60-Second Science

Good Grammar Makes Bad Password

A grammatically correct textual password is easier for algorithms to crack than one that with bad grammar. Christopher Intagliata reports

When you think up a password for yet another online account, longer is better, right? Well, that's true if your password is a string of random numbers, letters and symbols. But if you use a memorable phrase, as some sites recommend, your super-long password could be twice as easy to crack, assuming the password cracker knows grammar.

Researchers created a grammar-smart algorithm and set it loose on 144 passwords, each a phrase at least 16 characters long. Two-and-a-half-trillion guesses later, it had cracked a quarter of them. And the algorithm decoded a dozen passwords state-of-the-art crackers could not. The researchers are presenting their program at the Conference on Data and Application Security and Privacy, or CODASPY. [Ashwini Rao, Birendra Jha and Gananand Kini, Effect of Grammar on Security of Long Passwords]

The best password crackers can guess 33 billion times a second. Using standard grammar cuts down the number of alphanumeric possibilities—and the time it takes to crack your password. Avoid pronouns and verbs, the researchers say. They're easy to guess because they're few in number, compared to adjectives and nouns. For example, "Sheblindedmewithscience" is a weaker password than "threeblindmicerhyme." See how the hackers run.

—Christopher Intagliata

[The above text is a transcript of this podcast.]

Rights & Permissions
Share this Article:


You must sign in or register as a member to submit a comment.

Give a Gift &
Get a Gift - Free!

Give a 1 year subscription
as low as $14.99

Subscribe Now! >


Email this Article