Linguistic properties of multi-word passphrases

Joseph Bonneau, Ekaterina Shutova

Research output: Chapter in Book/Report/Conference proceedingConference contribution


We examine patterns of human choice in a passphrase-based authentication system deployed by Amazon, a large online merchant. We tested the availability of a large corpus of over 100,000 possible phrases at Amazon's registration page, which prohibits using any phrase already registered by another user. A number of large, readily-available lists such as movie and book titles prove effective in guessing attacks, suggesting that passphrases are vulnerable to dictionary attacks like all schemes involving human choice. Extending our analysis with natural language phrases extracted from linguistic corpora, we find that phrase selection is far from random, with users strongly preferring simple noun bigrams which are common in natural language. The distribution of chosen passphrases is less skewed than the distribution of bigrams in English text, indicating that some users have attempted to choose phrases randomly. Still, the distribution of bigrams in natural language is not nearly random enough to resist offline guessing, nor are longer three- or four-word phrases for which we see rapidly diminishing returns.

Original languageEnglish (US)
Title of host publicationFinancial Cryptography and Data Security - FC 2012 Workshops, USEC and WECSR 2012, Revised Selected Papers
Number of pages12
StatePublished - 2012
Event16th International Conference on Financial Cryptography and Data Security, FC 2012 - Kralendijk, Bonaire, Netherlands
Duration: Mar 2 2012Mar 2 2012

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume7398 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Other16th International Conference on Financial Cryptography and Data Security, FC 2012
CityKralendijk, Bonaire

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)


Dive into the research topics of 'Linguistic properties of multi-word passphrases'. Together they form a unique fingerprint.

Cite this