
Interleaving words as a password


I was just thinking about passwords. Is interleaving the letters of several words a good method of creating a strong password? I.e.:

word1 = "quick"
word2 = "brown"
word3 = "vixen"

so

password = "qbvuriioxcweknn"

It seems like it would be strong against a dictionary attack and brute forcing. Is there a method that this is weak against?


Solution

  • Definitely a question for Information Security Stack Exchange (as Thriggle pointed out in comments), but regardless, I'll pitch in some thoughts.

    If you interleave the letters of words, you face a few pros and a few cons:

    Pros

    • Not susceptible to standard dictionary attacks
    • Easier to remember
    • Ability to create longer passwords just by remembering a few words with many letters

    Cons

    • If anyone knows this is your password scheme, then you become vulnerable because a dictionary attack can again be applied with custom edits to target passwords of that nature.
    • While you are less susceptible to standard dictionary attacks and you can make longer passwords, these passwords could be crackable based on the probable occurrences of letters. (One of the more interesting weaknesses I see in this proposal.)
    • What about numbers and punctuation? (Highly important for preventing plain dictionary attacks, and obviously English words don't have numbers and special symbols in the words themselves.)
    • If you were setting this as your personal password technique, you would have to decide on some standards to dictate what you are going to do about words of different lengths. (Just three 5-letter words for every password? There's a finite number of 5-letter words.)
    • No capital letters. (Which is a correctable issue, but again, you would have to decide on some more standards.)

    As I find the probability of letters in the password to be the most interesting negative effect of this system, I'll dive into that one a little further.

    If I know your password uses three 5-letter words interleaved with one another, then I would start out with a dictionary of all five-letter words in the English language and begin with words that start with one of the following: t o a w b c d s f m r h i y e g l n p u j k (most frequent first letters in English words). From that sublist, I would choose words that end with: e t d s (most frequent last letters in English words), and then just combine and interleave. After all, for each series of 3 words, there are only 6 possible arrangements.

    In the worst case scenario, I find out you used zymes, zamia, zooid. However, even if you did use the last possible word combination, I will still find your password in a relatively low timeframe compared to using even 15 random base64 characters, because there are only 323,727,260,476 (323.7 billion) combinations of 5-letter English words (using a rather complete 12,478 word list of 5-letter English words). On the other hand, had you just used 15 random Base64 characters, there would have been 1.2 octillion possible combinations (1.2x10^28).

    Now, all of that said, that's assuming an attack where I know that you're using three 5-letter English words. If I don't know anything and I still try a dictionary followed by the combinations of 15 base64 characters, then the password is perfectly fine because I will never be able to brute-force it. However, the key weakness here is that if I know anything about your password pattern, then a significant amount of security is immediately lost because the pattern is not overly complex. So this password scheme is a case of security through obscurity. (Which is generally discouraged.)
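
The keyspace comparison from the answer above, together with a check a password-strength meter could use to recognize this scheme, as an added example that is not part of the original question or answer. The six-word list is constructed for the demo and all function names are hypothetical; the 12,478 word count is the one quoted in the answer.

```python
import math
from itertools import zip_longest

# Constructed sample list; the answer's 12,478-word list is not reproduced here.
SAMPLE_WORDS = {"quick", "brown", "vixen", "zymes", "zamia", "zooid"}

def interleave(words):
    """Round-robin the letters of each word; shorter words simply run out."""
    return "".join(c for group in zip_longest(*words, fillvalue="") for c in group)

def deinterleave(password, k):
    """Split into k strands; exact inverse only when all words share one length."""
    return [password[i::k] for i in range(k)]

def is_interleaved_words(password, wordlist, max_words=4):
    """True if the password is 2..max_words dictionary words interleaved."""
    return any(
        all(strand in wordlist for strand in deinterleave(password, k))
        for k in range(2, max_words + 1)
    )

def scheme_candidates(wordlist_size, k=3):
    """Candidates once the scheme is known: C(n, k) word sets times k! orderings."""
    return math.comb(wordlist_size, k) * math.factorial(k)

def random_candidates(alphabet_size, length):
    """Candidates for a uniformly random string of the given length."""
    return alphabet_size ** length

if __name__ == "__main__":
    pw = interleave(["quick", "brown", "vixen"])
    print(pw, is_interleaved_words(pw, SAMPLE_WORDS))
    known = scheme_candidates(12478)       # word count taken from the answer
    rand = random_candidates(64, 15)       # 15 random Base64 characters
    print(f"scheme known : {known:,} (~{math.log2(known):.1f} bits)")
    print(f"random base64: {rand:.3e} (~{math.log2(rand):.1f} bits)")
```

A strength meter that scores by character count alone would rate the 15-letter result highly; scoring it by `scheme_candidates` instead reflects what remains once the pattern is known.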