Polyglot Passwords

This article was published in UNREDACTED Magazine, Issue #006, on pages 52-53, by IntelTechniques.com.

Anyone instructed to provide a new password for securing — and later accessing — some sort of account faces the dilemma of coming up with a permutation of characters that satisfies the conflicting criteria of being both memorable and yet long and cryptic enough to foil any hackers trying to guess it or automatically generate potential matches. At least, this would be the case if not for the assistance of password managers: standalone programs, web browser features, or add-ons that can generate and store a suggested strong password for each account. But even then you need to provide at least one password, namely a master password to unlock the virtual vault represented by your chosen password manager. Moreover, that master password will be of critical importance, since it must protect all of your other passwords.

There are countless strategies — and combinations thereof — for coming up with a worthy password. For instance, you could write down and memorize a seemingly random combination of letters and punctuation marks. But it would have to contain enough characters to be secure, and yet the greater the number of characters, the greater the likelihood that you would not be able to recall it in the future, especially under stress (e.g., moments before boarding an international flight, when the gate agent insists that you provide the ticket number of your onward travel flight as evidence that you do not plan to overstay your visa). Alternatively, you could form a string of gibberish by concatenating the second letter of each of the first two dozen words of the lyrics of your favorite song. If you are compelled to type in that password at least once a day, to access your password manager, then you will likely never forget your technique for re-creating it each time. But if for some reason you only need to remember that password infrequently, will you always remember the number of words you chose to use before your unsuccessful attempts lock you out of your account? And how did you decide to handle single-character words? Come to think of it, did you decide after all to tack on your birth year or a punctuation character?

A more straightforward password could be had by simply using the words themselves, rather than a pattern of characters, and with no embellishments. The result would be much easier for you to remember, but sadly also much easier for attackers to guess correctly, because typically, after they first try all of the most commonly used passwords (from numerous lists published online), they will then programmatically try combinations of words from a dictionary — hence the term "dictionary attack".

The computational power now available for such attacks allows for millions if not billions of guesses to be tried per second, depending upon the hardware, at least for off-line efforts in which the attackers can run password-cracking programs against a locally stored file (such as a leaked database) containing the hashed passwords of multiple accounts, possibly including yours. Computer users can attempt to make passwords longer and stronger by employing more words from a dictionary, but attackers can improve their results by employing more robust hardware — in something of a digital arms race.

Naturally, attackers use a dictionary of whichever human language is associated with most if not all of the account owners. In those rare cases where most of the people targeted are bilingual, one would expect the attackers to use all of the dictionary words of both languages — or at least the most commonly used words, to greatly diminish the number of possible permutations without significantly diminishing the odds of success for the bulk of the hashed passwords.

There is, however, a potential counter-strategy I have not seen presented anywhere else: rather than limiting the candidate words to a single human language, choose words from many foreign languages — the more, the better. Accented characters could be replaced with their closest non-accented equivalents. For instance, you could concatenate some foreign translations of the word "hello": "bonjour" (French), "hallo" (German), "namaste" (Hindi), "ciao" (Italian), "nihao" (Mandarin Chinese), "privet" (Russian), and "hola" (Spanish). This would result in the password "hellobonjourhallonamasteciaonihaoprivethola", for a total of 43 characters. One could also add words from less common languages, for instance: "salam" (Azerbaijani), "saluton" (Esperanto), "konnichiwa" (Japanese), "salve" (Latin), and "habari" (Swahili) — resulting in an even more secure password. In addition to natural human languages, you could also use synthetic ones, such as Klingon and Dothraki. Of course, for devising your own password, you should choose a base word other than "hello", the one used here.

Reputable sources (e.g., Ethnologue) claim that there are many thousands of languages in existence and more than 150 that are each spoken by more than a million people. Would a significant portion of all password attackers ever expand their search space to incorporate the dictionary words from multiple languages? It is quite unlikely, because each language added would exponentially increase the possible permutations that they would need to test. Furthermore, if their existing methods using only English continue to be largely successful, then it is inconceivable that attackers would massively increase their investment of time and computer resources simply to crack a few remaining stubborn passwords, such as a polyglot one.
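As an added illustration of the construction described above and of the search-space argument in the preceding paragraph (example code written for this page, not from the article or IntelTechniques), the script below folds accents with Unicode NFKD, rebuilds the article's 43-character "hello" example, and compares the candidate count an attacker would face for an eight-word passphrase over a one-language wordlist versus a wordlist covering all eight languages. The wordlist size per language, the guess rate, and the language codes are assumed values.

```python
import unicodedata


def fold_accents(word: str) -> str:
    """Replace accented letters with their closest unaccented form, as the
    article suggests ('señor' -> 'senor'). NFKD splits a letter from its
    combining marks, which are then dropped. Letters with no decomposition
    (e.g. 'ß') pass through unchanged, so callers should check isascii()."""
    decomposed = unicodedata.normalize("NFKD", word)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def polyglot_password(base_word: str, translations: dict[str, str]) -> str:
    """Concatenate the base word and its translations, accent-folded and
    lowercased, in the order given (the article's construction)."""
    parts = [base_word, *translations.values()]
    return "".join(fold_accents(p).lower() for p in parts)


def keyspace(dictionary_size: int, word_count: int) -> int:
    """Candidates an attacker must enumerate for word_count words drawn
    (ordered, repeats allowed) from a dictionary of dictionary_size: N ** k."""
    return dictionary_size ** word_count


def years_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return candidates / guesses_per_second / (365 * 24 * 3600)


# Constructed sample data: the article's "hello" translations, plus assumed
# sizes (20,000 common words per language; 1e9 guesses/s for an offline
# attack against leaked hashes).
HELLO = {"fr": "bonjour", "de": "hallo", "hi": "namaste", "it": "ciao",
         "zh": "nihao", "ru": "privet", "es": "hola"}
WORDS_PER_LANGUAGE = 20_000
GUESSES_PER_SECOND = 1e9

if __name__ == "__main__":
    pw = polyglot_password("hello", HELLO)
    k = 1 + len(HELLO)  # eight words in the passphrase
    print(f"{pw} ({len(pw)} chars, {k} words)")
    # English-only wordlist vs. a wordlist covering all eight languages.
    mono = keyspace(WORDS_PER_LANGUAGE, k)
    poly = keyspace(WORDS_PER_LANGUAGE * k, k)
    print(f"one-language dictionary: {mono:.2e} candidates, "
          f"{years_to_exhaust(mono, GUESSES_PER_SECOND):.2e} years")
    print(f"eight-language dictionary: {poly:.2e} candidates, "
          f"{years_to_exhaust(poly, GUESSES_PER_SECOND):.2e} years")
    print(f"growth factor from adding languages: {poly // mono:,} (= 8**8)")
```

The growth factor from widening the wordlist by a factor of L for a k-word passphrase is L**k, which is the cost increase the paragraph above describes from the attacker's side.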

In essence, unlike the conventional approach of using multiple words in one language, this strategy uses one word in multiple languages. Perhaps this is one more advantage of thinking beyond English.

Copyright © 2023 Michael J. Ross. All rights reserved.