Password Security: Being Bad At Grammar Means You’re A Genius When It Comes To Security.

If you use any type of computer encryption, including AlertBoot Mobile Security to secure your laptop computer, passwords are a way of life.  So, when I heard that researchers at Carnegie Mellon University were able to crack long “passwords” because they were grammatically correct, it caught my interest.

On the one hand, it’s a tremendous achievement.  On the other, it’s not surprising: the use of dictionary words is discouraged, so why would grammatically correct sentences be any different?

10% of Long Passwords Cracked

According to, Ashwini Rao and other CMU researchers were able to make,

light work of cracking long passwords which make grammatical sense as a whole phrase, even if they are interspersed with numbers and symbols. Rao’s algorithm makes guesses by combining words and phrases from password-cracking databases into grammatically correct phrases.

The twist here is that the program doesn’t just use words or phrases found in a list (and the usual tricks of say, repeating the word or using palindromes for “extra security”), but that it will combine words in a grammatically-sound way.  An example that was given is “Ihave3cats”, which would take a hacker some time to generate if he (or she) doesn’t have a database of pets and numbers handy.  For example, what if the password is “Ihave2turtlesand1snakeand1dog”?  Again, more work for hackers…unless they can get their hands on the CMU algorithm.

Of course, it’s kind of hard to say that it’s “light work.”  After all, they only managed to crack 10% of passwords.  On the other hand, it’s 10% of passwords that (potentially) no other software could have cracked to date.

Will Bad Grammar Really Help?

One way to combat “dictionary words” when used as passwords is to misspell them.  So, instead of “password” being used as a password, you could use “pasword”, “passwrd”, “passw0rd” (with a zero), or even “pa$$word”.  If capital letters are considered different from lowercase letters (i.e., “Password” and “password” are different passwords), then these also contribute to better security.  After all, even mediocre English teachers will point out that “passWord” is not the right way to spell (write?) the word.

The thing is, hackers have become wise to all of this (after all, they’re the ones who started it), so misspelling dictionary words doesn’t really represent much security.  Generally speaking, length does.  However, that comes with a caveat as well.  Before CMU’s findings, it was recommended that long passwords (or, more accurately, passphrases) not be direct quotes.  For example, studies on long passwords showed that famous lines from Shakespeare, Dickens, Twain, etc. could lead to security breaches.

Bad grammar could lead to better security.  Instead of “It was the best of times, it was the worst of times” as a passphrase (hey, look, a special character!), one could use a variation such as “It be the best of times, it be the worst of times.”  However, hackers are bound to compensate for such bad grammar at some point.

It might be a better idea to take some hints from managed encryption software.  Cryptography works because of “randomness.”  Likewise, why not apply a little randomness to passphrases?  Not only can you have bad grammar, you could make it nonsensical, meaning-wise.  “It was the purple of times, it was the azimuth of zebra.”

What does it mean?  Who the heck knows?  And, as long as it’s a secure passphrase and you remember it effortlessly, does it matter what it means?

Related Articles and Sites:


Comments (0)

Let us know what you think