Do Sentences Make Better Passwords?

It seems that every single day, someone comes to a forum writing about how his accounts were hacked and he doesn’t understand why. One reason people get their accounts compromised so often is that they don’t understand how it happens. Once the process of grabbing someone’s password becomes clear (it’s simple, by the way), we can understand how to modify our passwords to keep hackers out of our accounts. One proposal security experts have made recently is to use short sentences as passwords rather than a continuous string of characters (like “blablabla”). We’ll have a look at this and why it may or may not be more secure.


Here at MTE, I have already covered the ways in which hackers can get hold of your passwords. However, that list is composed mostly of methods used to sniff out your credentials as they travel over the network. Now I want to cover the methods hackers use to crack open your account from the outside rather than by infiltrating your packet traffic. These methods are a little simpler but more time consuming. Let’s have a look:

  • Brute-Force Attacks: The method to this madness involves simply going through a huge number of combinations of multi-character strings. A hacker with a brute-force tool will try thousands of combinations, hoping to hit the right one after a while. The tool guesses character combinations (like “jif2$F”) one after another. Since passwords are typically more than six characters long, this method will take a while! However, a determined hacker will sit through an entire day’s worth of password guessing just to get into your account.
  • Common Word Attacks: The hacker takes common everyday words (like “strawberry” or “whiskey”) from a list, loads them into a special tool, and tries each one. It only takes a few minutes (often even a few seconds) to crack an account that uses a common word as a password.
  • Dictionary Attacks: As the name suggests, the hacker whips out a copy of the Oxford Dictionary and tries every word. Using an automated tool, this takes a little longer than a common word attack, but it will get a large number of accounts cracked.

Security experts have long reached the conclusion that the safest password is one with a combination of alphanumeric characters (including uppercase letters) and special characters (like “$@(%#”). This isn’t far from the truth today. A password like “ff9jF#D” is much safer than “caramel.” The downside is that it’s really hard to remember random characters. Our brains just aren’t wired that way.

And, while we’re still on this subject, let me tell you a secret: If some expert tells you that a character-string password will take several years to crack, he’s probably talking about brute-forcing with a CPU. Hackers don’t do that anymore. Instead, they use things like nVidia’s CUDA technology, which lets them tap into the immensely faster GPU of a graphics card, doing in a matter of hours what a computer would otherwise do in a week, by chaining a bunch of hardware together (through an SLI bridge).


The space (“ ”) is a legal character in most password forms. This means you can separate words from one another. Just having a sentence as your password can create a nightmare for hackers, according to a number of security experts, one of them being Thomas Baekdal. The advantage of using a sentence is that it’s much easier to remember than “8fa@!*FaicC” and it’s also more secure when used in the proper manner.

In 2007, Baekdal wrote that “this is fun” is 10 times more secure than “J4fS<2.” I’m not sure what his opinion of this is right now, but I do not think that using something simple like “this is fun” is so secure that it would take a computer, according to his written piece, 2,537 years to crack it.

For one, let’s say that a hacker uses a list of the one-thousand most common words in the English language to crack “this is fun.” Since the password uses three words drawn from that list, we’d have to contend with 1,000 × 1,000 × 1,000 possible combinations. That gives us a billion candidates to cycle through. It sounds like a lot, but for a computer, this is very simple.

I’m not saying that Thomas Baekdal is wrong. I’m simply saying that you need to follow some guidelines when making your choice. Let me show you some ideas I’ve cooked up while thinking about this problem for several days:

  • Use non-space separators, like the hyphen (“-”). If you’re a little more daring, try something really difficult to figure out, like the trademark symbol (“™”, Alt+0153).
  • Use non-conversational uncommon words, like “quantum theory is a paramount development.” You can also create a sentence in another language, like Latin (“repetitio est mater studiorum”). This is especially useful when English is not your first language. Most hackers will search for passwords with English words, but very few of them would think of, say, Romanian or Czech.
  • Make sentences of random words. An example would be “paraphernalia photon cephalopod.”

Following these rules may result in a password that is, at first, difficult to remember. But consider the Latin proverb I used as an example of a non-English password. Its translation: Repetition is the mother of study. If you keep using your password, you’ll remember it in a jiffy. Remembering “faji2o#($FCCineF)9f(#”, I think, is much more difficult than remembering “paraphernalia photon cephalopod” or whatever these words may be in your native language.

Remember, the longer you make the sentence, the more secure it gets! Using a shorter sentence may still afford you some high level of security so long as you don’t use something that can be caught in a common word list. Dictionary attacks on your password are still possible, but not likely to yield results because of the enormous amount of time it would take for the hacker’s tool to crack your password open.
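To put numbers on the argument in this section (the 1,000 × 1,000 × 1,000 estimate for “this is fun” and the point that every extra word makes the sentence harder to guess), here is an added Python example; it is not part of the original article. It scores a password by the cheaper of the two attacker models from the list above: a character-by-character brute force, or a word-list attack on each word of a sentence. The embedded word list, the 1,000 and 170,000 list sizes, the 94-character printable set and the 10^9 guesses-per-second rate are all assumptions chosen for illustration, and separators are assumed known to the attacker (the conservative case).

```python
"""Password search-space estimator (added example, not from the article).

The attacker picks whichever is cheaper:
  - brute force over the character classes the password uses, or
  - a word-list attack over the tokens of a sentence password.
So a three-word sentence built from common words is scored as 1000**3
guesses, not as an 11-character brute force.
"""
import math
import re

# Constructed stand-in for the "one-thousand most common words" list the
# article mentions; only the size matters for the arithmetic below.
COMMON_WORDS = {
    "this", "is", "fun", "the", "and", "password", "love", "strawberry",
    "whiskey", "caramel", "hello", "world", "spring", "here", "good", "bad",
}
COMMON_LIST_SIZE = 1_000      # assumed size of the common-word list
DICTIONARY_SIZE = 170_000     # assumed size of a full English word list
SYMBOLS = 32                  # 94 printable ASCII minus 62 alphanumerics

# Separators the article suggests: space, hyphen, and the trademark sign.
SEPARATORS = re.compile(r"[\s\-_.,;:!?™]+")


def charset_size(pw):
    """Size of the smallest standard character set that covers pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += SYMBOLS
    return size


def brute_force_space(pw):
    """Candidates an exhaustive character search must cover."""
    return charset_size(pw) ** len(pw)


def wordlist_space(pw):
    """Candidates if every token is guessed from a word list.

    Common words cost COMMON_LIST_SIZE each, other alphabetic tokens cost a
    full dictionary, and a token with digits or symbols cannot be attacked
    this way at all (returns None, leaving only brute force).
    """
    tokens = [t for t in SEPARATORS.split(pw.lower()) if t]
    if not tokens:
        return None
    space = 1
    for token in tokens:
        if token in COMMON_WORDS:
            space *= COMMON_LIST_SIZE
        elif token.isalpha():
            space *= DICTIONARY_SIZE
        else:
            return None
    return space


def guess_space(pw):
    """The attacker's cheapest model: the smaller of the two spaces."""
    candidates = [brute_force_space(pw)]
    wl = wordlist_space(pw)
    if wl is not None:
        candidates.append(wl)
    return min(candidates)


def entropy_bits(pw):
    """Effective strength in bits under the cheapest model."""
    return math.log2(guess_space(pw))


def years_to_exhaust(pw, guesses_per_second=1e9):
    """Worst-case search time at an assumed GPU rate (illustrative only)."""
    return guess_space(pw) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ["caramel", "J4fS<2", "this is fun",
               "paraphernalia photon cephalopod",
               "paraphernalia photon cephalopod nautilus"]:
        print(f"{pw!r:45} {entropy_bits(pw):6.1f} bits "
              f"{years_to_exhaust(pw):10.2e} years at 1e9 guesses/s")
```

Under these assumptions “this is fun” costs about a billion guesses (a second at the assumed rate), while three uncommon words cost 170,000³ and a fourth word multiplies that by 170,000 again, which is the article’s point about longer sentences in concrete terms.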

The only limitation to the above method is that some sites don’t allow passwords longer than 20 characters. A few also don’t allow spaces or other special characters in passwords, although this is becoming more rare. I have even encountered an online banking platform that only allowed up to 14 alphanumeric characters. In these sites, sentence passwords won’t work whatsoever.

I’ve covered a lot here. Some of it conflicts a little with conventional wisdom about passwords, so it’s normal for you to have opinions, questions, and thoughts on the matter. It’s time for you to open up. Join me and fellow readers in a conversation that could help clarify everything by leaving a comment below!

33 comments

    • A backwards sentence just leaves one extra step in the cracking process. A skilled hacker would think of that. Special characters are useful, but not always very helpful, especially in instances where the character replaces a letter intentionally (like @ replacing “a”) in a common word.

  1. Mix languages and even character sets. Cracking a password with Latin and Cyrillic characters would seem to be difficult.

      • “Cracking a password with Latin and Cyrillic characters would seem to be difficult.”

        Wouldn’t an ASCII table lookup crack that easily?

        • If you knew what languages to check. Even adding one character from say Burmese might be enough. It adds one more level of complication like adding UC and LC letters.

  2. Passwords are a pain in the butt! Of course, they’re necessary, made so by the evil people of the world, so I keep a list in an encrypted file on my computer and then copy and paste passwords from that list. Is that safe? Does copying and paste make a more secure password than typing in the characters? I was hoping to deter keyloggers, but maybe I’m dreaming!

    • Copying from a list can still mean that a hacker will one day be able to access that list if he infiltrates your computer. The safest bet is to use an SSO like PerfectCloud or LastPass.

      • “The safest bet is to use an SSO like PerfectCloud or LastPass.”

        Isn’t a Password Manager subject to the same shortcomings as a login? If the hacker cracks the Manager password then he has access to all your other passwords.

        Also, sentence passwords can easily be cracked with a dictionary attack. Wouldn’t a better solution be a sentence made up of nonsense words of different lengths? (N4^j &nb/s# poL(*&) Of course a password like that would be quite hard to remember.

        • “Isn’t a Password Manager subject to the same shortcomings as a login?”

          Not PerfectCloud. It has a very special form of encryption that really is a nightmare for hackers. Also, you make your own encryption key (the “cryptphrase”), which acts as a second password. It’s actually the most innovative way to manage your logins out there.

          “Also, sentence passwords can easily be cracked with a dictionary attack.”

          Not necessarily. The number of permutations grows significantly as you increase the word count in your password. Of course, some sentences are still vulnerable.

          “Wouldn’t a better solution be a sentence made up of nonsense words of different lengths?”

          It defeats the purpose of using a password you can remember easily. But yes, you’d have an ironclad password. Also, hackers rarely anticipate spaces. Aside from spaces, one of the best delimiters is the invisible hyphen (Alt+0173). It’s very elusive.

    • I’m not an expert in security, so take this with a grain of salt. It seems to me that since hackers can grab screenshots, they might do so while your Excel (or whatever program) encrypted file is open and thus have access to at least those passwords (and personal info) which are currently displayed. They could also use keyloggers to snatch the password of your encrypted file and blow the whole thing wide open, especially if they get control of your machine. These are just guesses on my part; I’d be interested in the thoughts of those who are more knowledgeable than I am.

      • If a hacker has the ability to take a screenshot of your computer, then it does not really matter what method you use to store your passwords. You’re dead meat at that point regardless. You don’t have to go this crazy on password creation. Include one of each of capitals, lowercase, numbers and symbols, make it over 12 if possible, and just do it however is most convenient. Password strength is only relevant to the conversation of cracking, as the author mentioned. That makes password policy a pretty straightforward conversation. Unfortunately, it’s malware and traffic sniffing that is a much more complicated discussion, and the method most widely used to steal your data is still social engineering.

  3. I think sentences in a difficult language is a good way to go. My problem is I seem to have much difficulty changing passwords on sites. It makes me crazy. Does anyone have an answer for me?

  4. I don’t know for sure; however, encrypting your password (any reasonable password) with MD5 encryption. Take, for instance, the password “just for fun”. It converts to:
    bc00595440e801f8a5d2a2ad13b9791b (found easily on mycodeguy.com). It is a one-way encryption, and you would enter ‘just for fun’ as your password, but you would use the encryption when you set up the password – let me know your thoughts…

    • Great link, http://mycodeguy.com/ – Thanks! Not sure of the best way to use it though, wouldn’t want to go to that link every time I log on somewhere and convert or unconvert. A bit tedious. At the very least, kind of fun and interesting!

  5. I think mixing languages in a sentence and adding a couple of numbers or characters should keep a hacker busy for a much longer time. Transliteration can make passwords much stronger but you need to know at least two languages.

  6. Interesting thought Larry Newman, but the rub as I see it would be once again remembering/memorizing the MD5, unless you use a manager.

  7. There are all kinds of quotations from literature such as “Alas poor Yorick I knew him Horatio.” Since letter pairs are considered a weakness, the word “poor” might be replaced by “destitute”. To make it even more difficult, fill the spaces starting with % in the shifted upper row on the keyboard and, moving from left to right, change each space to another character from the shifted row, i.e. Alas%destitute^Yorick&I*knew(him)well. That should give the hackers something to grind away at for a while. Personally, I’ve never used this one – I have others, but I’m not going to even suggest their source.

  8. How about an article discussing the merits and demerits of password programs?
    The first one I ever used, way back when, was “Gator”; it was actually spyware!
    Is there any way to automatically convert your existing password program’s data to other programs?
    “The safest bet is to use an SSO like PerfectCloud or LastPass.”

  9. Tried this with “google translate”; input was … Spring-is=here … result was …. Proljeće-je = ovdje … in Croatian. Seems this could be a way to go with passwords; works for me.

    • Problem with that idea is that the translation back to the original is not always the same as the original. Google Translate isn’t perfect. I think it sometimes uses approximations or slight mistranslations, and when translating backwards “War in Crimea” might translate back to “Crimean War” or even “War Crime” depending on which language you’re using. I know this from personal experience as I have family in the Philippines.

  10. Good point DonP. Oh well, back to the drawing board I guess. I like the idea of a short sentence though. Regards to you.

  11. Biometric authentication, incorporating a proximity sensor with a configurable auto-log-off distance, is my holy grail. Bionym is coming out with a wrist bracelet that will authenticate use by checking your cardiogram. My pre-order is in. No delivery date as yet. Barring any heart rhythm abnormalities, fraud data down well below 1%, the Bionym website is promising. Meanwhile, LastPass works and synchronises with multiple devices.

  12. Here’s an easy one to save having to try remembering tough passwords that was discussed in another blog or article; I can’t remember which. But anyway, the method proposed was to develop a core and use the first and last letters of the site. For example mLJ@792r: the LJ@792 being the core, “m” the first letter of the site and “r” the last letter of the site. That way you only have to remember the core. Of course the core could be longer, but as you can see you have an assortment of characters.

  13. LastPass wins for me. Relatively easy to use, secure (I think), in the cloud (because I move around a lot).
    Backed up with an encrypted (Truecrypt) file on Dropbox.
    I like it enough to have paid for premium.

  14. Won’t a “brute force” attack on a web login be quickly defeated by most sites, which only allow a handful of erroneous login attempts before disabling access for a period of time?

    Aren’t you basically talking about attacks wherein the hacker has already obtained your hashed password and is trying to “reverse engineer” the unhashed password?

  15. Why not just omit the spaces in your password sentence, “Thisisabadpassword?”, making a really long non-word.

  16. I use a combination of words that my kids used when they were starting to talk, those words don’t exist in any language because they are mispronounced words in my native language (that by the way is not English).

    They have sense only to me, that’s why they are easy for me to remember and difficult to guess for someone else.

    And at the same time I don’t forget their first words now that they are growing up.

  17. Keep in mind that special characters may seemingly disappear on foreign keyboards. For example, if you use a dollar sign (shift-4) in your password, it moves to where the bracket key is. In my travels, I still needed to use “Shift-4”, and not the actual symbol “$”, to access my protected information.

  18. Nice briefing, and perceptive dialog. Thanks. Several comments:
    1. I use LastPass premium (like PAF56, Claude, Oz); I also have an encrypted spreadsheet stored offline. I like the idea of the crypto-phrase in LastPass, and industry reviews encourage me to trust the encryption (performed on my devices, not LastPass servers).
    2. I’m not a security expert but I’ve had cryptology explained to me by folks who are. I think a “dictionary attack” does not involve trying every word in a dictionary, rather it uses a hash-to-word mapping that was done offline. Hackers are constantly expanding the scope of such mappings. This approach solves the “only three tries” situation, as long as the hacker has the hash of your password.
    3. Only a few of my online accounts permit spaces, or longer-than-20-character strings. Most do not. (I’ve been a fan of pass-phrases since GrooveNet; I use them when supported.)
    4. When guessing the words in a passphrase (e.g., a 3-word phrase has complexity of 1000 x 1000 x 1000), how does the hacker know how many words are in the phrase? And in what order?

    Again, useful brief and discussion
    –Vic
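Vic’s second point (a precomputed hash-to-word mapping built offline) and Larry Newman’s MD5 suggestion in comment 4 describe the same mechanism from two sides. The following Python example is added here and belongs to neither commenter nor the article: it builds such a mapping over a constructed five-entry word list, resolves an unsalted MD5 digest with a single lookup, and then shows why a per-account random salt (an assumption about how the site stores passwords) makes the same precomputed table useless. The digest values are computed live, not taken from the comment.

```python
"""Precomputed hash lookup vs. a salted hash (added example, not from the page).

Unsalted: attacker hashes a word list once, then reverses any stolen digest
by lookup. Salted: every account hashes the same password differently, so the
offline table matches nothing.
"""
import hashlib
import hmac
import os

# Constructed stand-in for the attacker's word list.
WORDS = ["strawberry", "whiskey", "caramel", "this is fun", "just for fun"]


def md5_hex(text):
    """Unsalted MD5 of a password, as the comment-4 scheme would store it."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup(words):
    """Precompute hash -> word once; reused against every stolen digest."""
    return {md5_hex(w): w for w in words}


def resolve(lookup, digest):
    """Reverse an unsalted digest with one table lookup, or None."""
    return lookup.get(digest)


def salted_hash(password, salt):
    """Illustrative salted SHA-256; production code should use a slow KDF."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def new_credential(password, salt=None):
    """Store (salt, digest); a fresh random salt per account unless given."""
    if salt is None:
        salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify(password, salt, stored_digest):
    """Constant-time comparison of a login attempt against the stored digest."""
    return hmac.compare_digest(salted_hash(password, salt), stored_digest)


def table_hits(lookup, salt, words):
    """Count word-list entries whose salted digest appears in the unsalted table."""
    return sum(1 for w in words if salted_hash(w, salt) in lookup)


if __name__ == "__main__":
    table = build_lookup(WORDS)
    stolen = md5_hex("just for fun")
    print("unsalted digest resolves to:", resolve(table, stolen))
    salt, digest = new_credential("just for fun")
    print("salted digest in table:", digest in table)
    print("login check:", verify("just for fun", salt, digest))
```

The same word list reverses every unsalted digest instantly, and the work done once serves every site that stores bare MD5; with a per-account salt the attacker is back to guessing each account separately, which is where the rate-limiting and password-length arguments from the article apply.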

