Abstract
Passwords are the most common method of authentication. With ever-increasing computing power, password complexity has had to keep pace, which creates the challenge of remembering many complex passwords; some password policies attempt to resolve this. One such policy is to use three random words rather than a complex alphanumeric password. This paper attempted to prove the security of such three-word passwords. It was found, both theoretically and experimentally, that three-word passwords should not be considered secure. The theoretical entropy of a three-word password whose words all appear in the 25,000 most common words would be 43.8 bits, which is lower than the entropy of a lowercase-only password. Experimental data, collected via a participant survey, shows that up to 85% of the random words provided by participants could be found in the top 15,000 common words of the Google n-gram data, and 86.47% of the combinations could be found in the 25,000 most common words. This means that, in at least 86.47% of cases, the entropy of the password is lower than that of passwords the industry already considers insecure.
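As an added illustration (not code from the paper), the entropy arithmetic behind the abstract's 43.8-bit figure, together with the shortest lowercase-only password that reaches the same entropy. The abstract does not say which lowercase length the authors compared against, so the break-even length computed here is an assumption; the 25,000 and 15,000 list sizes are the abstract's own.

```python
import math

# Figures taken from the abstract; everything else is derived from them.
WORD_LIST_SIZE = 25_000     # "25,000 most common words"
SURVEY_LIST_SIZE = 15_000   # top 15,000 words that covered up to 85% of survey words
WORDS_PER_PASSWORD = 3
LOWERCASE_ALPHABET = 26


def wordlist_entropy_bits(words: int, list_size: int) -> float:
    """Entropy of a passphrase made of `words` entries chosen uniformly from a
    list of `list_size` candidates: words * log2(list_size)."""
    return words * math.log2(list_size)


def charset_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a `length`-character password drawn uniformly over an
    alphabet of `alphabet_size` symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def equivalent_length(target_bits: float, alphabet_size: int) -> int:
    """Smallest character-password length whose entropy is at least `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def three_word_summary() -> dict:
    """Work the abstract's comparison through: entropy of a three-word password
    from the 25,000-word list, the same for the 15,000-word survey list, the raw
    search space, and the lowercase length needed to match (an assumed comparison)."""
    h_25k = wordlist_entropy_bits(WORDS_PER_PASSWORD, WORD_LIST_SIZE)
    h_15k = wordlist_entropy_bits(WORDS_PER_PASSWORD, SURVEY_LIST_SIZE)
    match_len = equivalent_length(h_25k, LOWERCASE_ALPHABET)
    return {
        "three_word_bits_25k": round(h_25k, 1),            # 43.8, as in the abstract
        "three_word_bits_15k": round(h_15k, 1),            # 41.6
        "search_space_25k": WORD_LIST_SIZE ** WORDS_PER_PASSWORD,
        "lowercase_len_to_match": match_len,               # 10 characters
        "lowercase_bits_one_shorter": round(charset_entropy_bits(match_len - 1, LOWERCASE_ALPHABET), 1),
        "lowercase_bits_matching": round(charset_entropy_bits(match_len, LOWERCASE_ALPHABET), 1),
    }


if __name__ == "__main__":
    for key, value in three_word_summary().items():
        print(f"{key}: {value}")
```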
Acknowledgments
The research leading to these results has been partially supported by the Horizon Europe Project Trust & Privacy Preserving Computing Platform for Cross-Border Federation of Data (TRUSTEE), (GA 101070214). The content of this article does not reflect the official opinion of the European Union. Responsibility for the information and views expressed therein lies entirely with the authors.
Copyright information
© 2024 IFIP International Federation for Information Processing
Cite this paper
Fraser, W., Broadbent, M., Pitropakis, N., Chrysoulas, C. (2024). Examining the Strength of Three Word Passwords. In: Pitropakis, N., Katsikas, S., Furnell, S., Markantonakis, K. (eds) ICT Systems Security and Privacy Protection. SEC 2024. IFIP Advances in Information and Communication Technology, vol 710. Springer, Cham. https://doi.org/10.1007/978-3-031-65175-5_9
DOI: https://doi.org/10.1007/978-3-031-65175-5_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-65174-8
Online ISBN: 978-3-031-65175-5
eBook Packages: Computer Science, Computer Science (R0)