What constitutes a good password? Many strategies are employed, including longer passwords, case-sensitivity, combinations of numbers and letters, and special characters.
Another trend has been multi-word passwords, often in the form of phrases, which are considered stronger than single words. While experts generally recommend avoiding dictionary words, multi-word passwords have been promoted in some circles as strong enough because they were believed to lower vulnerability. And they might, but perhaps only to a point.
According to some recent research conducted by the University of Cambridge's Computer Laboratory (via Sophos Security), multi-word passwords can still be cracked by hackers through dictionary attacks.
Dictionary attacks are when hackers use automated tools to systematically try all the words in dictionaries against password-protected accounts. Many businesses and individuals use easy-to-remember words as passwords, and this research indicates that multi-word passwords are not immune to dictionary attacks.
Researchers reportedly compiled a list of 100,000 passphrases formerly used with the no-longer-operational Amazon PayPhrase system, which required users to enter unique passphrases with at least two words.
The research team, led by report authors Joseph Bonneau and Ekaterina Shutova, from Cambridge University's Computer Laboratory, found in the evaluation that common phrases are not all that secure. These phrases chosen by users were matched against names of sports teams, movie titles, proper nouns on Wikipedia and phrases from Urban Dictionary.
"We found about 8,000 phrases using a 20,000 phrase dictionary," Bonneau wrote. Because the researchers did not have access to all of the registered payphrases, however, there was no certainty as to whether these phrases comprised the majority of the data set (PC Magazine).
Bonneau and his team noted that while phrases are better than single-word passwords, these types of passwords are still vulnerable. He did note that this research was not meant to target Amazon's set-up, stating Amazon's was "a relatively limited data source", but to explore how users overall tend to choose phrases. The findings suggest some caution should be exercised with multi-word passwords.
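The matching the researchers describe can be turned around as an enrollment check that rejects passphrases found in a known-phrase list. The sketch below is an added example, not code from the Cambridge report or from Amazon; the phrase list, function names and sample inputs are constructed for illustration, and the only rule taken from the article is the two-word minimum.

```python
import re
import unicodedata

# Constructed sample list; a real one would hold many thousands of entries
# (sports teams, movie titles, encyclopedia proper nouns, slang phrases).
KNOWN_PHRASES = ["Manchester United", "The Dark Knight",
                 "New York Yankees", "Star Wars"]

def normalize(phrase):
    """Fold case, accents, punctuation and spacing so variants compare equal."""
    text = unicodedata.normalize("NFKD", phrase)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

def build_index(phrases):
    """Index each known phrase by its normalized form with spaces removed."""
    return {normalize(p).replace(" ", "") for p in phrases}

def screen(candidate, index, min_words=2):
    """Return (accepted, reason) for a passphrase offered at enrollment."""
    words = normalize(candidate).split()
    if len(words) < min_words:
        return False, "too few words"
    if "".join(words) in index:
        return False, "known phrase"
    # A known phrase padded with extra words is still guessable:
    # test every contiguous run of two or more words.
    for start in range(len(words)):
        for end in range(start + 2, len(words) + 1):
            if "".join(words[start:end]) in index:
                return False, "contains known phrase"
    # "ok" only means "not in the list", not "strong".
    return True, "ok"

def coverage(candidates, index):
    """Fraction of candidates that match or contain a known phrase."""
    if not candidates:
        return 0.0
    hits = sum(1 for c in candidates
               if screen(c, index)[1] in ("known phrase", "contains known phrase"))
    return hits / len(candidates)

if __name__ == "__main__":
    idx = build_index(KNOWN_PHRASES)
    for sample in ["Manchester-United!", "the dark knight rises",
                   "copper lantern argues softly"]:  # constructed inputs
        print(sample, "->", screen(sample, idx))
```
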
Recently Digital Journal reported on another study that found 'Password1' was the most common password used by global businesses.
The findings can be found in the full report from the University of Cambridge.
has a discussion going on about the merits and drawbacks of multi-phrase passwords.
What do you think about multi-word passwords? Are they secure enough?