Neither the number of words nor the number of characters made much of a difference to password strength when grammar was involved. The researchers calculated that cracking a password like "Th3r3 can only b3 #1!" would take just 22 minutes while breaking a password using the words "Hammered asinine requirements" would take more than three and a half hours.
Generally, incorporating special symbols, making letter substitutions and mixing uppercase and lowercase letters do not help as much as some experts say, Rao told Computerworld in an email.
"In our calculations we account for a constant amount of mangling or substitutions on [the] part of the user," she said.
Previous research has already documented well-known substitution patterns, she said. Common examples include capitalizing the first letter, substituting certain letters with numbers and adding a punctuation mark at the end.
"Password strength depends on the underlying part of speech," Rao noted. "A dictionary for nouns is bigger than a dictionary for adjectives which is bigger than [a dictionary for] verbs."
So a password with the underlying structure, pronoun-noun-verb-adjective-adverb, like "mypassw0rdis$uper str0ng" is much stronger than a password that has an existential-modal-verb-determiner-pronoun structure such as "Th3r3canonlyb3 #1!" she said.
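The part-of-speech argument above, as an added example that is not from the article or the researchers: a length-based strength estimate set beside a grammar-aware one for the two quoted passwords. The dictionary sizes and the mangling factor are assumed values, chosen only to respect the noun > adjective > verb ordering Rao describes.

```python
import math

# Assumed dictionary sizes per part-of-speech tag (constructed for illustration;
# only the ordering noun > adjective > verb comes from the article).
POS_DICT_SIZE = {
    "noun": 80_000, "adjective": 20_000, "verb": 10_000, "adverb": 4_000,
    "pronoun": 60, "determiner": 40, "modal": 10, "existential": 1,
}
MANGLING_FACTOR = 1_000  # assumed constant allowance for substitutions, capitals, punctuation
PRINTABLE_ASCII = 95     # alphabet size for the naive per-character estimate


def naive_bits(password: str) -> float:
    """Length-based estimate: every character treated as an independent random choice."""
    return len(password) * math.log2(PRINTABLE_ASCII)


def grammar_bits(structure: str) -> float:
    """Grammar-aware estimate: one dictionary pick per tag, times a constant mangling factor."""
    tags = structure.split("-")
    unknown = [t for t in tags if t not in POS_DICT_SIZE]
    if unknown:
        raise ValueError(f"no dictionary size for tag(s): {unknown}")
    guesses = MANGLING_FACTOR * math.prod(POS_DICT_SIZE[t] for t in tags)
    return math.log2(guesses)


def compare(samples):
    """Return (password, naive bits, grammar bits) rows, weakest grammar estimate first."""
    rows = [(pw, round(naive_bits(pw), 1), round(grammar_bits(st), 1)) for pw, st in samples]
    return sorted(rows, key=lambda r: r[2])


# Passwords and tag structures as quoted in the article.
SAMPLES = [
    ("mypassw0rdis$uper str0ng", "pronoun-noun-verb-adjective-adverb"),
    ("Th3r3canonlyb3 #1!", "existential-modal-verb-determiner-pronoun"),
]

if __name__ == "__main__":
    for pw, naive, grammar in compare(SAMPLES):
        print(f"{pw!r:30} naive={naive:6.1f} bits  grammar-aware={grammar:5.1f} bits")
```

Under these assumptions the length-based figure overstates both passwords, and the gap is widest for the phrase built from closed word classes (existential, modal, determiner, pronoun), which is why mangling alone does not rescue it.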