Multi-word pass-phrases not so secure after all?

Multi-word pass-phrases not so...
New research from Cambridge University suggests pass-phrases may be vulnerable to dictionary-style attacks (Image: Pedro Miguel Sousa/Shutterstock)
New research from Cambridge University suggests pass-phrases may be vulnerable to dictionary-style attacks (Image: Pedro Miguel Sousa/Shutterstock)
View 2 Images
New research from Cambridge University suggests pass-phrases may be vulnerable to dictionary-style attacks (Image: Pedro Miguel Sousa/Shutterstock)
New research from Cambridge University suggests pass-phrases may be vulnerable to dictionary-style attacks (Image: Pedro Miguel Sousa/Shutterstock)

It's a meme that's been doing the rounds on the internet in recent years: multi-word pass-phrases are as secure as long strings of gibberish but with the added benefit of being easy to remember. But research from Cambridge University suggests that this may not be the case. Pass-phrases comprised of dictionary words may not be as vulnerable as individual passwords, but they may still succumb to dictionary attacks, the research finds.

The method? The researchers took over 100,000 phrases and tested them on Amazon's PayPhrase registration page. Because the page prohibits the use of any pass-phrase that has been used by another user, it's possible to identify which pass-phrases are in use. PayPhrases are used to authorize shipping to specific addresses, and as such multiple PayPhrases can be associated with an Amazon account. Though a four-digit PIN is required, no username is needed in the process, hence the need for the pass-phrases to be unique.

The researchers found that film and book titles were effective in identifying pass-phrases in use - information readily available in list-form online suitable for dictionary-style attacks. The researchers used Wikipedia and IMDB lists, as well as slang phrases from Urban Dictionary. Researchers found users tended to favor simple two-word phrases common in natural language, though there is evidence that some users seek out seemingly-random pairings. The researchers also claim that there are "rapidly diminishing returns" for longer pass-phrases containing three or four words.

The report concludes that multi-word pass-phrases do provide a security-boost compared to the "weakest selections" from under 10, to over 20 bits of security. The weakness lies in users' general inability to choose truly random words, influenced as we are by natural language patterns. Even four-word pass-phrases "probably" provided less than 30 bits of security, which the researchers deem insufficient against offline attack.

The researchers' work is preliminary, and they do offer a few caveats. Because of the extra security afforded by the PIN in the Amazon system, users may be choosing laxer pass-phrases than they otherwise might out in the wilds of the web. On the other hand, the researchers' dictionary was assembled from phrase-categories that they themselves thought of - a process described as subjective in the report, and which make have overlooked other groups of phrases upon which users may base passwords. Should further such categories exist, pass-phrases would have fared less well in the research than they did.

Source: Cambridge University (PDF), via Schneier on Security

The conclusion that pass-phrases aren't as secure as touted based on the 'pass-phrases' of those who aren't clear on the concept, leads me to believe that the researchers aren't very clear on the concept. While they're called 'pass-phrases', they are not meant to be a phrase in the usual sense. Most people are not security minded and don't really wish to be so. Any user-generated password they create will be weak because they don't understand the rules they were given for creating one and will use whatever is the first thing they think of that the system will accept. If they're using a book or movie title or popular slang phrase, they have actively not used the pass-phrase system. Any pass-phrase that uses a natural language pattern is not using the pass-phrase system.
That's a faulty conclusion. You can't conclude that multi-word passwords are not as secure as thought in general just because researchers were able to conclude that in one instance where multi-word pass phrases are required -- as is the case with the amazon Pay Phrase.
In a generic environment where a password can be either a random string of chars or multi-word, clearly multi-word is the best choice. An attacker would need to calibrate his attack for both scenarios. In the case of Amazon's Pay Phrase, the attacker already knows that it's a multi-word password so he only has to calibrate his attack for that.
Matt Rings
There are common pass phrases that would have higher likelihood than others. e..g "TomlovesSarah" or variations of Name1 and Name2 make that attack relatively easier than brute-forcing a 13 random letters/numbers/special characters.
An algorithm to specifically look for those combinations first is a start. Once you know the rules, and think like a lazy human, it gets a few "bits" easier to crack.
If the first one is not broken by the algorithm of common word combinations, you move on to another account... but don't continue to waste time on trying to crack any single account for weeks. Moving on increases the "cracked passwords per hour" rate tremendously, which is really the goal of the hacker, not cracking any particular account.
As the account-holder, you must use long passwords, which can consist of multiple words, but also needs the special characters somewhere in the middle... that is the crux of blocking an algorithm attack.
See GRC dot com (services-->passwords) for a tutorial on why length is the number one protection, followed by the special characters.

Lazlo has it right - this is a faulty conclusion.
Malware/keyloggers steal passphrases just as easiliy as passwords - neither is safe.
Mel Tisdale
I find it difficult to understand why it is possible for a hacker to run software designed to submit at high speed different passwords in order to find the correct one. Given the time, success is guaranteed. Surely the software host is aware that multiple attempts are being made, doesn't it? I can't make multiple attempts to enter my PIN for my ATM cards, so why can I for software applications.
Gavin Greenwalt
If you're using a common phrase then you are just exposing yourself to another form of dictionary attack. The idea is for it to be a random phrase like "my dog is an anchovie"
Now you can still dictionary attack that but you don't know how many words to brute force and even if you did that's #Words^5.