Polyglot Passwords

Anyone instructed to provide a new password for securing and later accessing some sort of account faces the dilemma of coming up with a combination of characters that meets the conflicting criteria of being both memorable and yet long and cryptic enough to foil any hackers trying to guess it or automatically generate potential matches. At least, this would be the case if not for the assistance of password managers, which are standalone programs or web browser features or add-ons that can generate and store a suggested strong password unique to each account. But even then you need to dream up a strong master password to unlock the virtual vault formed by your chosen password manager, to access all of your other passwords.

There are countless strategies — and combinations thereof — for dreaming up a worthy password. For instance, you could write down a seemingly random combination of letters and punctuation marks and then memorize it. But it would have to contain enough characters to be secure, and yet the greater the number of characters then the greater the likelihood that you would not be able to recall it in the future, especially under stress (e.g., moments before boarding an international flight when the gate agent insists that you provide the ticket number of your onward travel flight, as evidence that you do not plan to overstay your visa). Alternatively, you could form a string of gibberish by concatenating the second letter of the first two dozen words of the lyrics from your favorite song. If you are compelled to type in that password at least once a day, to access your password manager, then you will likely never forget your technique for re-creating it each time. But if for some reason you only need to remember that password infrequently, will you always remember the number of words you chose to use, before your unsuccessful attempts lock you out of your account? And how did you decide to handle single-character words? Come to think of it, did you decide after all to tack on your birth year or a punctuation character?

A more straightforward password could be had by simply using the words themselves, with no character-extraction pattern and no embellishments. The result would be much easier for you to remember, but sadly also much easier for attackers to guess correctly, because typically, after they first try all of the most commonly used passwords (from numerous lists published online), they will programmatically try combinations of words from a dictionary — hence the term "dictionary attack".

The computational power now available for such attacks allows for millions if not billions of guesses to be tried per second, depending upon the hardware, at least for off-line efforts in which the attackers can use password-cracking programs against a locally-stored file (such as a leaked database) containing the encrypted passwords of multiple accounts, including yours. Users can attempt to make passwords longer and stronger by employing more words from the dictionary, but attackers can improve their results by employing more robust hardware — in something of a digital arms race.

Naturally, attackers use the dictionary of whichever human language is associated with most if not all of the account owners. In those rare cases where most of the people targeted are bilingual, one would expect the attackers to use all of the dictionary words of both languages — or at least the most commonly used words, to greatly diminish the number of possible permutations without significantly diminishing the odds of success for the bulk of the hashed passwords.

There is, however, a potential counter-strategy I have not yet seen presented anywhere: Rather than limiting the candidate words to a single human language, choose words from many foreign languages — the more, the better — possibly with accented characters replaced with their closest non-accented equivalents. For instance, you could concatenate some foreign translations of the word "hello": "bonjour" (French), "hallo" (German), "namaste" (Hindi), "ciao" (Italian), "nihao" (Mandarin Chinese), "privet" (Russian), and "hola" (Spanish). This would result in "hellobonjourhallonamasteciaonihaoprivethola", for a total of 43 characters. One could also add from less common languages, for instance: "salam" (Azerbaijani), "saluton" (Esperanto), "konnichiwa" (Japanese), "salve" (Latin), and "habari" (Swahili) — resulting in an even more secure password. In addition to natural human languages, you could also use synthetic ones, such as Klingon and Dothraki.

Reputable sources (e.g., Ethnologue) claim that there are many thousands of languages in existence and more than 150 that are spoken by more than a million people. Would a significant portion of all password attackers ever expand their search space to incorporate the dictionary words from multiple languages? It is unlikely, because each language added would exponentially increase the possible permutations that they would need to test. Moreover, if their existing methods using only English continue to be largely successful, then it is inconceivable that attackers would massively increase their investment of time and computer resources simply to crack a few remaining stubborn passwords, such as yours.
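The two ideas above, building a passphrase by concatenating words and asking whether an attacker's word-combination search could ever produce it, can be checked mechanically. The following script is an added example, not part of the essay: it segments a passphrase against a vocabulary (if the passphrase cannot be split entirely into words the attacker's list contains, a pure word-combination attack with that list will never generate it) and estimates the size of the search space for phrases of up to N words drawn from V words. The word lists are tiny constructed samples, not real cracking dictionaries; the "hello" translations are the ones the essay uses.

```python
"""Added example (not from the original essay): evaluate a word-concatenation
passphrase against a dictionary-combination attack with a given vocabulary."""
import math

# Constructed toy vocabularies (assumption: a real cracker's lists are far larger).
ENGLISH = {"hello", "password", "welcome", "sunshine", "dragon"}
FRENCH = {"bonjour", "salut", "merci"}
GERMAN = {"hallo", "danke", "bitte"}
HINDI = {"namaste", "dhanyavaad"}
ITALIAN = {"ciao", "grazie"}
MANDARIN = {"nihao", "xiexie"}
RUSSIAN = {"privet", "spasibo"}
SPANISH = {"hola", "gracias"}

# Union of all the toy lists: the vocabulary of a hypothetical polyglot attacker.
MULTILINGUAL = (ENGLISH | FRENCH | GERMAN | HINDI | ITALIAN
                | MANDARIN | RUSSIAN | SPANISH)

# The passphrase components from the essay.
HELLO_WORDS = ["hello", "bonjour", "hallo", "namaste",
               "ciao", "nihao", "privet", "hola"]


def build_passphrase(words):
    """Concatenate the words exactly as the essay does (no separators)."""
    return "".join(words)


def can_be_segmented(passphrase, vocabulary):
    """True if the passphrase is a concatenation of vocabulary words.

    Dynamic programming over prefixes: reachable[i] means the first i
    characters can be split into words from the vocabulary.
    """
    max_len = max((len(w) for w in vocabulary), default=0)
    n = len(passphrase)
    reachable = [False] * (n + 1)
    reachable[0] = True
    for i in range(n):
        if not reachable[i]:
            continue
        for j in range(i + 1, min(n, i + max_len) + 1):
            if passphrase[i:j] in vocabulary:
                reachable[j] = True
    return reachable[n]


def candidate_count(vocab_size, max_words):
    """Number of phrases with 1..max_words words drawn from vocab_size words."""
    return sum(vocab_size ** k for k in range(1, max_words + 1))


def search_space_bits(vocab_size, max_words):
    """log2 of the candidate count: the work factor for an exhaustive search."""
    return math.log2(candidate_count(vocab_size, max_words))


def seconds_to_exhaust(vocab_size, max_words, guesses_per_second):
    """Worst-case time to enumerate every candidate at a given guess rate."""
    return candidate_count(vocab_size, max_words) / guesses_per_second


if __name__ == "__main__":
    pw = build_passphrase(HELLO_WORDS)
    print(len(pw), pw)
    print("English-only list can produce it:", can_be_segmented(pw, ENGLISH))
    print("Multilingual list can produce it:", can_be_segmented(pw, MULTILINGUAL))
    # Illustrative vocabulary sizes (assumed, not measured from any real list).
    for vocab in (10_000, 50_000, 200_000):
        bits = search_space_bits(vocab, len(HELLO_WORDS))
        years = seconds_to_exhaust(vocab, len(HELLO_WORDS), 1e9) / (3600 * 24 * 365)
        print(f"{vocab:>7} words, up to {len(HELLO_WORDS)}: {bits:5.1f} bits, "
              f"{years:.3g} years at 1e9 guesses/s")
```

The segmentation check is the interesting part: it answers, for a specific attacker vocabulary, whether the passphrase lies inside that attacker's search space at all, independent of how fast the hardware is. The bit estimate only counts exhaustive enumeration and assumes all words are equally likely to be tried; a real attacker orders guesses by frequency, so treat it as an upper bound on the work an attacker faces.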

Perhaps this is one more advantage to thinking beyond just English.

Copyright © 2023 Michael J. Ross. All rights reserved.