Multi-Word Pass-Phrases Not As Secure As We Once Thought

Posted on Mar 14 2012 - 9:15am by Robby S.

Multi-Word Password Security

Remember the push to make sure your password was a multi-word pass-phrase under the premise that it was secure as a long string of random characters?  Some smart kids at Cambridge University are suggesting otherwise.  If your pass-phrase is comprised of standard dictionary grade words then it is ultimately vulnerable to a dictionary style attack.  Sure three dictionary words are better than one, but it just takes a tad longer.

The method? The researchers took over 100,000 phrases and tested them on Amazon’s PayPhrase registration page. Because the page prohibits the use of any pass-phrase that has been used by another user, it’s possible to identify which pass-phrases are in use. PayPhrases are used to authorize shipping to specific addresses, and as such multiple PayPhrases can be associated with an Amazon account. Though a four-digit PIN is required, no username is needed in the process, hence the need for the pass-phrases to be unique.

The researchers found that film and book titles were effective in identifying pass-phrases in use – information readily available in list-form online suitable for dictionary-style attacks. The researchers used Wikipedia and IMDB lists, as well as slang phrases from Urban Dictionary. Researchers found users tended to favor simple two-word phrases common in natural language, though there is evidence that some users seek out seemingly-random pairings. The researchers also claim that there are “rapidly diminishing returns” for longer pass-phrases containing three or four words.

The report concludes that multi-word pass-phrases do provide a security-boost compared to the “weakest selections” from under 10, to over 20 bits of security. The weakness lies in users’ general inability to choose truly random words, influenced as we are by natural language patterns. Even four-word pass-phrases “probably” provided less than 30 bits of security, which the researchers deem insufficient against offline attack.


Leave A Response