Every year a variety of technologies emerge that claim to be a replacement for all the bothersome passwords we struggle to remember. If Google has its way, we might even all be wearing password-rings on our fingers one day.
Yet, try as they might, aging password-based systems are still used for most online services — and unfortunately, cracking algorithms are only getting better. Security researcher Ashwini Rao and her colleagues at Carnegie Mellon University recently developed one such algorithm. Its particular speciality is cracking long passwords that make grammatical sense, even when they contain number and symbol substitutions.
Existing password-cracking algorithms work by combining, rearranging and substituting phrases, words and letters, which lets them accurately guess passwords such as “cats”, “catscats” or “catsstac”. Rao’s new algorithm uses natural language processing to combine words, which enables it to crack long, grammatically sensible passwords much faster than previous methods. With this new approach, passwords such as “Ihave3cats” or “Th3r3canonlyb3#1!” can actually be less secure than shorter nonsensical passwords.
Rao’s research showed that 10% of the long passwords cracked by the new grammar-aware algorithm withstood established tools such as John the Ripper and Hashcat. The team based further estimates on systems able to make 33 billion guesses every second, which can be built for less than $3,000 USD — that’s a lot of passwords.
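To make the point concrete, here is an added strength-estimation example (not code from the article or from Rao’s team). It compares the naive estimate a character-count policy implies with the guess space an attacker who knows the phrase’s grammatical structure actually has to search, and converts both into time at the 33-billion-guesses-per-second rate quoted above. The part-of-speech dictionary sizes and the substitution table are assumptions chosen for illustration; real wordlists are larger, but the gap between the two estimates is what matters.

```python
import math

# Assumed dictionary size per part of speech (constructed; real lists are
# larger, but the ratio to the naive estimate is what the comparison shows).
DICT_SIZES = {"PRON": 30, "VERB": 500, "NUM": 10, "NOUN": 2000, "DET": 10, "ADJ": 800}

# Assumed number/symbol substitutions: each letter listed may stay as it is
# or be replaced by one of its alternatives.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}

GUESSES_PER_SECOND = 33e9  # rate quoted in the article


def structure_guess_space(structure):
    """Number of phrases a grammar rule such as PRON VERB NUM NOUN can
    generate: the product of the dictionary sizes of its slots."""
    n = 1
    for pos in structure:
        n *= DICT_SIZES[pos]
    return n


def leet_multiplier(words):
    """Upper bound on substitution variants of a phrase: every substitutable
    letter is either left alone or replaced by one alternative."""
    m = 1
    for ch in "".join(words).lower():
        if ch in LEET:
            m *= 1 + len(LEET[ch])
    return m


def grammar_bits(words, structure):
    """Size in bits of the space an attacker enumerates when guessing
    grammatical phrases of this structure plus their leet variants."""
    return math.log2(structure_guess_space(structure) * leet_multiplier(words))


def naive_bits(password):
    """Strength a character-count policy implies: every character drawn
    uniformly from the union of the character classes present."""
    if not password:
        return 0.0
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33  # printable ASCII punctuation
    return len(password) * math.log2(alphabet)


def seconds_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate in a space of 2**bits guesses."""
    return 2.0 ** bits / rate


def compare(password, words, structure):
    """Return (naive_bits, grammar_bits); the smaller value is the realistic
    strength once the attacker models grammar."""
    return naive_bits(password), grammar_bits(words, structure)


if __name__ == "__main__":
    # "Ihave3cats" parsed as PRONOUN VERB NUMBER NOUN, the article's example.
    naive, grammar = compare("Ihave3cats", ["I", "have", "3", "cats"],
                             ["PRON", "VERB", "NUM", "NOUN"])
    print(f"Ihave3cats: naive {naive:.1f} bits ({seconds_to_exhaust(naive) / 86400:.0f} days), "
          f"grammar-aware {grammar:.1f} bits ({seconds_to_exhaust(grammar):.1f} s)")
    # A random 8-letter lowercase string for comparison: 8 * log2(26).
    rnd = naive_bits("qzmwkrpt")
    print(f"random 8 lowercase letters: {rnd:.1f} bits ({seconds_to_exhaust(rnd):.1f} s)")
```

Under these assumptions the ten-character “Ihave3cats” looks like roughly 60 bits to a length-and-class policy but only about 36 bits to an attacker who enumerates pronoun-verb-number-noun phrases with substitutions: seconds rather than months at 33 billion guesses per second, and weaker than eight random lowercase letters.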
The paper suggests that, in light of this new approach to password cracking, current password policies may actually be encouraging weaker passwords.
“(…) passphrase policies such as ‘choose a password that contains at least 15 characters and at least 4 words with spaces between the words’ may allow weaker passphrases unless they consider user behavior and effect of structure.” – Effect of Grammar on Security of Long Passwords
No one likes having to remember passwords, or having to change them constantly, but keeping track of shifts like this in the password landscape is good practice for anyone who wants to keep their personal information, and in turn their identity and finances, protected online. So next time you’re asked to enter a new password, do yourself a favour and leave proper grammar out of it.
Source: New Scientist, Image credit: flickr.com/intelfreepress