Cynthia Kuo, Sasha Romanosky, and Lorrie Faith Cranor: Human Selection of Mnemonic Phrase-Based Passwords
July 13, 2006 by Ping
Many organizations tell users to create “mnemonic phrase-based passwords”: passwords built by thinking of a memorable sentence or phrase and then compressing each word of the phrase to a single character (such as its first letter, a number, or a punctuation mark). The association with the phrase helps users remember the password, and the result looks hard to guess.
Unfortunately, the strength of mnemonic passwords is not well understood. A previous analysis by Yan et al. concluded that mnemonic passwords are stronger than ordinary ones, but it evaluated them against a standard, non-mnemonic dictionary, which is not the dictionary an attacker who knows the password policy would use.
This work built a dictionary of common phrases (phrases that appear frequently on the Web), compressed them into the candidate mnemonic passwords a user would be likely to derive from them, and ran a dictionary attack with the result against mnemonic passwords. The outcome was compared with a dictionary attack against non-mnemonic (control) passwords.
The survey had 290 respondents. Two people used the Oscar Meyer Weiner jingle, “I wish I were an Oscar Meyer Weiner!”, and another respondent used a well-known line from The Princess Bride: “My name is Inigo Montoya. You killed my father. Prepare to die!” In all, 53% of the mnemonic passwords were based on media sources such as jingles and film quotes.
The mnemonic dictionary attack cracked 11% of the control passwords and 4% of the mnemonic passwords. A brute-force attack (using John the Ripper’s character frequency tables) cracked a further 4% of the control passwords and 4% of the mnemonic passwords.
The character frequencies in mnemonic passwords have a distribution similar to those in control passwords, which suggests that they are about as vulnerable to brute-force attack. Mnemonic passwords may also become more vulnerable in the future as better phrase dictionaries are developed: the 4% figure reflects the dictionary the authors were able to build, not an upper bound.
Instructions for generating mnemonic passwords should therefore warn users not to base them on publicly available phrases.
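To make the attack and the frequency comparison concrete, here is a small added example (my own illustration, not the authors' code and not John the Ripper's rule engine). It expands a constructed phrase list into candidate mnemonic passwords, runs them against a constructed set of unsalted SHA-256 hashes, and computes the character-class profile of a password set. The phrase list, the word-substitution table, and the sample passwords are all assumptions made up for the example; the real phrase dictionary was Web-derived and far larger.

```python
import hashlib
import itertools
import re

# Constructed stand-in for the Web-derived phrase dictionary; two entries are
# the phrases quoted in the survey summary.
PHRASES = [
    "I wish I were an Oscar Meyer Weiner!",
    "My name is Inigo Montoya. You killed my father. Prepare to die!",
    "To be or not to be, that is the question",
    "Four score and seven years ago",
    "May the force be with you",
]

# Assumed whole-word compressions a user might choose instead of the first letter.
WORD_SUBS = {
    "to": ["2"], "too": ["2"], "two": ["2"],
    "for": ["4"], "four": ["4"],
    "you": ["u"], "are": ["r"], "and": ["&"],
    "one": ["1"], "at": ["@"], "ate": ["8"],
}

# A word (internal apostrophes allowed) or a single non-space, non-alphanumeric mark.
TOKEN_RE = re.compile(r"[A-Za-z0-9]+(?:'[A-Za-z0-9]+)*|[^\sA-Za-z0-9]")


def mnemonic_candidates(phrase, max_candidates=512):
    """Expand one phrase into the mnemonic passwords a user might derive from it.

    Each word contributes its first letter or an assumed substitution, each
    punctuation mark is either kept or dropped, and every combination is
    emitted as typed, all lower case and all upper case.  The most obvious
    form (first letters, punctuation kept, case as typed) comes first.
    """
    slots = []
    for tok in TOKEN_RE.findall(phrase):
        if tok[0].isalnum():
            options = [tok[0]] + WORD_SUBS.get(tok.lower(), [])
        else:
            options = [tok, ""]  # keep the mark, or leave it out
        slots.append(list(dict.fromkeys(options)))  # dedupe, keep order

    out, seen = [], set()
    for combo in itertools.product(*slots):
        base = "".join(combo)
        for variant in (base, base.lower(), base.upper()):
            if variant and variant not in seen:
                seen.add(variant)
                out.append(variant)
                if len(out) >= max_candidates:
                    return out
    return out


def sha256_hex(password):
    # Unsalted SHA-256 only so the example runs offline; it is not a
    # recommendation for storing passwords.
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hashes, phrases):
    """Dictionary attack: map each recovered hash to (password, source phrase)."""
    cracked = {}
    for phrase in phrases:
        for cand in mnemonic_candidates(phrase):
            h = sha256_hex(cand)
            if h in target_hashes and h not in cracked:
                cracked[h] = (cand, phrase)
    return cracked


def crack_rate(target_hashes, phrases):
    """Fraction of the target set recovered by the phrase dictionary."""
    return len(crack(target_hashes, phrases)) / len(target_hashes)


def char_class_profile(passwords):
    """Share of lower, upper, digit and symbol characters across a password set,
    the kind of frequency comparison the paper draws between the two groups."""
    counts = {"lower": 0, "upper": 0, "digit": 0, "symbol": 0}
    for pw in passwords:
        for ch in pw:
            if ch.islower():
                counts["lower"] += 1
            elif ch.isupper():
                counts["upper"] += 1
            elif ch.isdigit():
                counts["digit"] += 1
            else:
                counts["symbol"] += 1
    total = sum(counts.values()) or 1
    return {k: v / total for k, v in counts.items()}


# Constructed "stored" passwords: three derived from phrases above (two use a
# digit for "to"), plus one random-looking control password.
SAMPLE_PASSWORDS = ["IwIwaOMW!", "MniIM.Ykmf.P2d!", "Tbon2b,titq", "Xq7#pLm2"]
TARGET_HASHES = {sha256_hex(p) for p in SAMPLE_PASSWORDS}

if __name__ == "__main__":
    for h, (pw, phrase) in crack(TARGET_HASHES, PHRASES).items():
        print(f"{pw!r:20} <- {phrase!r}")
    print("cracked:", crack_rate(TARGET_HASHES, PHRASES))
    print("profile:", char_class_profile(SAMPLE_PASSWORDS))
```

Run as a script it recovers the three phrase-derived passwords and leaves the control password uncracked. The point of the expansion rules is that the dictionary grows only by a small constant factor per phrase (case variants, kept or dropped punctuation, a handful of digit substitutions), so a phrase that is public is, for the attacker, barely more expensive than a dictionary word; a richer substitution table is exactly the "better phrase dictionary" the paper expects to erode the 4% figure.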