It's a meme that's been doing the rounds on the internet in recent years: multi-word pass-phrases are as secure as long strings of gibberish, but with the added benefit of being easy to remember. But research from Cambridge University suggests that this may not be the case. Pass-phrases composed of dictionary words may not be as vulnerable as individual passwords, but they may still succumb to dictionary attacks, the research finds.
The method? The researchers took over 100,000 phrases and tested them on Amazon's PayPhrase registration page. Because the page prohibits the use of any pass-phrase that has been used by another user, it's possible to identify which pass-phrases are in use. PayPhrases are used to authorize shipping to specific addresses, and as such multiple PayPhrases can be associated with an Amazon account. Though a four-digit PIN is required, no username is needed in the process, hence the need for the pass-phrases to be unique.
The researchers found that film and book titles were effective in identifying pass-phrases in use - information readily available in list form online and suitable for dictionary-style attacks. The researchers used Wikipedia and IMDB lists, as well as slang phrases from Urban Dictionary. They found users tended to favor simple two-word phrases common in natural language, though there is evidence that some users seek out seemingly random pairings. The researchers also claim that there are "rapidly diminishing returns" for longer pass-phrases containing three or four words.
The report concludes that multi-word pass-phrases do provide a security boost compared to the "weakest selections", from under 10 to over 20 bits of security. The weakness lies in users' general inability to choose truly random words, influenced as we are by natural language patterns. Even four-word pass-phrases "probably" provided less than 30 bits of security, which the researchers deem insufficient against offline attack.
The researchers' work is preliminary, and they do offer a few caveats. Because of the extra security afforded by the PIN in the Amazon system, users may be choosing laxer pass-phrases than they otherwise might out in the wilds of the web. On the other hand, the researchers' dictionary was assembled from phrase categories that they themselves thought of - a process described as subjective in the report, and one which may have overlooked other groups of phrases upon which users base passwords. Should further such categories exist, pass-phrases would have fared even less well than they did in the research.
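To make the "bits of security" figures above concrete, here is an added example (not code from the Cambridge paper or the article) of a small pass-phrase strength estimator in the spirit of the research: it contrasts the optimistic model, where every word is drawn uniformly from a dictionary, with the attacker's view, where a phrase that appears in a ranked list of common titles costs only log2(rank) guesses. The phrase list, the dictionary size of 50,000 words and the 30-bit threshold are assumptions; the phrase list is constructed sample data standing in for the Wikipedia/IMDB/Urban Dictionary lists the study used.

```python
import math
from typing import Optional

# Constructed sample list of common phrases, ranked by assumed popularity
# (rank 1 = most common). Illustrative only; the study used real title lists.
COMMON_PHRASES = [
    "star wars", "harry potter", "the godfather", "pulp fiction",
    "lord of the rings", "the dark knight", "fight club", "back to the future",
]

DICTIONARY_SIZE = 50_000      # assumed size of the word list users draw from
OFFLINE_THRESHOLD_BITS = 30   # figure the article cites as too weak for offline attack


def normalize(phrase: str) -> list:
    """Lower-case and split on whitespace so 'Star  Wars' matches 'star wars'."""
    return phrase.lower().split()


def uniform_bits(num_words: int, dictionary_size: int = DICTIONARY_SIZE) -> float:
    """Optimistic model: each word chosen uniformly and independently."""
    return num_words * math.log2(dictionary_size)


def phrase_list_bits(phrase: str) -> Optional[float]:
    """Guessing model: trying COMMON_PHRASES in rank order needs `rank` guesses,
    i.e. log2(rank) bits of work (rank 1 is the very first guess, 0 bits).
    Returns None when the phrase is not on the list."""
    norm = " ".join(normalize(phrase))
    if norm not in COMMON_PHRASES:
        return None
    return math.log2(COMMON_PHRASES.index(norm) + 1)


def effective_bits(phrase: str) -> float:
    """An attacker takes the cheapest route, so report the smaller estimate."""
    estimate = uniform_bits(len(normalize(phrase)))
    listed = phrase_list_bits(phrase)
    return min(estimate, listed) if listed is not None else estimate


def assess(phrase: str) -> dict:
    """Summarise both models and whether the phrase clears the offline threshold."""
    bits = effective_bits(phrase)
    return {
        "phrase": phrase,
        "words": len(normalize(phrase)),
        "uniform_bits": round(uniform_bits(len(normalize(phrase))), 1),
        "effective_bits": round(bits, 1),
        "offline_resistant": bits >= OFFLINE_THRESHOLD_BITS,
    }


if __name__ == "__main__":
    for p in ("Star Wars", "lord of the rings", "correct horse battery staple"):
        print(assess(p))
```

A four-word title scores about 62 bits under the uniform model but only a couple of bits once it is found on the phrase list, which is the gap between the meme and the study's findings.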
Source: Cambridge University (PDF), via Schneier on Security
In a generic environment where a password can be either a random string of chars or multi-word, clearly multi-word is the best choice. An attacker would need to calibrate his attack for both scenarios. In the case of Amazon's Pay Phrase, the attacker already knows that it's a multi-word password so he only has to calibrate his attack for that.
An algorithm to specifically look for those combinations first is a start. Once you know the rules, and think like a lazy human, it gets a few "bits" easier to crack.
If the first one is not broken by the algorithm of common word combinations, you move on to another account... but don't continue to waste time on trying to crack any single account for weeks. Moving on increases the "cracked passwords per hour" rate tremendously, which is really the goal of the hacker, not cracking any particular account.
As the account-holder, you must use long passwords, which can consist of multiple words, but they also need special characters somewhere in the middle... that is the crux of blocking an algorithm attack.
See GRC dot com (services-->passwords) for a tutorial on why length is the number one protection, followed by the special characters.
Now you can still dictionary attack that, but you don't know how many words to brute force, and even if you did, that's #Words^5.