
Linguistic Properties of Multi-word Passphrases

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC, volume 7398)

Abstract

We examine patterns of human choice in a passphrase-based authentication system deployed by Amazon, a large online merchant. We tested the availability of a large corpus of over 100,000 possible phrases at Amazon’s registration page, which prohibits using any phrase already registered by another user. A number of large, readily-available lists such as movie and book titles prove effective in guessing attacks, suggesting that passphrases are vulnerable to dictionary attacks like all schemes involving human choice. Extending our analysis with natural language phrases extracted from linguistic corpora, we find that phrase selection is far from random, with users strongly preferring simple noun bigrams which are common in natural language. The distribution of chosen passphrases is less skewed than the distribution of bigrams in English text, indicating that some users have attempted to choose phrases randomly. Still, the distribution of bigrams in natural language is not nearly random enough to resist offline guessing, nor are longer three- or four-word phrases for which we see rapidly diminishing returns.
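The abstract's claim that skewed phrase choice defeats offline guessing can be made concrete with a small guessing-resistance calculation. The block below is an added illustration, not code or data from the paper: it scores a constructed passphrase distribution by how many users the most-likely guesses cover, compares that with a uniform baseline of the same size, and shows a registration-time policy check that rejects phrases found on a common-phrase list. The metric names (success rate, work factor), the sample counts and the `rejects_common_phrase` policy are assumptions.

```python
from math import log2

# Constructed counts of bigram passphrases chosen by 111 hypothetical users
# (illustrative only; not the paper's data). Heavy head, long tail.
PHRASE_COUNTS = {
    "red car": 40, "big dog": 30, "good time": 20, "blue sky": 10,
    "quiet ocean": 5, "purple giraffe": 2, "fuzzy theorem": 1,
    "violet hammer": 1, "ancient lantern": 1, "copper whistle": 1,
}

def sorted_probs(counts):
    """Choice probabilities in decreasing order: the order an optimal guesser tries them."""
    total = sum(counts.values())
    return [c / total for c in sorted(counts.values(), reverse=True)]

def success_rate(counts, beta):
    """Fraction of users compromised after the beta most likely guesses."""
    return sum(sorted_probs(counts)[:beta])

def work_factor(counts, alpha):
    """Smallest number of guesses that compromises a fraction alpha of users."""
    cumulative = 0.0
    for guesses, p in enumerate(sorted_probs(counts), 1):
        cumulative += p
        if cumulative >= alpha - 1e-12:  # tolerate float rounding at alpha == 1
            return guesses
    return None  # alpha > 1 can never be reached

def min_entropy_bits(counts):
    """-log2 of the most common choice: resistance to a single best guess."""
    return -log2(sorted_probs(counts)[0])

def shannon_entropy_bits(counts):
    """Shannon entropy: the usual (and, for guessing, over-optimistic) strength figure."""
    return -sum(p * log2(p) for p in sorted_probs(counts))

def uniform_success_rate(n_choices, beta):
    """Baseline if users picked uniformly from n_choices phrases: beta guesses cover beta/n."""
    return min(beta / n_choices, 1.0)

def rejects_common_phrase(phrase, counts, top_k):
    """Assumed registration policy: refuse any phrase among the top_k most common ones."""
    ranked = sorted(counts, key=lambda ph: -counts[ph])[:top_k]
    return phrase.strip().lower() in ranked

if __name__ == "__main__":
    print("3 guesses succeed against", round(success_rate(PHRASE_COUNTS, 3), 3),
          "of users vs", uniform_success_rate(len(PHRASE_COUNTS), 3), "if uniform")
    print("guesses to cover half the users:", work_factor(PHRASE_COUNTS, 0.5))
    print("min-entropy bits:", round(min_entropy_bits(PHRASE_COUNTS), 2),
          "Shannon bits:", round(shannon_entropy_bits(PHRASE_COUNTS), 2))
```

Skewed choice is what separates the Shannon figure from the guessing figures: the work factor for half the users is only two guesses although the Shannon entropy suggests roughly five equally likely phrases.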

Keywords

  • Natural Language
  • Proper Noun
  • Linguistic Property
  • Dictionary Attack
  • Pointwise Mutual Information





Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Bonneau, J., Shutova, E. (2012). Linguistic Properties of Multi-word Passphrases. In: Blyth, J., Dietrich, S., Camp, L.J. (eds) Financial Cryptography and Data Security. FC 2012. Lecture Notes in Computer Science, vol 7398. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34638-5_1


  • DOI: https://doi.org/10.1007/978-3-642-34638-5_1

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-34637-8

  • Online ISBN: 978-3-642-34638-5
