[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Passphrases only marginally more secure than passwords because of poor choices

To: isn@xxxxxxxxxxxxxxx
Subject: [ISN] Passphrases only marginally more secure than passwords because of poor choices
From: InfoSec News <alerts@xxxxxxxxxxxxxxx>
Date: Thu, 15 Mar 2012 02:22:44 -0500 (CDT)
List-archive: <http://infosecnews.org/pipermail/isn>
List-help: <mailto:isn-request@infosecnews.org?subject=help>
List-id: InfoSec News <isn.infosecnews.org>
List-post: <mailto:isn@infosecnews.org>
List-subscribe: <http://infosecnews.org/mailman/listinfo/isn>, <mailto:isn-request@infosecnews.org?subject=subscribe>
List-unsubscribe: <http://infosecnews.org/mailman/options/isn>, <mailto:isn-request@infosecnews.org?subject=unsubscribe>
Sender: isn-bounces@xxxxxxxxxxxxxxx
User-agent: Alpine 2.02 (DEB 1266 2009-07-14)

http://arstechnica.com/business/news/2012/03/passphrases-only-marginally-more-secure-than-passwords-because-of-poor-choices.ars

By Dan Goodin
Ars Technica
March 14, 2012

Passwords that contain multiple words aren't as resistant as someresearchers expected to certain types of cracking attacks, mainlybecause users frequently pick phrases that occur regularly in everydayspeech, a recently published paper concludes.

Security managers have long regarded passphrases as an easy-to-rememberway to pack dozens of characters into the string that must be entered toaccess online accounts or to unlock private encryption keys. The morecharacters, the thinking goes, the harder it is for attackers to guessor otherwise crack the code, since there are orders of magnitude morepossible combinations.

But a pair of computer scientists from Cambridge University has foundthat a significant percentage of passphrases used in a real-worldscenario were easy to guess. Using a dictionary containing 20,656phrases of movie titles, sports team names, and other proper nouns, theywere able to find about 8,000 passphrases chosen by users of Amazon'snow-defunct PayPhrase system. That's an estimated 1.13 percent of theavailable accounts. The promise of passphrases' increased entropy, itseems, was undone by many users' tendency to pick phrases that arestaples of the everyday lexicon.

"Our results suggest that users aren't able to choose phrases made ofcompletely random words, but are influenced by the probability of aphrase occurring in natural language," researchers Joseph Bonneau andEkaterina Shutova wrote in the paper (PDF), which is titled "Linguisticproperties of multi-word passphrases." "Examining the surprisingly weakdistribution of phrases in natural language, we can conclude that even4-word phrases probably provide less than 30 bits of security which isinsufficient against offline attack," the paper says.


[...]


______________________________________________________________________________
ISSMP, CISSP, and Certified Ethical Hacker training with Expanding Security
gives the best training and support.  Get a free live class invite weekly.
Best program, best price. http://www.ExpandingSecurity.com/PainPill

Prev by Date: [ISN] News International security chief arrested in phone hacking case
Next by Date: [ISN] Victims of TRICARE data theft report financial fraud
Previous by thread: [ISN] News International security chief arrested in phone hacking case
Next by thread: [ISN] Victims of TRICARE data theft report financial fraud
Index(es):
- Date
- Thread