Abstract
We examine patterns of human choice in a passphrase-based authentication system deployed by Amazon, a large online merchant. We tested the availability of a large corpus of over 100,000 possible phrases at Amazon’s registration page, which prohibits using any phrase already registered by another user. A number of large, readily-available lists such as movie and book titles prove effective in guessing attacks, suggesting that passphrases are vulnerable to dictionary attacks like all schemes involving human choice. Extending our analysis with natural language phrases extracted from linguistic corpora, we find that phrase selection is far from random, with users strongly preferring simple noun bigrams which are common in natural language. The distribution of chosen passphrases is less skewed than the distribution of bigrams in English text, indicating that some users have attempted to choose phrases randomly. Still, the distribution of bigrams in natural language is not nearly random enough to resist offline guessing, nor are longer three- or four-word phrases for which we see rapidly diminishing returns.
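The abstract's core argument is that a skewed distribution of chosen phrases lets an offline attacker reach a useful success rate with far fewer guesses than the number of distinct phrases would suggest. The following Python is an added example, not code from the paper or from the authors: it measures that gap for a constructed two-word phrase distribution (the α-work-factor, i.e. the fewest guesses in optimal order needed to compromise a fraction α of accounts, and the uniform distribution size that would cost the attacker the same effort) and simulates a dictionary attack with an ordered guess list against a set of registered phrases. The phrase counts, the guess list and all function names are this example's own assumptions.

```python
"""
Added example (not the paper's code): quantify how far a human-chosen
passphrase distribution is from uniform, from an offline guesser's point of
view, and simulate a dictionary attack over an ordered guess list.
All sample data below is constructed for illustration.
"""
from collections import Counter
from math import ceil, log2

# Constructed sample of registered two-word phrases (counts are invented,
# Zipf-like skew chosen to mimic "a few popular phrases dominate").
SAMPLE_PHRASES = (
    ["red dragon"] * 40 + ["black cat"] * 25 + ["blue moon"] * 15
    + ["green tea"] * 8 + ["white horse"] * 5 + ["silver bullet"] * 3
    + ["purple rain"] * 2 + ["golden eagle"] + ["iron giant"]
)

# Constructed attacker dictionary, in the order it will be guessed
# (think "most popular titles first"); one entry is a miss on purpose.
GUESS_LIST = ["blue moon", "red dragon", "purple rain", "iron giant",
              "dark knight", "black cat"]


def phrase_distribution(phrases):
    """Probabilities in descending order: the optimal guessing order for an
    attacker who knows the distribution."""
    counts = Counter(phrases)
    total = sum(counts.values())
    return sorted((c / total for c in counts.values()), reverse=True)


def alpha_work_factor(probs, alpha):
    """mu_alpha: fewest guesses, taken in descending-probability order, whose
    cumulative success probability reaches alpha."""
    covered = 0.0
    for guesses, p in enumerate(probs, start=1):
        covered += p
        if covered + 1e-12 >= alpha:
            return guesses
    raise ValueError("alpha exceeds the distribution's total mass")


def uniform_work_factor(n_phrases, alpha):
    """Guesses needed against a uniform choice among n_phrases phrases: each
    guess succeeds with probability 1/n, so ceil(alpha * n) guesses are needed."""
    return ceil(alpha * n_phrases)


def effective_bits(probs, alpha):
    """Size, in bits, of the uniform distribution that would cost the attacker
    the same number of guesses for the success rate actually achieved.
    Uniform over N phrases gives success lambda = mu / N after mu guesses,
    so N = mu / lambda."""
    mu = alpha_work_factor(probs, alpha)
    lam = sum(probs[:mu])
    return log2(mu / lam)


def uniform_bits(probs):
    """What the same number of distinct phrases would be worth if chosen uniformly."""
    return log2(len(probs))


def dictionary_attack(guess_list, registered, budget):
    """Fraction of registered phrases recovered by trying the first `budget`
    entries of guess_list, one membership check per guess (the same signal a
    registration page gives when it rejects a phrase that is already taken)."""
    taken = Counter(registered)
    hits = sum(taken[g] for g in guess_list[:budget])
    return hits / len(registered)


if __name__ == "__main__":
    probs = phrase_distribution(SAMPLE_PHRASES)
    for alpha in (0.25, 0.5, 0.8):
        print(f"alpha={alpha:.2f}: skewed needs {alpha_work_factor(probs, alpha)} guesses "
              f"({effective_bits(probs, alpha):.2f} bits), uniform over {len(probs)} "
              f"needs {uniform_work_factor(len(probs), alpha)} ({uniform_bits(probs):.2f} bits)")
    for budget in (1, 3, len(GUESS_LIST)):
        print(f"dictionary budget {budget}: "
              f"{dictionary_attack(GUESS_LIST, SAMPLE_PHRASES, budget):.0%} cracked")
```

With the constructed counts, half of the accounts fall to two guesses, which is worth about 1.6 bits of uniform choice even though nine distinct phrases would be 3.2 bits if picked uniformly; the ordered dictionary recovers 57 % of registrations with three guesses. The same functions can be run over a real sample of chosen phrases and a real title list to reproduce the kind of comparison the abstract describes.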
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Bonneau, J., Shutova, E. (2012). Linguistic Properties of Multi-word Passphrases. In: Blyth, J., Dietrich, S., Camp, L.J. (eds) Financial Cryptography and Data Security. FC 2012. Lecture Notes in Computer Science, vol 7398. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34638-5_1
DOI: https://doi.org/10.1007/978-3-642-34638-5_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-34637-8
Online ISBN: 978-3-642-34638-5