It's a meme that's been doing the rounds on the internet in recent years: multi-word pass-phrases are as secure as long strings of gibberish but with the added benefit of being easy to remember. But research from Cambridge University suggests that this may not be the case. Pass-phrases comprised of dictionary words may not be as vulnerable as individual passwords, but they may still succumb to dictionary attacks, the research finds.

The method? The researchers took over 100,000 phrases and tested them on Amazon's PayPhrase registration page. Because the page prohibits the use of any pass-phrase that has been used by another user, it's possible to identify which pass-phrases are in use. PayPhrases are used to authorize shipping to specific addresses, and as such multiple PayPhrases can be associated with an Amazon account. Though a four-digit PIN is required, no username is needed in the process, hence the need for the pass-phrases to be unique.

The researchers found that film and book titles were effective in identifying pass-phrases in use - information readily available in list-form online suitable for dictionary-style attacks. The researchers used Wikipedia and IMDB lists, as well as slang phrases from Urban Dictionary. Researchers found users tended to favor simple two-word phrases common in natural language, though there is evidence that some users seek out seemingly-random pairings. The researchers also claim that there are "rapidly diminishing returns" for longer pass-phrases containing three or four words.

The report concludes that multi-word pass-phrases do provide a security-boost compared to the "weakest selections" from under 10, to over 20 bits of security. The weakness lies in users' general inability to choose truly random words, influenced as we are by natural language patterns. Even four-word pass-phrases "probably" provided less than 30 bits of security, which the researchers deem insufficient against offline attack.

The researchers' work is preliminary, and they do offer a few caveats. Because of the extra security afforded by the PIN in the Amazon system, users may be choosing laxer pass-phrases than they otherwise might out in the wilds of the web. On the other hand, the researchers' dictionary was assembled from phrase-categories that they themselves thought of - a process described as subjective in the report, and which make have overlooked other groups of phrases upon which users may base passwords. Should further such categories exist, pass-phrases would have fared less well in the research than they did.

Source: Cambridge University (PDF), via Schneier on Security