Bad Grammar Make Bestest Password, Research Say

An anonymous reader writes "NewScientist reports, 'Along with birthdays, names of pets and ascending number sequences, add one more thing to the list of password no-nos: good grammar.' Researchers from Carnegie Mellon University seem to have developed a password cracking algorithm that targets grammatically correct passwords. Can bad grammar really make your password secure?"

Certainly

[vAltyR]

There are many more ways to have bad grammar than there are to have good grammar.

Re:Certainly

[mwvdlee]

Unless those dictionaries contain common misspellings, which they probably already do.

Of coarse

[ArcadeMan]

Shekuritee bai aubskureeti.

Re:obvisouly

[Dexter+Herbivore]

I was going to post "frist!" but that's my password.

Corollary

[eksith]

Entering wrong infromation for password reminders / security questions.

Re:Corollary

[jones_supa]

Entering wrong infromation for password reminders / security questions.

My opinion is that password hints and security questions are really just a bad idea which websites should possibly stop to use completely. They can easily ruin the whole security even if your password itself is robust.

Article is very light on details

[parallel_prankster]

Are there infinite ways to screw grammar while creating password? I would think there are certain patterns in which people mis-use grammar. I would imagine though that at some point if every one started using bad grammar styles for constructing passwords, that those patterns would become identifiable and then someone would put together a password cracker that would deal with poor-grammar-filled passwords as well right? I couldn't find the exact paper to read but the example on the website "ihave3cats" seems to be a like a language thing that can be identified at some point by some urban dictionary reader!

Re:Article is very light on details

[McGruber]

Are dere infinite ways t'screw grammar while creatin' passwo'd? ah' would dink dere are certain patterns in which sucka's mis-use grammar. Ah be baaad... ah' would imagine dough dat at some point if every one started usin' bad-ass grammar styles fo' constructin' passwo'ds, dat dose patterns would become identifiable and den someone would put togeda' a passwo'd cracka' dat would deal wid poo'-grammar-filled passwo'ds as sheeit right? ah' couldn't find da damn exact sheet t'read but da damn example on de website "igots'3cats" seems t'be some likes some language wahtahmellun dat kin be identified at some point by some urban dicshunary eyeballer. Right On!

Re:My question is this:

[eksith]

Easier than sanitizing correctly. Honestly, it's just laziness. There are also some places that actually send you the bloody password from the database when you enter an email (because that's also easier), instead of salt+hashing and just resetting it. And a unicode password would cause issues in the carefully crafted HTML layout of reset email. These are actual excuses I was given by a project manager. He doesn't work with us anymore.

Re:Randomized passwords are the best

[bp+m_i_k_e]

None of your phone numbers are changed every 30/60/90 days, while some of your passwords are.

Re:Randomized passwords are the best

[ArcadeMan]

I don't memorize phone numbers, I memorize the 3x4 grid pattern required to dial it.

Re:My question is this:

[CodeheadUK]

A paranoid colleague of mine composed passwords with a sprinkling of extended chars. He entered the whole thing on the numeric keypad with ALT held down.

I've no idea what his password(s) were, but they caused quite a few badly written apps to explode in a spectacular shower of exceptions and unhandled input errors.

Re:Randomized passwords are the best

[Sique]

Actually, no. Phone numbers contain much context (e.g. area code), and they have a very limited alphabet (just the numbers 0-9). A random password can use a much larger alphabet and contains much less context. So, memorizing a ten character password is definitely harder than a ten digit phone number.

If Music Be The Food Of Love, Log In

[the+monolith]

Instead of using words, how about playing the keyboard as if it were a piano (or any other keyboard-like instrument)

Here is an example of a musical login: pvy89pvvv[890[]vv

For this example, position your right hand with the thumb on the 'v' key, then play the sequence as if they were notes, then listen to C.P.E. Bach - Minuet In G Major for what it should really sound like.

If you like impressive music, try: uppvyuvyyyyuyvvyuvyuppvyuvyyyyuyvvyuyv
Leo Arnaud - Buglers Dream

Re:Randomized passwords are the best

[maxwells_deamon]

I don't have a different phone number for every person I call. People I call do not make up rules like my phone number must be at least x characters long, must have a special character in it, can not have a special character in it, must not begin with an upper case letter, must begin with a character, must begin with an emoticon ;-)
and I don't know what other crap they are about to come up with...

Re:Randomized passwords are the best

[houghi]

Perhaps not mine, but all the women I meet have a new phone number within 24 hours.

Re:My question is this:

[Zero__Kelvin]

"Why don't we allow unicode passwords?"

Because not all systems can handle Unicode, and Unicode itself has multiple internal representations (UTF-8, UTF-16.) Furthermore, there are multiple valid Unicode encodings for the same character stream. In other words, that would be a very bad idea unless you are in an environment where only company approved systems, set up by competent system administrators, are allowed to log in, in which case it would just be a bad idea sans the "very". Even then it is of little value, since a well chosen password still has plenty of entropy, and there is no need to add complexity to the auth system (complexity is the enemy of security.)