hand with the thumb on the 'v' key, then play the sequence as if they were notes, then listen to C.P.E. Bach - Minuet In G Major for what it should really sound like.
If you like impressive music, try: uppvyuvyyyyuyvvyuvyuppvyuvyyyyuyvvyuyv
Leo Arnaud - Buglers Dream
I don't have a different phone number for every person I call. People I call do not make up rules like my phone number must be at least x characters long, must have a special character in it, can not have a special character in it, must not begin with an upper case letter, must begin with a character, must begin with an emoticon ;-)
and I don't know what other crap they are about to come up with...
I find that an even better way to construct a password (that you can still remember) is to use a language other than English for all or part of it. More specifically, it works best if you use a language that requires transliteration to type in the Latin character set and then use your own transliteration/transcription spelling (rather than, necessarily, the common or "official" one). Good examples might be words in Hebrew, Russian or Greek.
Consider the Russian word for 'good'. I will spell it using substitute Latin characters since /. seems to strip it otherwise: "xopowo"
I love Russian because it uses mostly Latin or Latin-like characters, but they are usually pronounced differently (that "p" looking guy sounds like an "r" and that "w" looking character is more like "sh").
So that word is pronounced, to the American ear, something like "hur ah show" (leaving out the hard-to-transcribe soft guttural). You might spell it in your own transcription style as "herisoh" or "whoreashow" (which might be easier to remember!) or whatever... the more you make it your own, the better.
You don't have to master another whole language to do this, just a few words will do.
Oh, and be sure to stay out of the rainbow table range or none of these techniques are all that helpful.
David Whatley
Little did we all know that this was actually the root password on HAL9000.
Perhaps not mine, but all the women I meet have a new phone number within 24 hours.
Don't fight for your country, if your country does not fight for you.
Why not the mail room? Then it could be the Frist Post.
Because not all systems can handle Unicode, and Unicode itself has multiple internal representations (UTF-8, UTF-16.) Furthermore, there are multiple valid Unicode encodings for the same character stream. In other words, that would be a very bad idea unless you are in an environment where only company approved systems, set up by competent system administrators, are allowed to log in, in which case it would just be a bad idea sans the "very". Even then it is of little value, since a well chosen password still has plenty of entropy, and there is no need to add complexity to the auth system (complexity is the enemy of security.)
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Bad grammar you use must for secure password...
cpghost at Cordula's Web.
It is a well known fact that choosing words you will find in a dictionary as your password is not a good idea. This has been known for a looong time (get it?). Basically all this new "study" says is: "Hey, misspelled words are better than words spelled correctly!" Or in other words: "Hey! Stuff that isn't in the dictionary is better than stuff that is!" And in yet other words: All they did was re-frame what has been known for a long time and confuse themselves into thinking they discovered something new.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
I tend to use random passwords myself. The trick I've learned to memorizing them is to take advantage of the fact that the human brain is good at seeing patterns even when there aren't any. So I just look at the password for a bit, let myself come up with a pattern or way to describe it and memorize that. I'll often think of a password as chunks of 3 or 4 letters and just remember the chunks normally associated with a thought phrase. If I can't come up with something I'll just hit regen again till I get something that my brain clicks onto.
For example I just now used a generator to create the password: zyZtgQkAJH2)rw
My thought process would be something like: Hmm, there are two Z's... I can use that to help me remember.... Oh, I can use the word zygote to remember... so the first two letters.... change things up so cap the Z and reuse the tg from zygote backs.... okay, I have zyZtg memorized.... now I need to think of a quick way to get
... oh, I can use Quick to remind me. AJH... that can be an acronym for "as just happens." Got a number 2) so I think "list" and twice to behind to just happens... rw, that's obviously read/write... So I just have to remember "zygote Quick As Just Happens twice list read/write" (I mentally imagine shouting the parts of the words for caps) and I can turn it back into the password zyZtgQkAJH2)rw...
Then I just force myself to log in a few times while thinking that phrase and I'm all set.
@11yourbA5es@r3Be10ngtoUS
Every site should allow any password if they just hash it like they should.
I consider restricting the character set a lesser crime than sites like Amazon and Blizzard that make passwords case-insensitive.
I use random, unique passwords most everywhere. The trick to remembering them is not to try - I just store them in my encrypted keychain. It's not that hard to memorize one long and complex password.
#DeleteChrome
I use variations of the same passwords, so I have memorized many more passwords than phone numbers. Usually I can even remember some infrequently-used passwords - based on using variations. However, the phone numbers that I have memorized have not changed for years, for the most part. At our company, it's actually pretty rare for people to forget their frequently-used passwords. However, I have no idea how often people forget phone numbers, since it is trivial to just look them up.
If all passwords followed the same rules, without requiring frequent resets, it probably would be relatively easy for people to remember a few passwords. But, keep in mind that 3 of the 10 phone number digits (the area code) are relatively meaningless, in terms of the need to memorize them. So, for the most part, people are only remembering 7 numbers - not exactly a large number of possible values, compared to the possibilities for passwords.
I don't have a different phone number for every person I call.
You must know a lot of people that share the same phone.
None of your phone numbers are changed every 30/60/90 days, while some of your passwords are.
My recommendation for such passwords is to memorize a "base" password and define a rule to increment the base password, so all you need to remember is the original password and which number you are at, and do a mental transformation; this is far more secure than writing down the password, or picking easy to guess passwords.
e.g.
Password 0 helloworld0
Password 1 ifmmpxpsme1
Password 2 jgnnqyqtnf2
Password 3 khoorzruog3
Password 4 lippsasvph4
Password 5 mjqqtbtwqi5
Password 6 nkrrucuxrj6
Password 7 olssvdvysk7
Password 8 pmttwewwtl8
Password 9 qnuuxfxxum9
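Spelled out as code, the scheme in the post above is a Caesar shift of the base word by the step number, with that number appended as a suffix. The following Python is an added example written for this page, not code from the poster; the names `shift_letters`, `nth_password` and `password_series` are chosen here.

```python
import string

def shift_letters(text: str, n: int) -> str:
    """Shift every ASCII letter forward by n positions, wrapping around the
    alphabet; digits and punctuation are left untouched."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + n) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + n) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)

def nth_password(base: str, n: int) -> str:
    """Password number n of the series: base shifted by n, then the digit n."""
    return shift_letters(base, n) + str(n)

def password_series(base: str, count: int = 10) -> list:
    """The whole series the poster writes out by hand."""
    return [nth_password(base, n) for n in range(count)]

if __name__ == "__main__":
    # Base word taken from the post above.
    for n, pw in enumerate(password_series("helloworld")):
        print(f"Password {n} {pw}")
```

Run as a script it regenerates rows 0 through 7 of the list above exactly (rows 8 and 9 in the post differ from the rule at the letter derived from the 'r' of the base word). Note that every entry is a fixed function of the base word, so the series as a whole holds no more secret than that base plus one digit; the rotation changes the string, not the amount of guessing needed once the rule is known.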
That's great until you have to use a different keyboard layout. Around here (CH) the keyboard may be EN-US, EN-GB, CH-FR, CH-DE or even FR-FR (which is just stupid). Y's, Z's and punctuation are best avoided.
All your bases are belong to us!
-- Knowledge is power. -- Francis Bacon
Yes, if it is bad enough. Examples:
Sp/k)]Vi5PTa
h@#FZh_\,
_HA67C_1N{vh
Of course no password is secure if you use it on more than one site.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
This means that most slashdot posters are safe. Seriously, the worst spelling and grammar I see online are right here amongst what should be a well-educated group of people.
Because not all systems can handle Unicode
I was under the impression that any system that could handle XML or HTML5 could handle at least the Basic Multilingual Plane of Unicode in UTF-8 encoding.
Furthermore, there are multiple valid Unicode encodings for the same character stream.
The Unicode Standard describes several canonicalization processes that can be applied before hashing the password for storage.
If grammar is relevant at all, your password should already be long enough to be pretty secure.
You must know a lot of people that share the same phone.
That I do. Many are land lines in multi-person households. And being public keys (in the SQL "primary key" sense, not the cryptographic sense), they don't change every 45 days.
Until you end up having to log in without being allowed to connect the device carrying your encrypted keychain to the Internet. This may be the case if you keep your encrypted keychain on a laptop, Wi-Fi-only tablet, or USB drive, or if your smartphone has no data coverage where you are.
In fact, even if you have a shit password (e.g., "changeme1234"), if the website limits the number of tries to 3 times a day, you're probably safe for at least a year or two.
Except from denial of service, where someone with a list of usernames he wants to attack enters those usernames with "P00-p00" as the password three times in a row. Then the legitimate owners of those accounts can't log in.
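The denial-of-service problem described in the reply above is easy to show with a small simulation. This Python is an added example, not code from either poster: it contrasts the per-account lockout being discussed (three failures lock the account, whatever their source) with a throttle that counts failures per (account, source) pair and per source, so a stranger's failures do not lock the owner out. The user table, addresses and passwords are constructed for the demonstration.

```python
from collections import defaultdict
import hmac

# Constructed toy credential store; plain strings for demonstration only
# (a real system stores salted hashes and compares digests).
USERS = {"alice": "correct horse battery", "bob": "changeme1234"}

def check_password(user: str, password: str) -> bool:
    return hmac.compare_digest(USERS.get(user, ""), password)

class AccountLockout:
    """Policy from the thread: N wrong attempts lock the account, whoever sent them."""
    def __init__(self, max_failures: int = 3):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def login(self, user: str, source: str, password: str) -> str:
        if self.failures[user] >= self.max_failures:
            return "locked"            # the legitimate owner is refused too
        if check_password(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "rejected"

class PerSourceThrottle:
    """Count failures per (user, source) pair and per source address."""
    def __init__(self, max_pair_failures: int = 3, max_source_failures: int = 20):
        self.max_pair_failures = max_pair_failures
        self.max_source_failures = max_source_failures
        self.pair_failures = defaultdict(int)
        self.source_failures = defaultdict(int)

    def login(self, user: str, source: str, password: str) -> str:
        if (self.pair_failures[(user, source)] >= self.max_pair_failures
                or self.source_failures[source] >= self.max_source_failures):
            return "throttled"         # only this source is held back
        if check_password(user, password):
            self.pair_failures[(user, source)] = 0
            return "ok"
        self.pair_failures[(user, source)] += 1
        self.source_failures[source] += 1
        return "rejected"

# Constructed scenario: three wrong guesses for alice from one address,
# then alice herself logging in from her own address.
STRANGER, OWNER = "203.0.113.9", "198.51.100.7"
SCENARIO = [
    ("alice", STRANGER, "P00-p00"),
    ("alice", STRANGER, "P00-p00"),
    ("alice", STRANGER, "P00-p00"),
    ("alice", OWNER, "correct horse battery"),
]

def run(limiter, scenario=SCENARIO) -> list:
    """Feed the scenario through a limiter and return the per-attempt outcomes."""
    return [limiter.login(u, s, p) for u, s, p in scenario]

if __name__ == "__main__":
    print("account lockout:", run(AccountLockout()))
    print("per-source     :", run(PerSourceThrottle()))
```

With the account lockout the owner's correct login comes back `locked`; with the per-source throttle it comes back `ok`, while a fourth attempt from the stranger's address is still refused. The per-source count alone is not a complete defence, since failures can be spread over many sources, so production systems pair it with slower per-account limits, step-up verification or notification to the owner; the point shown here is only that the lockout rule chosen decides who ends up denied.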
Were you also under the impression that all systems can handle XML and HTML5, and that all systems are UTF-8?
So which one do I pick? Where is your actual argument that there is a benefit to using Unicode for passwords? Most importantly: What benefit do I get if I bother? These are just a few of the questions people should be asking themselves at this point.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
I also store my passwords in an encrypted keychain, but sometimes it's nice to be able to get some passwords without having to look it up. For example both iTunes and Windows RT require me to enter passwords when buying new apps or add-ons. Switching to another app to cut & paste in the password will often cancel the sale. So I memorized those passwords because it's simpler. Likewise when administrating machines at work I don't want to have to dig up my keychain just to log into the server farm, especially if I'm logging in at someone else's desktop—which won't have my keychains—to fix a toolset problem.
That's great until you have to use a different keyboard layout.
Or a different operating system which uses a different method of entering extended characters.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
For web passwords, you'd probably end up with tons of encoding errors. You don't want to have a password which if set with browser X will fail when used on browser Y.
The Tao of math: The numbers you can count are not the real numbers.
I speak English and Swedish. I find it easy to concoct "Swinglish" words and phrases that are invalid in any language yet easy for me to remember.
I think that ought to be secure.
"Let me in" and "I love you" are both correct grammar.
Indeed. So it clearly would be best if we all switched to "letiin" and "ilovesyou".
You are aware that for some keyboard layouts even the number of keys differs? And even for the others it is not trivial for all keys to decide which one is "the same" key between layouts.
The Tao of math: The numbers you can count are not the real numbers.
I usually think of a phrase, take the first letter of each word, and leetify some of the letters. "My what a lovely unicorn with no horn you have" becomes MwalUwnHuh which then becomes Mw@lUw!Huh.
My phrases are generally song lyrics, and yes I do need to write them down until I've used them 3-4 times.
I just notice that my editing made things worse ... "the others" in the second sentence means the keys which are found on both layouts.
The Tao of math: The numbers you can count are not the real numbers.
I'm sure that's already in all dictionaries.
The Tao of math: The numbers you can count are not the real numbers.
Because not all systems can handle Unicode, and Unicode itself has multiple internal representations (UTF-8, UTF-16.) Furthermore, there are multiple valid Unicode encodings for the same character stream.
Just take whatever is given into canonically pre-decomposed UTF-8. I mean there are people using Unicode in their file system and they have no problems with this.
You are not understanding the point at all. There is no benefit to the approach, only added complexity and potential for bugs. It can only decrease security, and will never increase it. Enough said on the subject?
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
I agree, actually - and I do have my more frequently-used passwords memorized (e.g. my account at work; my Gmail account; my iTunes account; particular server passwords).
Heck, for accounts I regularly use it would've been hard NOT to memorize the passwords!
#DeleteChrome
Just don't be stupid, really that's it.
You can use all the password tips in the world but never use one that's restrictive.
Every restriction you add makes it that much easier to guess.
This includes grammar; there are far fewer ways to be grammatically correct than not. So I don't really understand how this got published. What's the point of proving the obvious?
Hell, you can use all the tips in the world if you want; let's start.
30 days: V%w#tVmi6
60 days: V%w#I love lamp.tVmi6
90 days: passwordV%w#I love lamp.tVmi6
180 days: passwordV%w#I love lamp.tVmi6
360 days: passwordV%w#I love lamp.tVmi6 Dis_thingizgettingl0gandstuFf
Getting sick of the long ass password day: gettingl0gandstuFf lava Cheetos 2+2
If you can't tell I'm just adding stuff.
Check this one out: _letmein123qwerty45iloveyou_
Or this one: !Call now and get a free pineapple for only $19.95!
But if you force your employees to use rules like "you must use 3 characters of each type", you're going to end up with half your employees or users using 111!!!QQQqqq
Allyerpa55wurdrbelong2us
I worked one place where the password must be 6 alphas and 2 digits. The issue was that some legacy systems must have 8 chars (no more) and there was a policy of 2 numbers (for security) and some legacy systems couldn't handle a password starting with a number. With a 60-day reset, everyone just picked a 6 letter word, and cycled through 01-09 or so (based on how many times you reset your password in a year, no reuse within a year, and the warnings started at 45 days, so you could use 9 in a year if you reset on the first warning, 6 if you waited). Essentially a 6 character password.
Learn to love Alaska
I locked out a system account once. "forest" was the password, and I thought forrest was spelled with two r's (both are correct, one is more correct). A bit embarrassing to tell the manager I locked myself out.
Learn to love Alaska
When I had to set a password once, I had recently noticed that my wall-jack had a number on it that wasn't mine. So there it was. And if I ever forgot it, it was written right there. Anyone breaking in wouldn't have ever noticed it, but it was always written down for me.
Learn to love Alaska
Make it over 23 letters (or 24, I forget). The end. That's unhackable by anything anywhere ever. Then it can be "gorillasgorillasgorillas1" and it won't matter because nobody could ever possibly hack it.
My home WPA password works on that premise. It's not in the dictionary, not random letters and numbers either but is easy enough to spell when heard if family or a friend visiting need access.
Chewbacon
The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
Dictionary attacks aren't always that useful for authentication systems that block logins on an account after a few missed attempts. However, a few stripped-down NAS nasties are set to allow infinite login attempts. It was kind of fun watching the password attempts; they were sort of half dictionary, half psychology, lots of old favourites. But they were all single words, I noticed, and not very long at that.
Do not mock my vision of impractical footwear
Yoda ask -- answers he will give?
even Something like this" could screw up a grammer based guesser .
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
It is a well known fact that choosing words you will find in a dictionary as your password is not a good idea.
It's a better idea than a single word, or name, which is what many people still do. Anyway, even if you use real words, with the English language having well over 100,000 words, a few words gives you a very, very large space. Using correct grammar cuts it down, of course. But TFA was about attacks trying billions of passwords. What kind of idiotic system allows someone to attempt to log in billions of times at high speed?
Personally, I'd go for words in the Inuit language(s). Inuit words are so wonderfully impossible to guess from a dictionary because of the nature of the language; consider the following example:
umiaq: a large boat - a 'wife boat'
umiarssuaq: a big wife boat - i.e. a ship
umiarssualivik: a place for a ship: a harbour
umiarssualivinnguaq: a small harbour
etc
Combine that with a complex grammar and the fact that the rules for spelling are somewhat uncertain, and you have the perfect passwords, easy to remember and write, hard to crack, I think.
On old phones I could tell numbers by what tone it would play, and knew if the number was right immediately.
Today, cell phone numbers are so many and varied that I just backup my contact list every once in a while.
Defining Statistics and Social Research
Can bad grammar really make your password secure?
not any longer.
If Pandora's box is destined to be opened, *I* want to be the one to open it.
Because not all systems can handle Unicode, and Unicode itself has multiple internal representations (UTF-8, UTF-16.) Furthermore, there are multiple valid Unicode encodings for the same character stream.
You've just said one thing twice in two sentences.
Ezekiel 23:20
Just exactly HOW does it decrease security? I can certainly imagine a "doesn't work at all" failure mode for such a system, but a "sort of works but security is compromised" scenario eludes me.
Ezekiel 23:20
It is "frist psot." Learn to spell correctly!
So, are you telling me, that fascinating (unreadable) short-text/sms-language has a purpose after all?! :)
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
A large space, but still an easily searchable one, given enough time, and a system that allows dictionary attacks, which many do, even though it would be easy enough to disallow it.
So why do that, when it's easy enough to use words that are still words, but not words in standard dictionaries? (i.e. names of fictional characters, words made up by the company you work for or that are specific jargon of your field, internet memes, etc.)
So why do that, when it's easy enough to use words that are still words, but not words in standard dictionaries? (i.e. names of fictional characters, words made up by the company you work for or that are specific jargon of your field, internet memes, etc.)
Because the "geekily obscure" words like that are the very first ones that will be checked. Geeks have been using words from Tolkien and such as logins and passwords from the dawn of time. I remember one guy who was mystified that his password "THX-1138" had been cracked by someone... I had a hard time not laughing.
By "public key" I meant that a phone number is a published natural key, intended for the general public to use as a key to place a voice call to a household. The opposite would be something like a Social Security number, a natural key that's not to be spread around because taxing authorities and creditors rely on it as part of proof of identity.
No I didn't. In UTF-8, which is one internal representation, there are multiple/different valid encodings for the same streams. You simply didn't understand what was written.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Exactly the point! In the real world software is implemented by humans, and sometimes even that which should be obvious eludes them ;-) When you implement additional complexity you increase the chance to introduce an exploitable bug into the system. Again, complexity is the enemy of security. I'm guessing you don't write software, but if you do then you really should read up on secure programming.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
I get FIOS for $40/month, adding a phone would double that
For someone with fiber, cable, or DSL Internet access, a VoIP line from magicJack can cost less than $2 per month. That's still "nearly free" to me, (backpedals slightly) even if it isn't offered by the phone company. To me, magicJack and other similar VoIP providers are still a "land line" in the sense of being delivered over a wired network and assigning a phone number to a household rather than a single person.
Untranslated, Vogon poetry.
the only problem with this, is those damn sites that have a MAXIMUM password length. WTF is with that? assholes.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
Point me to where in the SQL specification it mentions whether a key is widely known or not.
It's not in the SQL specification; it's in the business rules that a developer implements using SQL.
And as far as I'm aware, there's no directory for mobile numbers.
There's a paper directory for land lines, and there's Facebook for mobile numbers of Facebook members. But more generally, there's a reason for someone to publish a phone number if he wants to be contacted. There isn't much reason to publish a Social Security number except perhaps as a publicity stunt for an identity theft protection business that one runs.
Finally, does the phrase "ex directory" ring a bell?
Traditionally, being "ex directory" has cost more per month. And people who want to be contacted publish a phone number even if their carrier does default to "ex directory".
But I don't see any sort of *vulnerable* complexity. Each Unicode string maps uniquely to one byte representation (say, UTF-8), which gets hashed. Any problem with the security of this scenario is the same as the corresponding problem of hashing an ASCII string. And yes, I *do* program, and I *do* like things simple. The thing is, a UTF-8 coder *is* simple.
Ezekiel 23:20
No I didn't. In UTF-8, which is one internal representation, there are multiple/different valid encodings for the same streams.
Care to elaborate? I simply can't see how a single codepoint sequence can be encoded into multiple different byte sequences. With UTF-16 and UTF-32, you at least can point to problems with endianness, but with UTF-8?
Ezekiel 23:20
Random characters of upper lower case and numeric can be memorized by anyone up to 10 or 12 characters. These make the best passphrases. Simply use a program to randomly generate sets of 10 random values for you and select one.
Second, these passphrases should be used to unlock the set of keys you use for login. Login passwords to websites should not be something inside your head, because there is no possibility you can ever memorize strong enough passwords for 20 or more websites. Passwords to website logins should be 64 random characters, making any brute force attempts useless. Since website logins no longer use passwords in your head, you will not be able to log in to, say, Gmail from someone else's computer. Good! It is a bad security practice to type passwords into any device you do not own.
The real issue with passwords is that you need so many of them. People make and use weak passwords because there is no possibility to remember a multitude of them. Or worse, they have a limited set of say 3 good passwords that they reuse across multiple 3rd party sites. How dangerous! The real issue with passwords is that websites allow you to type them from the keyboard. Websites should switch to a common mechanism of using local system keychaining software. Firefox is a good example of this, where the passwords are stored locally and strongly encrypted with a locally entered passphrase. The only part missing is for websites to stop allowing users to generate the passwords and force them to be long and strong random values generated within Firefox itself.
A) There is no other kind of complexity but potentially vulnerable complexity. B) You don't understand the basics of secure programming. As I said, you need to learn about it. C) If you like things simple, then you don't seek to implement solutions that don't solve an actual problem.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
You are right that I should have said any other UTF-* but UTF-8. That being said, you need simply google around to find a hundred reasons why it is a bad idea, including this from Wikipedia: "A UTF-8 parser that is not compliant with current versions of the standard might accept a number of different pseudo-UTF-8 representations and convert them to the same Unicode output. This provides a way for information to leak past validation routines designed to process data in its eight-bit representation." You can say "Oh, but mine will be compliant!" all day, but the point is that it might or might not be, even if you think it is. Again, it is a case of nothing ventured, nothing lost. You can only possibly create a problem, and never solve one by doing it, ergo it is a truly horrible idea.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
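To make the canonicalization step argued over in this sub-thread concrete (normalize, then encode, then hash; reject non-compliant byte forms on the way in), here is an added Python example. It is not code from any poster or from the NewScientist/CMU article: the password is normalized to Unicode NFC, encoded as strict UTF-8, and only then salted and hashed with PBKDF2; submitted bytes are decoded with the strict decoder, which refuses overlong "pseudo-UTF-8" forms such as the two-byte encoding of `/`. The sample strings, salt handling and iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

def canonical_password_bytes(password: str) -> bytes:
    # Normalize to NFC so that the precomposed and the combining-sequence
    # spelling of the same text become one code point sequence, then encode
    # as strict UTF-8 (lone surrogates raise instead of being emitted).
    normalized = unicodedata.normalize("NFC", password)
    return normalized.encode("utf-8", errors="strict")

def decode_submitted_bytes(raw: bytes) -> str:
    # Strict decoding rejects overlong sequences, surrogate code points and
    # truncated multibyte forms instead of mapping them onto some code point.
    return raw.decode("utf-8", errors="strict")

def is_valid_utf8(raw: bytes) -> bool:
    try:
        decode_submitted_bytes(raw)
    except UnicodeDecodeError:
        return False
    return True

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> Tuple[bytes, bytes]:
    # Salted PBKDF2-HMAC-SHA256 over the canonical bytes; returns (salt, digest).
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonical_password_bytes(password),
                                 salt, iterations)
    return salt, digest

def verify_password(password: str, salt: bytes, expected: bytes,
                    iterations: int = 200_000) -> bool:
    # The identical canonicalization runs at login; compare in constant time.
    digest = hashlib.pbkdf2_hmac("sha256", canonical_password_bytes(password),
                                 salt, iterations)
    return hmac.compare_digest(digest, expected)

# Constructed sample inputs for the demonstration.
PRECOMPOSED = "caf\u00e9"        # 'café' written with U+00E9
DECOMPOSED = "cafe\u0301"        # 'café' written as 'e' + U+0301 combining acute
OVERLONG_SLASH = b"\xc0\xaf"     # overlong two-byte encoding of '/', invalid UTF-8

if __name__ == "__main__":
    salt, digest = hash_password(PRECOMPOSED)
    print("decomposed spelling verifies:", verify_password(DECOMPOSED, salt, digest))
    print("overlong bytes accepted:", is_valid_utf8(OVERLONG_SLASH))
```

The two spellings of "café" differ as Python strings and as raw UTF-8, yet produce the same digest, which is the property the poster who mentioned canonicalization was after; the overlong slash is refused at the byte layer before any normalization runs. Whether a deployment picks NFC or NFKC is a policy choice, but whichever form is chosen must be applied identically at enrolment and at every later login, or users will be locked out by the keyboard or platform they happen to type from.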
You can say Oh, but mine will be compliant! all day, but the point is that it might or might not be, even if you think it is.
It's what, ten lines of code? If you're attempting to write a secure software system and can't write even just ten lines of code correctly, you're screwed up anyway.
Ezekiel 23:20
If you think it is ten lines of code then you truly are incompetent.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun