Linguist and computer scientist collaborating @USEC’12

Linguistic Properties of Multi-word Passphrases

by Joseph Bonneau, Ekaterina Shutova, University of Cambridge

This paper is the outcome of an interesting collaboration between a linguist, Shutova, and a computer scientist, Bonneau. According to Bonneau, who presented the paper, Shutova was unfamiliar with the area of computer security prior to this work. The idea was to examine how people create pass-phrases in order to estimate how predictable, or unpredictable, human choices of pass-phrases are (a pass-phrase, naturally, is formed from multiple words, as compared with a traditional password where only one word is used).

So, the authors examined patterns of human choice in a passphrase-based authentication system deployed by Amazon. They found that pass-phrase selection is far from random, with users strongly preferring simple noun bigrams which are common in natural language. This makes such pass-phrases quite vulnerable to dictionary attacks.
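To make the gap between "two random words" and "two words a person actually picks" concrete, here is an added example (not code or data from the paper) that compares the nominal entropy of a two-word phrase with what a skewed distribution really offers. The sample phrases, the 1000-word vocabulary and all function names are constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample (not data from the paper): two-word passphrases picked
# by 20 hypothetical users, deliberately skewed toward common noun bigrams.
SAMPLE = (
    ["credit card"] * 6 + ["high school"] * 4 + ["ice cream"] * 3
    + ["post office"] * 2
    + ["velvet anchor", "copper lantern", "marble thistle",
       "quiet harbor", "amber falcon"]
)

def nominal_bits(vocab_size, words=2):
    """Entropy if every word were drawn uniformly and independently."""
    return words * math.log2(vocab_size)

def min_entropy_bits(sample):
    """Bits of protection against a single guess at the most common phrase."""
    top_count = Counter(sample).most_common(1)[0][1]
    return -math.log2(top_count / len(sample))

def coverage(sample, k):
    """Fraction of accounts whose phrase is among the k most common ones."""
    return sum(n for _, n in Counter(sample).most_common(k)) / len(sample)

def uniform_coverage(vocab_size, k, words=2):
    """Same fraction if phrases were spread uniformly over vocab_size**words."""
    return min(1.0, k / vocab_size ** words)

if __name__ == "__main__":
    vocab = 1000  # assumed vocabulary size, for illustration only
    print(f"nominal entropy:      {nominal_bits(vocab):.1f} bits")
    print(f"observed min-entropy: {min_entropy_bits(SAMPLE):.1f} bits")
    for k in (1, 3):
        print(f"top-{k} coverage: observed {coverage(SAMPLE, k):.0%}, "
              f"uniform {uniform_coverage(vocab, k):.4%}")
```

The same functions can be pointed at a blocklist candidate set: phrases that account for a large share of `coverage` are the ones a signup check should reject.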

The paper nicely addresses a usability issue in password creation: the illusion that multi-word passphrases are more secure than they actually are. Why is this a usability problem? Because it gives the user a false sense of security, which can lead the user to trust the system too much, leaving him or her too vulnerable, and to possible outrage if the account gets hijacked as a result. For details, the paper can be downloaded from the USEC’12 website.