Think that a passphrase of multiple, random dictionary words is as unguessable as long strings of gibberish, but easier to remember?

Research from the Computer Laboratory at the University of Cambridge suggests that this might not be so.

While passphrases built from dictionary words may not be as vulnerable as single-word passwords, they can still be cracked by dictionary attacks, the research found, because people tend to choose familiar phrases rather than truly random word combinations.

Security researcher Joseph Bonneau reports, in a recent paper written with Ekaterina Shutova, that his team studied the problem by turning not to the theoretical space of choices but rather the real-life passphrases that people actually string together.
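To make the distinction between the theoretical choice space and real-life choices concrete, here is an added example (not code from the research or the article) in Python. It builds a toy attacker that ranks two-word guesses by how often word pairs and words appear in a constructed set of "crawled" passphrases, then measures how many guesses each target takes compared with the expected cost of searching all pairs uniformly. The dictionary, the training passphrases and the targets are all constructed for illustration and are far smaller than anything the study used; the bigram-with-unigram-backoff ranking is an assumed, simplified stand-in for the language modelling a real attacker or researcher would use.

```python
import math
from collections import Counter
from itertools import product

# Constructed word list standing in for a dictionary (the study used far larger lists).
DICTIONARY = ["red", "blue", "green", "dog", "cat", "house", "car", "tree",
              "happy", "sad", "big", "small", "run", "jump", "fast", "slow",
              "sun", "moon", "star", "sky", "water", "fire", "earth", "wind",
              "love", "hate", "hot", "cold", "day", "night", "book", "pen"]

# Constructed "crawled" passphrases, analogous to data gathered from a live system:
# people mostly pick familiar two-word phrases, not uniform random pairs.
TRAINING = [
    "red car", "red car", "hot dog", "hot dog", "hot dog", "big house",
    "blue sky", "blue sky", "fast car", "big dog", "sun day", "moon night",
    "happy day", "cold water", "red car", "blue sky", "green tree", "hot dog",
]

# Constructed targets to attack; "pen wind" stands in for a genuinely random pair.
TARGETS = ["hot dog", "blue sky", "big house", "green tree", "pen wind"]


def bigram_model(training):
    """Counts of observed word pairs and of single words (used as backoff)."""
    pairs = Counter(tuple(p.split()) for p in training)
    words = Counter(w for p in training for w in p.split())
    return pairs, words


def ranked_guesses(training, dictionary):
    """Every two-word candidate, ordered by estimated probability: observed pairs
    first (most frequent first), then unseen pairs by add-one smoothed word
    frequencies. This is the assumed, simplified attacker model."""
    pairs, words = bigram_model(training)
    total_words = sum(words.values())
    vocab = len(dictionary)

    def score(pair):
        p_pair = pairs[pair] / len(training)
        p_uni = ((words[pair[0]] + 1) / (total_words + vocab)) * \
                ((words[pair[1]] + 1) / (total_words + vocab))
        return (p_pair, p_uni)

    return sorted(product(dictionary, repeat=2), key=score, reverse=True)


def guesses_needed(target, ordered):
    """1-based position of target in the guess list, or None if never guessed."""
    t = tuple(target.split())
    return ordered.index(t) + 1 if t in ordered else None


def uniform_expected_guesses(dict_size, n_words=2):
    """Expected guesses if every n-word passphrase were equally likely: half the space."""
    return (dict_size ** n_words) / 2


def crack_report(targets=TARGETS, training=TRAINING, dictionary=DICTIONARY):
    """Map each target to the number of guesses the ranked attack needs."""
    ordered = ranked_guesses(training, dictionary)
    return {t: guesses_needed(t, ordered) for t in targets}


if __name__ == "__main__":
    baseline = uniform_expected_guesses(len(DICTIONARY))
    print(f"uniform 2-word baseline: {baseline:.0f} guesses "
          f"({math.log2(baseline):.1f} bits)")
    for target, n in crack_report().items():
        print(f"{target!r:14} cracked after {n:4d} guesses ({math.log2(n):.1f} bits)")
```

Common phrases fall within the first dozen guesses, well under the uniform baseline of half the 32x32 pair space, while the random pair only surfaces after most of the space has been searched. The gap is exactly the point of the research: the nominal search space says nothing about security if users cluster on a small set of natural phrases that a phrase-frequency dictionary captures.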

To find such a selection of passphrases, his team used data crawled from the now-defunct Amazon PayPhrase system, introduced last year for US users only.

The goal wasn’t to evaluate the security of the scheme as deployed by Amazon, Bonneau says, but rather to learn more about how people choose passphrases in general.

Amazon’s was “a relatively limited data source”, he writes, but the research results do “suggest some caution on this approach”.

In the original version of the Amazon site, passphrases had to be at least two words long. Error messages indicated when a passphrase was already in use.