Cynthia Kuo, Sasha Romanosky, and Lorrie Faith Cranor: Human Selection of Mnemonic Phrase-Based Passwords

July 13, 2006 by Ping

Read the paper here.

Many organizations tell users to create “mnemonic phrase-based passwords” — passwords made up by thinking of a memorable sentence or phrase, then compressing each word of the phrase to a character (such as its first letter, a number, or a punctuation character).  Association with the phrase helps users remember their passwords, and the result is a phrase that looks hard to guess.

Unfortunately, the strength of mnemonic passwords is not well understood.  A previous analysis by Yan et al. concluded that mnemonic passwords are stronger, but it evaluated these passwords against a standard non-mnemonic dictionary.

This work built a dictionary of common phrases (phrases that appear frequently on the Web), used it to run a dictionary attack against mnemonic passwords, and compared the results with dictionary attacks against non-mnemonic passwords.
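The check below, an added example rather than code from the paper or this post, shows the core of that phrase-dictionary approach turned into a defender-side policy check: it expands each phrase in a (constructed, deliberately tiny) dictionary into every password the mnemonic method can produce from it, then tells you whether a candidate password is derivable from a known phrase.  The word-to-symbol substitutions (2 for “to”, @ for “at”, & for “and”, and so on) are assumptions about common compression habits, not a list from the paper.

```python
import re
from itertools import product

# Constructed stand-in for the Web-derived phrase dictionary the paper built;
# a real one would hold many thousands of phrases, lyrics and quotes.
COMMON_PHRASES = [
    "My name is Inigo Montoya. You killed my father. Prepare to die!",
    "I wish I were an Oscar Meyer Weiner!",
    "To be or not to be, that is the question",
]

# Assumed stand-ins a word is commonly compressed to, besides its first letter.
WORD_FORMS = {
    "to": "2", "too": "2", "two": "2", "for": "4", "four": "4",
    "and": "&", "at": "@", "you": "u", "are": "r", "one": "1",
}


def token_forms(token):
    """Possible renderings of one token: a word becomes its first letter or a
    stand-in symbol; a punctuation mark may be kept or dropped."""
    if token.isalpha():
        forms = {token[0]}
        if token in WORD_FORMS:
            forms.add(WORD_FORMS[token])
        return forms
    return {token, ""}


def mnemonic_candidates(phrase):
    """Every case-folded password derivable from `phrase` by compressing each
    word to a single character, with or without the phrase's punctuation."""
    tokens = re.findall(r"[a-z]+|[!?.,]", phrase.lower())
    return {"".join(parts) for parts in product(*map(token_forms, tokens))}


def phrase_origin(password, phrases=COMMON_PHRASES):
    """Return the dictionary phrase `password` can be derived from, or None.
    Case is ignored so capitalised variants of the same phrase are also caught."""
    folded = password.lower()
    for phrase in phrases:
        if folded in mnemonic_candidates(phrase):
            return phrase
    return None


if __name__ == "__main__":
    for pw in ("MniIM.Ykmf.P2d!", "IwIwaOMW!", "2bon2b,titq", "Tr0ub4dor&3"):
        print(pw, "->", phrase_origin(pw))
```

Because every word collapses to one of at most two characters, expanding a phrase costs only a few dozen candidates, so a dictionary of thousands of phrases stays cheap to check at password-creation time.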

The survey had 290 respondents.  Two people used the Oscar Meyer Weiner jingle — “I wish i were an Oscar Meyer Weiner!” Another respondent used a well-known line from the Princess Bride — “My name is Inigo Montoya.  You killed my father.  Prepare to die!” In all, 53% of mnemonic passwords used media sources.

The mnemonic dictionary attack was able to crack 11% of control passwords and 4% of mnemonic passwords.  A brute-force attack (using John the Ripper’s character frequency tables) cracked an additional 4% of control passwords and 4% of mnemonic passwords.

An analysis of the character frequencies in mnemonic passwords shows a similar distribution to those in control passwords, which suggests that they are about as vulnerable to brute-force attack.  Mnemonic passwords may become more vulnerable in the future as better phrase dictionaries get developed.

Instructions to generate mnemonic passwords should warn users not to use publicly available phrases.

[...] I had an idea yesterday evening inspired by Cynthia Kuo’s talk on phrase-based passwords.  Cynthia’s research started with a popular method for choosing memorable passwords and evaluated the strength of passwords created using that method.  And there was a questioner from the audience who noted that, whenever you popularize a particular formula for making passwords, attackers can develop dictionaries tailored to that formula. [...]


[...] each word—“iw2gb@r2eq&c”. Don’t use popular phrases or lyrics to build your password—research suggests that people gravitate to the same phrases, and you want your password to be something only you [...]