Examining the Strength of Three Word Passwords

William Fraser; Matthew Broadbent; Nikolaos Pitropakis; Christos Chrysoulas

doi:10.1007/978-3-031-65175-5_9

Examining the Strength of Three Word Passwords

William Fraser
, Matthew Broadbent
, Nikolaos Pitropakis
, Christos Chrysoulas

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

1 Citation (Scopus)

Abstract

Passwords make up the most common method of authentication. With ever increasing computing power, password complexity has had to keep pace. This creates a challenge for remembering all complex passwords which some password policies attempt to resolve. One such policy is to use three random words rather than a complex alphanumeric password. This paper attempted to prove the security of using such three-word passwords. It was discovered both theoretically and experimentally that three-word passwords should not be considered secure. Theoretical entropy of a three-word password found in the 25,000 most common words would be 43.8, that is lower than the entropy of a lowercase only password. Experimental data, collected via participant survey, shows up to 85% of random words provided by participants could be found in the top 15,000 common words found in the Google n-Gram data and 86.47% of combinations could be found in 25,000 most common words. This would mean, for at least 86.47% of cases, the entropy of the password is less than passwords already considered insecure in the industry.

Original language	English
Title of host publication	ICT Systems Security and Privacy Protection - 39th IFIP International Conference, SEC 2024, Proceedings
Editors	Nikolaos Pitropakis, Sokratis Katsikas, Steven Furnell, Konstantinos Markantonakis
Publisher	Springer Nature
Pages	119-133
Number of pages	15
ISBN (Print)	9783031651748
DOIs	https://doi.org/10.1007/978-3-031-65175-5_9
Publication status	First published - 26 Jul 2024
Externally published	Yes

Publication series

Name	IFIP Advances in Information and Communication Technology
Volume	710
ISSN (Print)	1868-4238
ISSN (Electronic)	1868-422X

Bibliographical note

Publisher Copyright:
© IFIP International Federation for Information Processing 2024.

Keywords

Authentication
Entropy
Google n-Gram
Password

Access to Document

10.1007/978-3-031-65175-5_9

Cite this

Fraser, W., Broadbent, M., Pitropakis, N., & Chrysoulas, C. (2024). Examining the Strength of Three Word Passwords. In N. Pitropakis, S. Katsikas, S. Furnell, & K. Markantonakis (Eds.), ICT Systems Security and Privacy Protection - 39th IFIP International Conference, SEC 2024, Proceedings (pp. 119-133). (IFIP Advances in Information and Communication Technology; Vol. 710). Springer Nature. Advance online publication. https://doi.org/10.1007/978-3-031-65175-5_9

Fraser, William ; Broadbent, Matthew ; Pitropakis, Nikolaos et al. / Examining the Strength of Three Word Passwords. ICT Systems Security and Privacy Protection - 39th IFIP International Conference, SEC 2024, Proceedings. editor / Nikolaos Pitropakis ; Sokratis Katsikas ; Steven Furnell ; Konstantinos Markantonakis. Springer Nature, 2024. pp. 119-133 (IFIP Advances in Information and Communication Technology).

@inproceedings{f4dae7dffdbf4ede9a99a42b7894248f,

title = "Examining the Strength of Three Word Passwords",

abstract = "Passwords make up the most common method of authentication. With ever increasing computing power, password complexity has had to keep pace. This creates a challenge for remembering all complex passwords which some password policies attempt to resolve. One such policy is to use three random words rather than a complex alphanumeric password. This paper attempted to prove the security of using such three-word passwords. It was discovered both theoretically and experimentally that three-word passwords should not be considered secure. Theoretical entropy of a three-word password found in the 25,000 most common words would be 43.8, that is lower than the entropy of a lowercase only password. Experimental data, collected via participant survey, shows up to 85\% of random words provided by participants could be found in the top 15,000 common words found in the Google n-Gram data and 86.47\% of combinations could be found in 25,000 most common words. This would mean, for at least 86.47\% of cases, the entropy of the password is less than passwords already considered insecure in the industry.",

keywords = "Authentication, Entropy, Google n-Gram, Password",

author = "William Fraser and Matthew Broadbent and Nikolaos Pitropakis and Christos Chrysoulas",

note = "Publisher Copyright: {\textcopyright} IFIP International Federation for Information Processing 2024.",

year = "2024",

month = jul,

day = "26",

doi = "10.1007/978-3-031-65175-5\_9",

language = "English",

isbn = "9783031651748",

series = "IFIP Advances in Information and Communication Technology",

publisher = "Springer Nature",

pages = "119--133",

editor = "Nikolaos Pitropakis and Sokratis Katsikas and Steven Furnell and Konstantinos Markantonakis",

booktitle = "ICT Systems Security and Privacy Protection - 39th IFIP International Conference, SEC 2024, Proceedings",

}

Fraser, W, Broadbent, M, Pitropakis, N & Chrysoulas, C 2024, Examining the Strength of Three Word Passwords. in N Pitropakis, S Katsikas, S Furnell & K Markantonakis (eds), ICT Systems Security and Privacy Protection - 39th IFIP International Conference, SEC 2024, Proceedings. IFIP Advances in Information and Communication Technology, vol. 710, Springer Nature, pp. 119-133. https://doi.org/10.1007/978-3-031-65175-5_9

Examining the Strength of Three Word Passwords. / Fraser, William; Broadbent, Matthew; Pitropakis, Nikolaos et al.
ICT Systems Security and Privacy Protection - 39th IFIP International Conference, SEC 2024, Proceedings. ed. / Nikolaos Pitropakis; Sokratis Katsikas; Steven Furnell; Konstantinos Markantonakis. Springer Nature, 2024. p. 119-133 (IFIP Advances in Information and Communication Technology; Vol. 710).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Examining the Strength of Three Word Passwords

AU - Fraser, William

AU - Broadbent, Matthew

AU - Pitropakis, Nikolaos

AU - Chrysoulas, Christos

N1 - Publisher Copyright: © IFIP International Federation for Information Processing 2024.

PY - 2024/7/26

Y1 - 2024/7/26

N2 - Passwords make up the most common method of authentication. With ever increasing computing power, password complexity has had to keep pace. This creates a challenge for remembering all complex passwords which some password policies attempt to resolve. One such policy is to use three random words rather than a complex alphanumeric password. This paper attempted to prove the security of using such three-word passwords. It was discovered both theoretically and experimentally that three-word passwords should not be considered secure. Theoretical entropy of a three-word password found in the 25,000 most common words would be 43.8, that is lower than the entropy of a lowercase only password. Experimental data, collected via participant survey, shows up to 85% of random words provided by participants could be found in the top 15,000 common words found in the Google n-Gram data and 86.47% of combinations could be found in 25,000 most common words. This would mean, for at least 86.47% of cases, the entropy of the password is less than passwords already considered insecure in the industry.

AB - Passwords make up the most common method of authentication. With ever increasing computing power, password complexity has had to keep pace. This creates a challenge for remembering all complex passwords which some password policies attempt to resolve. One such policy is to use three random words rather than a complex alphanumeric password. This paper attempted to prove the security of using such three-word passwords. It was discovered both theoretically and experimentally that three-word passwords should not be considered secure. Theoretical entropy of a three-word password found in the 25,000 most common words would be 43.8, that is lower than the entropy of a lowercase only password. Experimental data, collected via participant survey, shows up to 85% of random words provided by participants could be found in the top 15,000 common words found in the Google n-Gram data and 86.47% of combinations could be found in 25,000 most common words. This would mean, for at least 86.47% of cases, the entropy of the password is less than passwords already considered insecure in the industry.

KW - Authentication

KW - Entropy

KW - Google n-Gram

KW - Password

UR - https://doi.org/10.1007/978-3-031-65175-5_9

UR - https://www.scopus.com/pages/publications/85200718853

U2 - 10.1007/978-3-031-65175-5_9

DO - 10.1007/978-3-031-65175-5_9

M3 - Conference contribution

SN - 9783031651748

T3 - IFIP Advances in Information and Communication Technology

SP - 119

EP - 133

BT - ICT Systems Security and Privacy Protection - 39th IFIP International Conference, SEC 2024, Proceedings

A2 - Pitropakis, Nikolaos

A2 - Katsikas, Sokratis

A2 - Furnell, Steven

A2 - Markantonakis, Konstantinos

PB - Springer Nature

ER -

Fraser W, Broadbent M, Pitropakis N, Chrysoulas C. Examining the Strength of Three Word Passwords. In Pitropakis N, Katsikas S, Furnell S, Markantonakis K, editors, ICT Systems Security and Privacy Protection - 39th IFIP International Conference, SEC 2024, Proceedings. Springer Nature. 2024. p. 119-133. (IFIP Advances in Information and Communication Technology). Epub 2024 Jul 26. doi: 10.1007/978-3-031-65175-5_9

Examining the Strength of Three Word Passwords

Abstract

Publication series

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this