Multi-word passphrases not that safe, warn cybersecurity researchers


Think a multi-word passphrase — including one made out of dictionary words — is fully secure? Think again, according to researchers at the University of Cambridge.
 
Computer security firm Sophos said the study showed hackers can still crack such multi-word passphrases with dictionary attacks.
 
It quoted security researchers Joseph Bonneau and Ekaterina Shutova as saying their findings stemmed from a study of real-life passphrases that people actually string together.

Not enough security
 
"We found about 8,000 phrases using a 20,000-phrase dictionary. Using a very rough estimate for the total number of phrases and some probability calculations, this produced an estimate that passphrase distribution provides only about 20 bits of security against an attacker trying to compromise one percent of available accounts. This is far better than passwords, which are usually under 10 bits by this same metric, but not high enough to make online guessing impractical without proper rate-limiting," Bonneau said.
 
Even five-word phrases would be highly insecure against offline attacks, with fewer than 30 bits of work compromising over half of users, he added.

Brute force and l33tspeak FTW
 
"For now we can only be comfortable that randomly-generated passphrases (using tools like Diceware) will resist offline brute force," he said.
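As an added illustration (not code from the article or from the Cambridge study), the Python sketch below implements a simplified form of the metric Bonneau quotes: how many guesses an attacker who tries the most popular phrases first needs to compromise a given fraction of accounts, expressed in bits, and contrasts it with the entropy of a randomly generated Diceware passphrase and with what rate-limiting does to an online guesser. The phrase counts are constructed sample data, not the study's.

```python
"""Simplified partial-guessing metric for a passphrase distribution.

Constructed example: a few popular phrases plus many unique ones, 1,000
accounts in total. Real distributions are far larger and more skewed.
"""
import math
from collections import Counter

SAMPLE_COUNTS = Counter({
    "correct horse": 150,
    "open sesame": 100,
    "let me in": 80,
    "i love you": 60,
    "hello world": 40,
})
SAMPLE_COUNTS.update({f"unique phrase {i}": 1 for i in range(570)})


def guesses_for_fraction(counts, alpha):
    """Smallest number of guesses, trying phrases in descending popularity,
    that compromises at least a fraction alpha of all accounts."""
    total = sum(counts.values())
    target = alpha * total
    covered = 0
    for guesses, (_, n) in enumerate(counts.most_common(), start=1):
        covered += n
        if covered >= target:
            return guesses
    return len(counts)  # alpha == 1: every distinct phrase must be tried


def bits_for_fraction(counts, alpha):
    """Work factor in bits (log2 of guesses) for compromising fraction alpha."""
    return math.log2(guesses_for_fraction(counts, alpha))


def uniform_passphrase_bits(words, wordlist_size=7776):
    """Entropy of a randomly generated passphrase (7776 = Diceware list size)."""
    return words * math.log2(wordlist_size)


def hours_to_try(bits, guesses_per_second):
    """Wall-clock hours an online attacker needs to make 2**bits guesses."""
    return 2 ** bits / guesses_per_second / 3600


if __name__ == "__main__":
    for alpha in (0.01, 0.5):
        print(f"alpha={alpha}: {guesses_for_fraction(SAMPLE_COUNTS, alpha)} guesses, "
              f"{bits_for_fraction(SAMPLE_COUNTS, alpha):.1f} bits")
    print(f"5-word Diceware passphrase: {uniform_passphrase_bits(5):.1f} bits")
    print(f"2^20 guesses at 100/s: {hours_to_try(20, 100):.1f} h; "
          f"rate-limited to 10/h: {hours_to_try(20, 10 / 3600):.0f} h")
```

The first guess alone covers 1 percent of the sample accounts (0 bits), and half of them fall within 75 guesses (about 6.2 bits), whereas five Diceware words give about 64.6 bits regardless of how anyone else chose theirs.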
 
Using data crawled from the now-defunct Amazon PayPhrase system, the team studied passphrases that had to be at least two words long.
 
On the other hand, Sophos said combining passphrase abbreviation with Leetspeak "combines the best of random characters mixed with the implicit, coherent meaningfulness of a phrase." — TJD, GMA News