Multi Word Passphrases Not As Secure As You Might Think


Infiltrator

Cambridge University Study Says That Multi Word Passphrases Not As Secure As You Might Think

The research paper, by Joseph Bonneau and Ekaterina Shutova, studied data taken from the now-defunct Amazon PayPhrase system (which was only available in the US) to learn how people choose passphrases in general. The pair then set about trying to guess the passphrases using a dictionary attack based on movie titles, sports team names, and other types of proper nouns taken from Wikipedia. Using this method the researchers cracked about 8,000 phrases.

http://www.livehacking.com/2012/03/19/cambridge-university-study-says-that-multi-word-passphrases-not-as-secure-as-you-might-think/


The same argument could be made for any password based on words from a given language: if you make a dictionary with those phrases or strings in it, then you will be able to brute force the account.

Change the space to a * between words and the dictionary becomes useless.

I've heard some testers have dictionaries which contain famous quotes, phrases and even song lyrics. I've rarely found that going beyond a mix of the RockYou list and the Webster's dictionary is necessary; one of the words or a simple mangle of it will get you in most places.


Change the space to a * between words and the dictionary becomes useless.

That's exactly what I do; I always place special characters in between the phrases and words.


Guest Deleted_Account

The same argument could be made for any password based on words from a given language: if you make a dictionary with those phrases or strings in it, then you will be able to brute force the account.

Change the space to a * between words and the dictionary becomes useless.

I've heard some testers have dictionaries which contain famous quotes, phrases and even song lyrics. I've rarely found that going beyond a mix of the RockYou list and the Webster's dictionary is necessary; one of the words or a simple mangle of it will get you in most places.

I have Webster's, quotes, songs, phrases and so forth. Last I checked it was a 1.3GB file. Mostly from scraping words off of sites like Wikipedia. I also added in those leaked passwords from the anon/lulzsec attacks. Pretty much gets into anything (that an average person would use).


I have Webster's, quotes, songs, phrases and so forth. Last I checked it was a 1.3GB file. Mostly from scraping words off of sites like Wikipedia. I also added in those leaked passwords from the anon/lulzsec attacks. Pretty much gets into anything (that an average person would use).

There are tools like CeWL, from http://www.digininja.org/projects_general.php, that you can use to spider through an entire website and build a list of words it finds. Very handy tool to have, one of my favorites.

Edited by Infiltrator
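
An added example, not part of any post in this thread: a check a site could run when a user sets a passphrase, screening it against a phrase blocklist after stripping case and separators, plus the entropy a single substituted separator contributes. The phrase list, the function names and the assumption that one separator symbol is chosen uniformly and used between every word are constructed for illustration.

```python
import math
import re
import string

# Constructed sample list; a real deployment would load a far larger set of
# titles, team names, quotes and previously leaked passwords.
KNOWN_PHRASES = ["star wars", "dead poets society", "manchester united", "let it be"]


def normalise(text):
    """Lowercase and drop every non-alphanumeric character, so that
    'Star Wars', 'star*wars' and 'STAR-WARS' all compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def build_blocklist(phrases):
    """Pre-normalise the phrase list once; skip entries that normalise to ''."""
    return {n for n in (normalise(p) for p in phrases) if n}


BLOCKLIST = build_blocklist(KNOWN_PHRASES)


def is_blocked(candidate, blocklist=BLOCKLIST):
    """True if the candidate is a listed phrase under any separator or case."""
    return normalise(candidate) in blocklist


def separator_bits(symbols=string.punctuation):
    """Bits of entropy added by swapping the space for one symbol, assuming
    the symbol is picked uniformly from `symbols` and reused between words."""
    return math.log2(len(symbols))


def phrase_bits(list_size, symbols=string.punctuation):
    """Total bits for a phrase drawn uniformly from a list of `list_size`
    known phrases and written with one substituted separator symbol."""
    return math.log2(list_size) + separator_bits(symbols)


if __name__ == "__main__":
    for pw in ["star*wars", "Dead_Poets_Society", "correct horse battery staple"]:
        print(f"{pw!r}: blocked={is_blocked(pw)}")
    # string.punctuation holds 32 symbols, so the separator adds 5 bits.
    print("separator bits:", separator_bits())
    print("2**20 phrases + separator:", phrase_bits(2**20), "bits")
```

Under these assumptions the separator adds the same few bits however long the phrase is, while the blocklist check is unaffected by which separator the user picked.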