[ISN] Passphrases only marginally more secure than passwords because of poor choices

From: InfoSec News <alerts_at_private>
Date: Thu, 15 Mar 2012 02:22:44 -0500 (CDT)
http://arstechnica.com/business/news/2012/03/passphrases-only-marginally-more-secure-than-passwords-because-of-poor-choices.ars

By Dan Goodin
Ars Technica
March 14, 2012

Passwords that contain multiple words aren't as resistant as some 
researchers expected to certain types of cracking attacks, mainly 
because users frequently pick phrases that occur regularly in everyday 
speech, a recently published paper concludes.

Security managers have long regarded passphrases as an easy-to-remember 
way to pack dozens of characters into the string that must be entered to 
access online accounts or to unlock private encryption keys. The more 
characters, the thinking goes, the harder it is for attackers to guess 
or otherwise crack the code, since there are orders of magnitude more 
possible combinations.

But a pair of computer scientists from Cambridge University has found 
that a significant percentage of passphrases used in a real-world 
scenario were easy to guess. Using a dictionary containing 20,656 
phrases of movie titles, sports team names, and other proper nouns, they 
were able to find about 8,000 passphrases chosen by users of Amazon's 
now-defunct PayPhrase system. That's an estimated 1.13 percent of the 
available accounts. The promise of passphrases' increased entropy, it 
seems, was undone by many users' tendency to pick phrases that are 
staples of the everyday lexicon.

"Our results suggest that users aren't able to choose phrases made of 
completely random words, but are influenced by the probability of a 
phrase occurring in natural language," researchers Joseph Bonneau and 
Ekaterina Shutova wrote in the paper (PDF), which is titled "Linguistic 
properties of multi-word passphrases." "Examining the surprisingly weak 
distribution of phrases in natural language, we can conclude that even 
4-word phrases probably provide less than 30 bits of security which is 
insufficient against offline attack," the paper says.

[...]
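The attack the article describes, worked through on a constructed data set as an added example (this is not code from the Ars article or from the Bonneau/Shutova paper): an attacker holding a leaked, salted credential store hashes every entry of a phrase dictionary under every account's salt, and the same population is then scored by how many most-popular-first guesses recover a given fraction of accounts, expressed in bits so it can be set beside the entropy of words drawn uniformly at random. The phrase dictionary, the user population, the 16-word list and the PBKDF2 storage format are all assumptions made for the example.

```python
import hashlib
import math
import os
from collections import Counter

# Constructed stand-in for the 20,656-phrase dictionary of movie titles, team
# names and other proper nouns the paper describes (these entries are assumed).
PHRASE_DICTIONARY = [
    "star wars", "harry potter", "the godfather", "new york yankees",
    "pulp fiction", "manchester united", "back to the future", "chicago bulls",
    "green bay packers", "the matrix", "gone with the wind", "the lord of the rings",
]

# Constructed user population (assumed): most users pick a well-known phrase,
# a few pick a famous quotation the proper-noun dictionary does not contain,
# and a few pick four words at random from a 16-word list.
WORD_LIST_SIZE = 16
POPULATION = (
    ["star wars"] * 6 + ["harry potter"] * 4 + ["to be or not to be"] * 3
    + ["the godfather"] * 2 + ["new york yankees"] * 2 + ["pulp fiction"]
    + ["anvil fjord lumen pique", "kelp dune oriole brisk", "glyph ember mantle ingot",
       "cobalt hinge nectar jolt", "jolt anvil kelp dune"]
)


def hash_passphrase(passphrase, salt, iterations=1000):
    """Salted, iterated hash standing in for whatever the verifier stores."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations)


def store_accounts(phrases):
    """Return the (salt, hash) pairs an attacker would obtain from a leaked
    credential store. Per-account salts stop the attacker from hashing each
    guess once for everyone, but not from trying every guess per account."""
    accounts = []
    for phrase in phrases:
        salt = os.urandom(16)
        accounts.append((salt, hash_passphrase(phrase, salt)))
    return accounts


def dictionary_attack(accounts, dictionary):
    """Offline attack: hash every dictionary phrase under every account's salt.
    Returns the number of accounts whose passphrase was recovered."""
    cracked = 0
    for salt, digest in accounts:
        for guess in dictionary:
            if hash_passphrase(guess, salt) == digest:
                cracked += 1
                break
    return cracked


def guesses_to_crack_fraction(phrases, alpha):
    """Minimum number of guesses an attacker who knows the phrase frequencies
    needs, guessing most-popular-first, to recover a fraction alpha of accounts."""
    counts = sorted(Counter(phrases).values(), reverse=True)
    covered, guesses = 0, 0
    for c in counts:
        guesses += 1
        covered += c
        if covered / len(phrases) >= alpha:
            return guesses
    return guesses


def bits_to_crack_fraction(phrases, alpha):
    """The same work factor in bits, comparable to an entropy estimate."""
    return math.log2(guesses_to_crack_fraction(phrases, alpha))


def uniform_bits(words_per_phrase, dictionary_size):
    """Security of a passphrase whose words are chosen uniformly at random."""
    return words_per_phrase * math.log2(dictionary_size)


if __name__ == "__main__":
    accounts = store_accounts(POPULATION)
    hit = dictionary_attack(accounts, PHRASE_DICTIONARY)
    print(f"dictionary of {len(PHRASE_DICTIONARY)} phrases cracked "
          f"{hit}/{len(accounts)} accounts")
    print(f"bits to crack half the users: {bits_to_crack_fraction(POPULATION, 0.5):.2f}")
    print(f"bits if 4 words were drawn uniformly from {WORD_LIST_SIZE} words: "
          f"{uniform_bits(4, WORD_LIST_SIZE):.2f}")
```

Run stand-alone it reports 15 of 23 accounts cracked by the 12-entry dictionary, about 1.6 bits of work to crack half the population, against 16 bits for four words drawn uniformly from even a 16-word list. The gap is the article's point: the headroom of a long string is only realised when the words are actually chosen at random, and a population that leans on everyday phrases hands the attacker a short, high-yield dictionary.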

