Can bad grammar make for a better password?

One of the best places to find the most egregious examples of poor grammar, and basically anything devoid of human decency, is the comments section of YouTube videos, news articles, blog posts, or anything else you can comment on. However, those who are inept at the English language may have one up on those who pay attention to their grammar and spelling: according to this New Scientist article, passwords with poor grammar may be the toughest to crack.

One of the most common ways of recovering passwords is brute-force and dictionary cracking, which works through words or phrases from a wordlist using tools such as John the Ripper and Hashcat. Such programs generate multiple guesses from each word in their dictionary, trying “catscats” and “catsstac” alongside the plain word “cats”, but none of them make the jump to combining multiple words or phrases into a sequence that makes grammatical sense, such as “Ihave3cats”. Fast hardware can blast through guesses in mere seconds, as many as 33 billion per second. What those tools can’t crack is human habit, and that is what Carnegie Mellon University researcher Ashwini Rao and her team set out to do.

“Our analysis of a set of 1434 passwords of 16 characters or more from a published study shows that more than 18% of users voluntarily chose passwords that contain grammatical structures. Each of these passwords contains a sequence of two or more dictionary words. An example is ‘abiggerbetterpassword’ that contains the grammatical structure ‘Determiner Adjective Adjective Noun’,” said Rao and her team. Which passwords are most common? Names of spouses and children and birthdays head the list, along with easy-to-remember strings such as “qwerty” and “1234”; some people even use the blatantly obvious “password”. Another of Rao’s findings is that a longer password is not necessarily a stronger one. “Further, because of structure, the strength of the passphrase does not increase uniformly with the length—i.e. a longer passphrase is not necessarily stronger than a shorter passphrase.”
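The point Rao makes about structure is easy to see with numbers. The following is an added example, not code from the article or from Rao’s team: it segments a run-together passphrase into dictionary words, tags each word with a part of speech, and compares the conventional per-character entropy estimate with the much smaller guess space an attacker faces once the grammatical template is known. The vocabulary sizes in `POS_VOCAB` and the tiny `LEXICON` are constructed, round-number assumptions for illustration, not figures from the paper; a real strength checker would use a full tagged dictionary.

```python
"""Added example: how a grammatical template shrinks a passphrase's guess space.

All vocabulary sizes and lexicon entries below are constructed assumptions
for illustration, not measurements from Rao et al.
"""
import math
import re

# Constructed vocabulary sizes per part of speech (assumption, not paper data).
POS_VOCAB = {
    "Determiner": 20,
    "Pronoun": 30,
    "Verb": 5_000,
    "Adjective": 5_000,
    "Noun": 20_000,
    "Number": 10,   # one digit
    "Char": 95,     # fallback: one unrecognised printable ASCII character
}

# Tiny constructed lexicon; a real tool would use a full tagged dictionary.
LEXICON = {
    "a": "Determiner", "the": "Determiner",
    "i": "Pronoun",
    "have": "Verb",
    "bigger": "Adjective", "better": "Adjective",
    "password": "Noun", "cats": "Noun",
}
MAX_WORD = max(len(w) for w in LEXICON)


def segment(passphrase):
    """Split a passphrase with no separators into (token, tag) pairs.

    Greedy longest-match against LEXICON (case-insensitive). Each digit
    becomes a "Number" token; anything unrecognised becomes a "Char".
    """
    s = passphrase.lower()
    pos, tokens = 0, []
    while pos < len(s):
        if s[pos].isdigit():
            tokens.append((s[pos], "Number"))
            pos += 1
            continue
        for length in range(min(MAX_WORD, len(s) - pos), 0, -1):
            word = s[pos:pos + length]
            if word in LEXICON:
                tokens.append((word, LEXICON[word]))
                pos += length
                break
        else:  # no dictionary word starts here
            tokens.append((s[pos], "Char"))
            pos += 1
    return tokens


def structure(passphrase):
    """Part-of-speech template, e.g. ['Determiner', 'Adjective', 'Adjective', 'Noun']."""
    return [tag for _, tag in segment(passphrase)]


def structural_bits(passphrase):
    """Guess-space size in bits if the attacker knows the grammatical template."""
    return sum(math.log2(POS_VOCAB[tag]) for tag in structure(passphrase))


def naive_bits(passphrase):
    """Conventional per-character estimate from the character classes present."""
    if not passphrase:
        return 0.0
    alphabet = 0
    if re.search(r"[a-z]", passphrase):
        alphabet += 26
    if re.search(r"[A-Z]", passphrase):
        alphabet += 26
    if re.search(r"\d", passphrase):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", passphrase):
        alphabet += 33
    return len(passphrase) * math.log2(alphabet)


def report(passphrase):
    """Side-by-side comparison of both estimates for one passphrase."""
    return {
        "length": len(passphrase),
        "structure": structure(passphrase),
        "naive_bits": round(naive_bits(passphrase), 1),
        "structural_bits": round(structural_bits(passphrase), 1),
    }


if __name__ == "__main__":
    # The third phrase is two characters longer than the first but, under the
    # template model, no stronger: a determiner is a determiner.
    for pw in ("abiggerbetterpassword", "Ihave3cats", "thebiggerbetterpassword"):
        print(pw, report(pw))
```

Under these assumed vocabulary sizes, “abiggerbetterpassword” looks like roughly 99 bits by character counting but only about 43 bits once an attacker guesses it as Determiner Adjective Adjective Noun, and swapping “a” for “the” adds length without adding any structural strength, which is exactly the non-uniform growth Rao describes.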

You can read Rao’s paper here; it will be presented at the Conference on Data and Application Security and Privacy in San Antonio, Texas, next month.