Slashdot Mirror


Bad Grammar Make Bestest Password, Research Say

An anonymous reader writes "NewScientist reports, 'Along with birthdays, names of pets and ascending number sequences, add one more thing to the list of password no-nos: good grammar.' Researchers from Carnegie Mellon University seem to have developed a password cracking algorithm that targets grammatically correct passwords. Can bad grammar really make your password secure?"

30 of 193 comments

  1. Certainly by vAltyR · · Score: 3, Insightful

    There are many more ways to have bad grammar than there are to have good grammar.

    1. Re:Certainly by davester666 · · Score: 2

      In other news, making spelling mistakes defeats a dictionary attack.

      Because by spelling the words wrong, they no longer appear in the set of words known as "the dictionary".

      --
      Sleep your way to a whiter smile...date a dentist!
    2. Re:Certainly by mwvdlee · · Score: 3, Insightful

      Unless those dictionaries contain common misspellings, which they probably already do.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    3. Re:Certainly by AmiMoJo · · Score: 2

      It's actually fairly easy to do algorithmically, in the same way many password crackers already try common number/letter replacements (pa55w0rd), adding single digits and dates to the end of dictionary words, capitalizing the first letter or every other letter etc. Just append -ed and -ing to every word, drop silent k's, reverse i and e (e.g. recieve) and so forth.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
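
Added example, not from the commenter: the defensive counterpart of the mangling rules listed above. A password-acceptance check that applies the inverse of each rule (undo leet substitutions, strip appended digits/dates, restore a dropped silent k, swap ie/ei, strip -ed/-ing/-s) until it reaches a fixed point, then asks whether any resulting form is a plain dictionary word. The word list is a constructed stand-in for a real cracking dictionary.

```python
import re

# Constructed mini word list standing in for a real cracking dictionary.
WORDLIST = {"password", "receive", "welcome", "dragon", "knight"}

# Undo the common letter/number substitutions ("pa55w0rd" -> "password").
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})

def _strip_suffix(suffix):
    return lambda f: f[:-len(suffix)] if f.endswith(suffix) else f

# One inverse rule per mangling trick named in the comment above.
RULES = [
    lambda f: f.translate(UNLEET),                  # leet substitutions
    lambda f: re.sub(r"[^a-z]+$", "", f),           # appended digits, dates, punctuation
    lambda f: "k" + f if f.startswith("n") else f,  # dropped silent k ("night" -> "knight")
    lambda f: f.replace("ie", "ei"),                # ie/ei swaps ("recieve" -> "receive")
    lambda f: f.replace("ei", "ie"),
] + [_strip_suffix(s) for s in ("ing", "ed", "d", "s")]  # -ed/-ing/plural endings

def base_forms(candidate):
    """Every string reachable from the candidate by repeatedly applying the
    inverse rules. Case is dropped first, which also covers the
    capitalised-first-letter and alternating-case variants."""
    forms = {candidate.lower()}
    while True:
        new = {rule(f) for f in forms for rule in RULES} - forms
        if not new:
            return {f for f in forms if f}
        forms |= new

def dictionary_root(candidate):
    """Return a dictionary word the candidate was derived from, or None."""
    hits = base_forms(candidate) & WORDLIST
    return min(hits) if hits else None

def acceptable(candidate, min_len=12):
    """Policy check: long enough and not a mangled single dictionary word."""
    return len(candidate) >= min_len and dictionary_root(candidate) is None
```

A real checker would also split on separators and rank multi-word phrases, as zxcvbn-style estimators do; this block only shows the single-word case.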
    4. Re:Certainly by Cryacin · · Score: 2

      canIhazzhorzeburgerz

      Great. Now I ahve to change my pssaword againz.

      --
      Science advances one funeral at a time- Max Planck
    5. Re:Certainly by Anonymous Coward · · Score: 2, Insightful

      Well, if we didn't say it, they'd all make their passwords "password", their own first name, or some other amazingly simple word.

      They always glaze over when you try to explain strong passwords. No matter what you tell them, you can always sit down at their desk and say "what's your password?", just to find out it's "Password1" or "1234567A".

      For everything outside of my place of work, I use a password safe program and (if I can) at least a 42 character password using the largest possible set, generated randomly.
      At work, where I'm not allowed to use a password safe and am required to memorize no fewer than 30 passwords, most of which have to be updated at least monthly, and cannot use any password I've used in the last 6 months... my password is my first name and last initial, followed by a number which is how many times I've had to reset it. Yes, it's weak. No, I really don't give a shit. They drove me to this point with their dumbass fucking password policies and I've got better things to do with my time.

      The reason why my eyes glaze over is because I'm having visions of murdering your stupid fucking ass in the parking lot after work. If you were worth even half a shit at your job you'd never need to ask my password in the first place.

  2. Of coarse by ArcadeMan · · Score: 5, Funny

    Shekuritee bai aubskureeti.

    1. Re:Of coarse by sumdumass · · Score: 2

      security by obscurity.

      And I don't agree with it necessarily being a bad thing unless it's the only approach taken. As a layer, it increases the effectiveness of other security.

    2. Re:Of coarse by 93+Escort+Wagon · · Score: 2

      It's rapidly becoming apparent that many Slashdotters don't understand the difference between grammar and spelling.

      --
      #DeleteChrome
    3. Re:Of coarse by davidwr · · Score: 2

      It's rapidly becoming apparent that many Slashdotters don't understand the difference between grammar and spelling.

      Gram are in gram crackers.
      Spelling your drink makes a mess.

      Spelling your gram crackers makes a mess two but it's not as messie.

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  3. Re:obvisouly by Dexter+Herbivore · · Score: 5, Funny

    I was going to post "frist!" but that's my password.

  4. Corollary by eksith · · Score: 3, Insightful

    Entering wrong infromation for password reminders / security questions.

    --
    If computers were people, I'd be a misanthrope.
    1. Re:Corollary by petteyg359 · · Score: 2

      My typical password reminder is "Fuck you." Good luck figuring out what my password is with that hint :)

    2. Re:Corollary by rubycodez · · Score: 2

      yourplaceormine,bitch?

    3. Re:Corollary by jones_supa · · Score: 4, Insightful

      Entering wrong infromation for password reminders / security questions.

      My opinion is that password hints and security questions are really just a bad idea which websites should possibly stop using completely. They can easily ruin the whole security even if your password itself is robust.

  5. Article is very light on details by parallel_prankster · · Score: 4, Interesting

    Are there infinite ways to screw grammar while creating a password? I would think there are certain patterns in which people misuse grammar. I would imagine though that at some point if everyone started using bad grammar styles for constructing passwords, those patterns would become identifiable and then someone would put together a password cracker that would deal with poor-grammar-filled passwords as well, right? I couldn't find the exact paper to read but the example on the website "ihave3cats" seems to be like a language thing that can be identified at some point by some urban dictionary reader!

    1. Re:Article is very light on details by McGruber · · Score: 3, Interesting

      Are dere infinite ways t'screw grammar while creatin' passwo'd? ah' would dink dere are certain patterns in which sucka's mis-use grammar. Ah be baaad... ah' would imagine dough dat at some point if every one started usin' bad-ass grammar styles fo' constructin' passwo'ds, dat dose patterns would become identifiable and den someone would put togeda' a passwo'd cracka' dat would deal wid poo'-grammar-filled passwo'ds as sheeit right? ah' couldn't find da damn exact sheet t'read but da damn example on de website "igots'3cats" seems t'be some likes some language wahtahmellun dat kin be identified at some point by some urban dicshunary eyeballer. Right On!

    2. Re:Article is very light on details by mysidia · · Score: 2

      It would be better to have no grammar structure at all in passwords, good or bad. Select a random assortment of words, not words that can be strung together using conventional grammar rules, or even distortions of conventional grammar rules.

      And transform any words in such a way that no word used is a legitimate word.

      3hav-ayekatkitt-ees

  6. Re:My question is this: by eksith · · Score: 4, Insightful

    Easier than sanitizing correctly. Honestly, it's just laziness. There are also some places that actually send you the bloody password from the database when you enter an email (because that's also easier), instead of salt+hashing and just resetting it. And a unicode password would cause issues in the carefully crafted HTML layout of reset email. These are actual excuses I was given by a project manager. He doesn't work with us anymore.

    --
    If computers were people, I'd be a misanthrope.
  7. Re:Randomized passwords are the best by bp+m_i_k_e · · Score: 5, Insightful

    None of your phone numbers are changed every 30/60/90 days, while some of your passwords are.

  8. Re:Randomized passwords are the best by ArcadeMan · · Score: 4, Interesting

    I don't memorize phone numbers, I memorize the 3x4 grid pattern required to dial it.

  9. Re:My question is this: by CodeheadUK · · Score: 5, Insightful

    A paranoid colleague of mine composed passwords with a sprinkling of extended chars. He entered the whole thing on the numeric keypad with ALT held down.

    I've no idea what his password(s) were, but they caused quite a few badly written apps to explode in a spectacular shower of exceptions and unhandled input errors.

  10. Re:Randomized passwords are the best by Sique · · Score: 3, Informative

    Actually, no. Phone numbers contain much context (e.g. area code), and they have a very limited alphabet (just the numbers 0-9). A random password can use a much larger alphabet and contains much less context. So, memorizing a ten character password is definitely harder than a ten digit phone number.

    --
    .sig: Sique *sigh*
  11. If Music Be The Food Of Love, Log In by the+monolith · · Score: 4, Interesting

    Instead of using words, how about playing the keyboard as if it were a piano (or any other keyboard-like instrument).

    Here is an example of a musical login: pvy89pvvv[890[]vv

    For this example, position your right hand with the thumb on the 'v' key, then play the sequence as if they were notes, then listen to C.P.E. Bach - Minuet In G Major for what it should really sound like.

    If you like impressive music, try: uppvyuvyyyyuyvvyuvyuppvyuvyyyyuyvvyuyv
    Leo Arnaud - Bugler's Dream

  12. Re:Randomized passwords are the best by maxwells_deamon · · Score: 5, Insightful

    I don't have a different phone number for every person I call. People I call do not make up rules like my phone number must be at least x characters long, must have a special character in it, can not have a special character in it, must not begin with an upper case letter, must begin with a character, must begin with an emoticon ;-)
    and I don't know what other crap they are about to come up with...

  13. Re:Randomized passwords are the best by houghi · · Score: 4, Funny

    Perhaps not mine, but all the women I meet have a new phone number within 24 hours.

    --
    Don't fight for your country, if your country does not fight for you.
  14. Re:My question is this: by Zero__Kelvin · · Score: 3, Insightful

    "Why don't we allow unicode passwords?"

    Because not all systems can handle Unicode, and Unicode itself has multiple internal representations (UTF-8, UTF-16). Furthermore, there are multiple valid Unicode encodings for the same character stream. In other words, that would be a very bad idea unless you are in an environment where only company approved systems, set up by competent system administrators, are allowed to log in, in which case it would just be a bad idea sans the "very". Even then it is of little value, since a well chosen password still has plenty of entropy, and there is no need to add complexity to the auth system (complexity is the enemy of security).

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
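
Added example, not from the commenter: what "multiple valid Unicode encodings for the same character stream" means for a login system. The same visible password is built two ways (precomposed "é" versus "e" plus a combining accent, both constructed here); a server that hashes the raw bytes stores two different values, and the same text in UTF-16 differs again. Normalizing to one form (NFC) and one encoding (UTF-8) before hashing is the extra step a Unicode-aware login has to get right.

```python
import hashlib
import unicodedata

# Constructed example: the same visible password entered two ways.
# "é" as one precomposed code point (U+00E9) vs "e" + combining acute (U+0301).
PRECOMPOSED = "caf\u00e9-secret"
DECOMPOSED = "cafe\u0301-secret"

def naive_digest(password, encoding="utf-8"):
    """Hash the bytes exactly as received. Two clients sending the same text
    in different normalization forms or encodings get different digests,
    so the user is locked out of an account whose password they know."""
    return hashlib.sha256(password.encode(encoding)).hexdigest()

def canonical_bytes(password):
    """Fix one normalization form (NFC) and one encoding (UTF-8) before
    hashing, so every valid representation of the text maps to one value."""
    return unicodedata.normalize("NFC", password).encode("utf-8")

def canonical_digest(password):
    # SHA-256 keeps the demo dependency-free; a real store runs a slow
    # password hash (argon2, bcrypt) over exactly these canonical bytes.
    return hashlib.sha256(canonical_bytes(password)).hexdigest()

def representations_agree(digest_fn):
    """True when both spellings of the password map to the same stored value."""
    return digest_fn(PRECOMPOSED) == digest_fn(DECOMPOSED)
```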
  15. Lockout DOS by tepples · · Score: 2

    In fact, even if you have a shit password (e.g., "changeme1234"), if the website limits the number of tries to 3 times a day, you're probably safe for at least a year or two.

    Except from denial of service, where someone with a list of usernames he wants to attack enters those usernames with "P00-p00" as the password three times in a row. Then the legitimate owners of those accounts can't log in.
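
Added example, not from the commenter: the two lockout policies side by side. `AccountLockout` is the per-account rule described above, which lets anyone with a username list lock the real owner out; `PerSourceThrottle` budgets failures per (account, source) pair inside a sliding window, so a remote guesser exhausts only its own budget. Names, the injectable clock and the documentation-range addresses are all constructed for the demo.

```python
import time
from collections import defaultdict, deque

class AccountLockout:
    """Policy from the comment: N failures on an account block it for everyone."""
    def __init__(self, limit=3):
        self.limit = limit
        self.failures = defaultdict(int)

    def allowed(self, user, source):
        return self.failures[user] < self.limit

    def record_failure(self, user, source):
        self.failures[user] += 1

class PerSourceThrottle:
    """Count failures per (account, source) pair within a window. The owner's
    own source keeps its full budget no matter what other sources do.
    `clock` is injectable so the window can be tested without waiting."""
    def __init__(self, limit=3, window_seconds=86400, clock=None):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock or time.monotonic
        self.failures = defaultdict(deque)  # (user, source) -> failure timestamps

    def _prune(self, key):
        now = self.clock()
        q = self.failures[key]
        while q and now - q[0] >= self.window:  # drop failures outside the window
            q.popleft()
        return q

    def allowed(self, user, source):
        return len(self._prune((user, source))) < self.limit

    def record_failure(self, user, source):
        self._prune((user, source)).append(self.clock())

def simulate(policy, attacker="198.51.100.7", owner="192.0.2.10"):
    """Constructed scenario from the comment: three wrong guesses on 'alice'
    from one remote source, then the owner tries to log in from her own."""
    for _ in range(3):
        if policy.allowed("alice", attacker):
            policy.record_failure("alice", attacker)
    return policy.allowed("alice", owner)
```

Per-source budgets alone do not stop guessing spread across many sources, so keep the per-account failure count too, but as a signal (alert, step-up authentication) rather than a hard lock.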

  16. Re:My question is this: by Zero__Kelvin · · Score: 2

    You are not understanding the point at all. There is no benefit to the approach, only added complexity and potential for bugs. It can only decrease security, and will never increase it. Enough said on the subject?

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  17. Re:"Can bad grammar make your password secure?" by darkonc · · Score: 2

    You realize, of course, that those passwords compile properly in perl?

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.