A new research study on the effectiveness of passwords may make you reevaluate the strength of your passwords.

A study conducted by researchers at Carnegie Mellon University’s Institute for Software Research shows that what we once thought of as strong passwords may not be so strong any more. The key, they have found, is grammar.

Results from the study found that passwords that incorporated grammatical structure, no matter how long, were easier to crack than comparatively shorter passwords with no apparent structure. To conduct their tests, the researchers developed what they describe as a grammar-aware password-cracking algorithm which uses separate dictionaries for each element of a sentence (i.e. one dictionary for verbs, one for nouns, etc.) to identify any structure within the password. With this cracking tool, they found that passwords with grammatical structure significantly reduced the time needed to crack a password due to the narrowing of possible word combinations and sequences.

A password such as “Th3r3 can b3 only #1!” was cracked in 22 minutes even though it used special symbols and letter substitutions. Compare to the password “Hammered asinine requirements” which took over three and a half hours for the researchers’ algorithm to crack, simply because it lacked a grammatical structure.

It’s studies like these that make us reconsider whether our supposed “strong” passwords are truly as strong as we think they are.

Original article by Jaikumar Vijayan.
Read the full story here.