Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

Passphrases only marginally more secure than passwords because of poor choices

From: InfoSec News <alerts () infosecnews org>
Date: Thu, 15 Mar 2012 02:22:44 -0500 (CDT)
http://arstechnica.com/business/news/2012/03/passphrases-only-marginally-more-secure-than-passwords-because-of-poor-choices.ars

By Dan Goodin
Ars Technica
March 14, 2012
Passwords that contain multiple words aren't as resistant as some researchers expected to certain types of cracking attacks, mainly because users frequently pick phrases that occur regularly in everyday speech, a recently published paper concludes.
Security managers have long regarded passphrases as an easy-to-remember way to pack dozens of characters into the string that must be entered to access online accounts or to unlock private encryption keys. The more characters, the thinking goes, the harder it is for attackers to guess or otherwise crack the code, since there are orders of magnitude more possible combinations.
But a pair of computer scientists from Cambridge University has found that a significant percentage of passphrases used in a real-world scenario were easy to guess. Using a dictionary containing 20,656 phrases of movie titles, sports team names, and other proper nouns, they were able to find about 8,000 passphrases chosen by users of Amazon's now-defunct PayPhrase system. That's an estimated 1.13 percent of the available accounts. The promise of passphrases' increased entropy, it seems, was undone by many users' tendency to pick phrases that are staples of the everyday lexicon.
"Our results suggest that users aren't able to choose phrases made of completely random words, but are influenced by the probability of a phrase occurring in natural language," researchers Joseph Bonneau and Ekaterina Shutova wrote in the paper (PDF), which is titled "Linguistic properties of multi-word passphrases." "Examining the surprisingly weak distribution of phrases in natural language, we can conclude that even 4-word phrases probably provide less than 30 bits of security which is insufficient against offline attack," the paper says. 

[...]


______________________________________________________________________________
ISSMP, CISSP, and Certified Ethical Hacker training with Expanding Security
gives the best training and support.  Get a free live class invite weekly.
Best program, best price. http://www.ExpandingSecurity.com/PainPill
Previous By Date Next
Previous By Thread Next

Current thread: