Why bad spelling could be the key to choosing a good password

While spelling and grammar are the cornerstones of a good education, it seems there could be some advantages to struggling to get your letters and apostrophes in the right place.

We all know that choosing something easy to guess, like a birthday, a pet's name, or your place of birth, might make a password easier to remember, but these are big no-nos when opting for a secure password.

But while lots of us choose an obscure word, including numbers or punctuation in a bid to make our password harder to crack, researchers have now come up with a new tip – spell it incorrectly.

Researchers from Carnegie Mellon University in Pittsburgh have studied the current generation of password-cracking systems. And they found that, while many websites ask for passwords over a certain number of characters, choosing longer passwords does not make them any harder to guess.

In a paper due to be presented to the Conference on Data and Application Security and Privacy in San Antonio, Texas, the researchers, led by Ashwini Rao, say that use of long sentence-like or phrase-like passwords, such as “abiggerbetterpassword” and “thecommunistfairy” is increasing.

The team found the key to choosing a better password was not to make it longer but to use bad grammar, because hackers tend to search for passwords using correct grammar and spellings in what are described as “brute force” attacks that simply run through combinations of words in a dictionary. By using incorrect spelling and grammar, you can fool many of these attacks.

“Using an analytical model based on Parts-of-Speech tagging we show that the decrease in search space due to the presence of grammatical structures can be as high as 50 per cent,” said the researchers. They found that, in general, asking users for longer passwords didn’t work.

“A significant result of our work is that the strength of long passwords does not increase uniformly with length,” they said.
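The grammar argument above can be sketched as a small strength estimate. This is an added example, not the researchers' model or code: the toy lexicon, the tags, and all function names are constructed for illustration, and the bit counts apply only to this toy lexicon.

```python
import math
from collections import Counter

# Constructed toy lexicon (word -> part-of-speech tag), an assumption for this example.
LEXICON = {
    "a": "DET", "the": "DET",
    "i": "PRON", "he": "PRON", "she": "PRON", "we": "PRON",
    "big": "ADJ", "bigger": "ADJ", "better": "ADJ", "communist": "ADJ",
    "red": "ADJ", "quiet": "ADJ",
    "fairy": "NOUN", "password": "NOUN", "word": "NOUN", "pass": "NOUN",
    "bet": "NOUN", "house": "NOUN", "river": "NOUN", "engine": "NOUN",
    "run": "VERB", "eat": "VERB", "see": "VERB", "build": "VERB",
}
CLASS_SIZE = Counter(LEXICON.values())  # number of words per tag

def segment(phrase):
    """Split a space-free passphrase into the fewest lexicon words, or None."""
    best = {0: []}  # best[i] = shortest word list covering phrase[:i]
    for end in range(1, len(phrase) + 1):
        for start in range(end):
            word = phrase[start:end]
            if start in best and word in LEXICON:
                cand = best[start] + [word]
                if end not in best or len(cand) < len(best[end]):
                    best[end] = cand
    return best.get(len(phrase))

def structure_bits(words):
    """log2 of the candidates when each slot is limited to its tag's word class."""
    return sum(math.log2(CLASS_SIZE[LEXICON[w]]) for w in words)

def unstructured_bits(words):
    """log2 of the candidates when each slot may hold any lexicon word."""
    return len(words) * math.log2(len(LEXICON))

def report(phrase):
    """Return (words, tags, structured bits, unstructured bits), or None."""
    words = segment(phrase)
    if words is None:  # e.g. a misspelling: not built from lexicon words
        return None
    tags = [LEXICON[w] for w in words]
    return words, tags, structure_bits(words), unstructured_bits(words)

if __name__ == "__main__":
    for p in ("thecommunistfairy", "abiggerbetterpassword", "thecomunistfairy"):
        print(p, report(p))
```

The two phrase-like passwords from the article segment into grammatical tag sequences whose search space is far smaller than the same number of unconstrained words, while the misspelled variant does not decompose into lexicon words at all.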

The team also said that using familiar structures like postal addresses, email addresses and URLs could make for passwords that are less secure, even if they are long.

With pretty much everything online now requiring a password, from accessing your bank account to reading your emails, checking what your friends are up to on social networking sites and entering websites’ competitions, it’s a struggle to remember all of them.

As a result, most people opt for something simple and memorable and lots use the same password for everything. The trouble is, a huge number of people opt for the same password, inadvertently making it easier for hackers.

A Slovakian company called ESET carried out research looking at the most commonly hacked passwords – finding the worst to use are 123456, followed by ‘password’ and ‘welcome’.

The latest research comes after advice from research firm SplashData, which suggested making passwords more secure by using more than eight characters with mixed types of characters and not using the same username and password combination for multiple websites.