Are passwords made up from concatenating a few foreign words better than shorter random characters?

Question

Does it make sense to insert a foreign word into a paraphrase to mitigate against brute force? For example: "pussiMeansCatInEskimo" "caballoMeansHorse" "CatIsGatto" "SalopeMeansBitch" "BitchInFrenchIsSalope" "FoShizzleMyNizzle"

Answer 1

Yes, it does help, but perhaps not as much as you would think.

A password/phrase is a sequence of tokens. In a password, the tokens are characters; in a passphrase the tokens are words.

To increase the resistance of a password/phrase to brute force attacks, you can:

• increase the number of tokens in the sequence (i.e. make it longer)
• increase the number of possible tokens used (i.e. use a bigger set of characters or words.)

This is called increasing the entropy of the password/phrase.

An important point it that a passphrase (series of words) is also a password (series of characters). An attacker might attack it as a password or as a passphrase, and it's resistance to the attack is different depending on how the attacker treats it.

If the attacker treats it as a password, the main factor is length (since there are few tokens used in words). If they treat it as a passphrase, the main factor is number of tokens (since the length is so short).

So, should you use foreign words? Well, if the attacker treats it as a password, it makes no difference. Length is length. "chicken" and "oiseau" increase the length be the same amount, as does "skdjnqs" and "aaaaaaa" for that matter. If the attacker treats it as a passphrase, then it does make a difference. Using words from French and English almost doubles the number of possible tokens. So it does help, but as I mentioned, not as much as you'd think.

This is because increasing length is a much more powerful technique than increasing number of tokens. A three-word passphrase in english has an entropy of about 40; a three-word passphrase in french and english has an entropy of about 44, but a six-word passphrase in english has an entropy of 81.

In fact, if you run the numbers, it turns out that adding a single extra english word increases the entropy of a passphrase to 54 - ten more than you get by using two languages. Ten bits of extra entropy means a brute force attack will more than a thousand times longer to run.

So adding another word is a much better way to strengthen your passphrase.

(Although an even better way is to add a small random password with numbers and punctuation!)

Lastly I will mention that the phrases in your examples are not random, which is a weakness against generated dictionary attacks, so you should think about that as well. You want something more like CorrectĈevaloBatteryStaple.

Answer 2

The weakness with the passwords you provided is that they follow a common form. e.g. foreign[is|means]english. And now this approach is documented (thnaks! ;-)). I prefer groupings of 4 or 5 not just 2 or 3 like in your examples. If you are taking that approach these groupings should be uncommon unrelated words.

Also, my dictionary built from urbandictionary.com would crack FoShizzleMyNizzle the first time around (with my mangling rules).

When assessing security, look at your password, try to generalize it in your head to form a cracking strategy, then identify the parts that are variable and which parts are static. For the parts that are variable, identify the category they fit into. Think about how diverse that category is and how popular your choice is within it (top ten words for example is bad, sequences of characters commonly found together, etc.). This will give you an idea of how many combinations an attacker might have to go through.

Answer 3

It may if the foreign word is "Pneumonoultramicroscopicsilicovolcanoconiosis". It also largely depends on the type of hashing algorithm and the implementation of salts. The general problem is remembering secure passwords without writing them down. Try to make sentences and steal the first letter. For example:

 When I was 18 I dated Miranda Kerr for atleast 2 weeks, no seriously = WIw18IdMKfa2wns

Answer 4

A better application would handle brute force attack either by enabling CAPTCHA or delayed response.

From users perspective, you may add your own "salt" to your password. "Salt" could be anything.

Answer 5

I would say if you are going to use a set of dictionary words with no numeric or symbol characters then you weaken the process, especially if the words are related in any way. What you'd then be doing is using words as building blocks for your passwords instead of letters, which isn't going to make the job of guessing them as they are not increasing complexity.

What would be more complex would be using dictionary words, or even a phrase as a building block. If you like Duran Duran take the "Her name is rio and she dances on the sand". A simple way would be to use the first letter, as in hnirasdots . But that's too easy to guess if I know you are using music lyrics. I could alternate using whole words, parts of words, etc like hernisrandsdotsand . That's getting more and more like random text, but limiting it to lower case letters reduced the complexity. H3rn15rand5.0tSand would be very hard to get to from a cracking standpoint even if I know you were using music lyrics as a basis.

It's better to use unrelated words though, preferably of differing lengths, and then widen the character base by throwing punctuation, symbols, and numbers in. Take Carros, Set, and Nixon and transform it into carr0t.s3t*N1x0n for example.

Answer 6

In my opinion, if you use phonetic typing of another foreign language's word, it would be secure no matter what dictionary (brute force attack) a hacker may use. For example (for users who knows Arabic), Arabic name: khaled Saad (to use this name as password) in phonetic: 5aledsa3d (some Arabic letters are represented in numbers phonetically in chatting typing) kh = خ = 5
try translate.google.com from Arabic to English. If you only know English. Try to memorize many passwords as you can but don't write them down anywhere.

Answer 7

Sorry for the late answer, but I just joined. Graham has some good information, but it requires a bit of expansion and one correction. Entropy is a measure of randomness, not character set.

Regardless of passwords or passphrases, length is more important than complexity. Complexity becomes more important if you are limited to a short password (20 or less characters. A 15 character password that uses only lower case letters (26^15) is safer than a 10 character password that uses upper and lower case, numbers and symbols (95^10).

Now for brute forcing "word tokens" a six token passphrase is incredibly strong. You see, it isn't six tokens from a 95 character set, but six from a set that is over 1.2 million characters. Over 600k words in English doubled for upper and lower case. We won't deal with passphrases that have symbols like "?",etc.

Now the common initial response is that people don't used that many words. OK, let's cut the dictionary to the 500 most commonly used words, which is 1,000 with both cases of letters. now a six word passphrase is 1000^6. Not as strong as a 10 character password using all of the sets, but you can remember it much better than most complex passwords. But add 1 single obscure word and the dictionary can require more than 20,000 words (tokens/characters)x2 = 40,000.

"For the 1st time I answered a question on SX!"

10 "tokens" that require an extremely large token set (dictionary), and for a simple brute force attack it's 45 characters using all of the sets and very easy to remember.

I8@ ye ol' pub!!! 17 characters, easy to remember and dictionary repellent.

Not all tokens are equal!