Linguistic properties of multi-word passphrases

Joseph Bonneau, Ekaterina Shutova

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

We examine patterns of human choice in a passphrase-based authentication system deployed by Amazon, a large online merchant. We tested the availability of a large corpus of over 100,000 possible phrases at Amazon's registration page, which prohibits using any phrase already registered by another user. A number of large, readily-available lists such as movie and book titles prove effective in guessing attacks, suggesting that passphrases are vulnerable to dictionary attacks like all schemes involving human choice. Extending our analysis with natural language phrases extracted from linguistic corpora, we find that phrase selection is far from random, with users strongly preferring simple noun bigrams which are common in natural language. The distribution of chosen passphrases is less skewed than the distribution of bigrams in English text, indicating that some users have attempted to choose phrases randomly. Still, the distribution of bigrams in natural language is not nearly random enough to resist offline guessing, nor are longer three- or four-word phrases for which we see rapidly diminishing returns.

Original language: English (US)
Title of host publication: Financial Cryptography and Data Security - FC 2012 Workshops, USEC and WECSR 2012, Revised Selected Papers
Pages: 1-12
Number of pages: 12
Volume: 7398 LNCS
State: Published - 2012
Event: 16th International Conference on Financial Cryptography and Data Security, FC 2012 - Kralendijk, Bonaire, Netherlands
Duration: Mar 2 2012 to Mar 2 2012

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 7398 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 16th International Conference on Financial Cryptography and Data Security, FC 2012
Country: Netherlands
City: Kralendijk, Bonaire
Period: 3/2/12 to 3/2/12

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science (all)

Cite this

Bonneau, J., & Shutova, E. (2012). Linguistic properties of multi-word passphrases. In Financial Cryptography and Data Security - FC 2012 Workshops, USEC and WECSR 2012, Revised Selected Papers (Vol. 7398 LNCS, pp. 1-12). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7398 LNCS). https://doi.org/10.1007/978-3-642-34638-5_1

@inproceedings{d2762a7dfe0d407bb5238ae63f19c7f6,
title = "Linguistic properties of multi-word passphrases",
abstract = "We examine patterns of human choice in a passphrase-based authentication system deployed by Amazon, a large online merchant. We tested the availability of a large corpus of over 100,000 possible phrases at Amazon's registration page, which prohibits using any phrase already registered by another user. A number of large, readily-available lists such as movie and book titles prove effective in guessing attacks, suggesting that passphrases are vulnerable to dictionary attacks like all schemes involving human choice. Extending our analysis with natural language phrases extracted from linguistic corpora, we find that phrase selection is far from random, with users strongly preferring simple noun bigrams which are common in natural language. The distribution of chosen passphrases is less skewed than the distribution of bigrams in English text, indicating that some users have attempted to choose phrases randomly. Still, the distribution of bigrams in natural language is not nearly random enough to resist offline guessing, nor are longer three- or four-word phrases for which we see rapidly diminishing returns.",
author = "Joseph Bonneau and Ekaterina Shutova",
year = "2012",
doi = "10.1007/978-3-642-34638-5_1",
language = "English (US)",
isbn = "9783642346378",
volume = "7398 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "1--12",
booktitle = "Financial Cryptography and Data Security - FC 2012 Workshops, USEC and WECSR 2012, Revised Selected Papers",

}

TY - GEN

T1 - Linguistic properties of multi-word passphrases

AU - Bonneau, Joseph

AU - Shutova, Ekaterina

PY - 2012

Y1 - 2012

N2 - We examine patterns of human choice in a passphrase-based authentication system deployed by Amazon, a large online merchant. We tested the availability of a large corpus of over 100,000 possible phrases at Amazon's registration page, which prohibits using any phrase already registered by another user. A number of large, readily-available lists such as movie and book titles prove effective in guessing attacks, suggesting that passphrases are vulnerable to dictionary attacks like all schemes involving human choice. Extending our analysis with natural language phrases extracted from linguistic corpora, we find that phrase selection is far from random, with users strongly preferring simple noun bigrams which are common in natural language. The distribution of chosen passphrases is less skewed than the distribution of bigrams in English text, indicating that some users have attempted to choose phrases randomly. Still, the distribution of bigrams in natural language is not nearly random enough to resist offline guessing, nor are longer three- or four-word phrases for which we see rapidly diminishing returns.

AB - We examine patterns of human choice in a passphrase-based authentication system deployed by Amazon, a large online merchant. We tested the availability of a large corpus of over 100,000 possible phrases at Amazon's registration page, which prohibits using any phrase already registered by another user. A number of large, readily-available lists such as movie and book titles prove effective in guessing attacks, suggesting that passphrases are vulnerable to dictionary attacks like all schemes involving human choice. Extending our analysis with natural language phrases extracted from linguistic corpora, we find that phrase selection is far from random, with users strongly preferring simple noun bigrams which are common in natural language. The distribution of chosen passphrases is less skewed than the distribution of bigrams in English text, indicating that some users have attempted to choose phrases randomly. Still, the distribution of bigrams in natural language is not nearly random enough to resist offline guessing, nor are longer three- or four-word phrases for which we see rapidly diminishing returns.

UR - http://www.scopus.com/inward/record.url?scp=84868356659&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84868356659&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-34638-5_1

DO - 10.1007/978-3-642-34638-5_1

M3 - Conference contribution

SN - 9783642346378

VL - 7398 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 1

EP - 12

BT - Financial Cryptography and Data Security - FC 2012 Workshops, USEC and WECSR 2012, Revised Selected Papers

ER -