Linguistic properties of multi-word passphrases

Joseph Bonneau, Ekaterina Shutova

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

We examine patterns of human choice in a passphrase-based authentication system deployed by Amazon, a large online merchant. We tested the availability of a large corpus of over 100,000 possible phrases at Amazon's registration page, which prohibits using any phrase already registered by another user. A number of large, readily-available lists such as movie and book titles prove effective in guessing attacks, suggesting that passphrases are vulnerable to dictionary attacks like all schemes involving human choice. Extending our analysis with natural language phrases extracted from linguistic corpora, we find that phrase selection is far from random, with users strongly preferring simple noun bigrams which are common in natural language. The distribution of chosen passphrases is less skewed than the distribution of bigrams in English text, indicating that some users have attempted to choose phrases randomly. Still, the distribution of bigrams in natural language is not nearly random enough to resist offline guessing, nor are longer three- or four-word phrases for which we see rapidly diminishing returns.

Original languageEnglish (US)
Title of host publicationFinancial Cryptography and Data Security - FC 2012 Workshops, USEC and WECSR 2012, Revised Selected Papers
PublisherSpringer Verlag
Pages1-12
Number of pages12
ISBN (Print)9783642346378
DOIs
StatePublished - 2012
Event16th International Conference on Financial Cryptography and Data Security - FC 2012 Workshops, USEC and WECSR 2012, FC 2012 Workshops - USEC and WECSR 2012 - Kralendijk, Bonaire, Netherlands
Duration: Mar 2 2012Mar 2 2012

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume7398 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

Conference16th International Conference on Financial Cryptography and Data Security - FC 2012 Workshops, USEC and WECSR 2012, FC 2012 Workshops - USEC and WECSR 2012
Country/TerritoryNetherlands
CityKralendijk, Bonaire
Period3/2/123/2/12

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science

Fingerprint

Dive into the research topics of 'Linguistic properties of multi-word passphrases'. Together they form a unique fingerprint.

Cite this