By now, everyone knows the basic rules to creating a strong password — use a mix of upper-case and lower-case letters, throw in numbers and special characters, and of course, make it as long as possible. All those rules might be for naught, however, if your password has any sort of grammatical structure.
New research from Carnegie Mellon University’s Ashwini Rao and colleagues has resulted in an algorithm that, presumably for the first time, places a specific emphasis on incorporating the rules of grammar in its attempts to crack a user’s password. Specifically, the algorithm tackles the increasing trend of very long passwords, usually in the form of a complete sentence.
So for example, the password “IHateMyJob!” could be guessed much more easily than “HateMyIJob!” even though many password-busting algorithms would treat both of those passwords as equal. But according to Rao, even a password like “IHatesMyJob!” would be more secure, simply because it throws a wrench in the works by not following the proper rules of grammar. Those who do incorporate standard grammar, though, are providing a perfectly mapped gateway through Rao’s algorithm.
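To make that point concrete, here is an added toy illustration (not Rao’s algorithm and not code from the article). With small constructed part-of-speech lists, a single grammar template (pronoun, verb, possessive, noun) restricts each slot to one list, so a password that fits the template sits in a much smaller candidate set than one that does not, even when both use the same words.

```python
# Constructed toy vocabularies (assumptions for illustration only); a real
# strength estimator would load part-of-speech lists from a dictionary.
LEXICON = {
    "pronoun": ["i", "you", "we", "they"],
    "verb": ["hate", "love", "like", "need", "want"],
    "possessive": ["my", "your", "our", "their"],
    "noun": ["job", "boss", "cat", "dog", "car", "house"],
}

# One constructed grammar template: pronoun verb possessive noun.
TEMPLATE = ("pronoun", "verb", "possessive", "noun")


def split_camel(password):
    """Split 'IHateMyJob!' into lowercase words; punctuation is dropped
    (a simplification: the real space also includes symbol choices)."""
    words, cur = [], ""
    for ch in password:
        if ch.isalpha():
            if ch.isupper() and cur:
                words.append(cur.lower())
                cur = ""
            cur += ch
        elif cur:
            words.append(cur.lower())
            cur = ""
    if cur:
        words.append(cur.lower())
    return words


def matches_template(words, template=TEMPLATE):
    """True if each word belongs to the part of speech its slot requires."""
    return len(words) == len(template) and all(
        w in LEXICON[pos] for w, pos in zip(words, template)
    )


def candidate_space(password):
    """Return (size, grammatical): how many candidates a guesser that
    enumerates the template must cover, versus any word in any slot."""
    words = split_camel(password)
    if matches_template(words):
        size = 1
        for pos in TEMPLATE:
            size *= len(LEXICON[pos])  # one list per slot
        return size, True
    vocab = sum(len(v) for v in LEXICON.values())
    return vocab ** len(words), False  # no grammar to exploit
```

With these lists, “IHateMyJob!” falls in a set of 480 candidates, while “HateMyIJob!” and “IHatesMyJob!” fit no template and fall back to 19^4 = 130321.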
According to Rao’s analysis of nearly 1500 passwords, 18% of users created passwords that contain grammatical structure. If that is representative of today’s entire password landscape, that is a very significant discovery. In fact, of all the passwords Rao’s algorithm was able to crack, 10% of them would have been uncrackable by conventional algorithms.
This kind of puts the entire mentality of “longer passwords are better” into question. If the future of password cracking takes a step in Rao’s direction, it would be more secure to have a six-character set of jumbled letters and numbers than to have a 20-character password that has grammatical meaning. Rao also cautions against using things like street addresses and URLs which, even though they provide long and varied character strings, may soon be among the easiest for hackers to crack.