Can a different language make passwords more secure?
Discussion on whether using a language other than English can result in stronger and secure passwords.
Last updated
TL;DR: Using dictionary words in a language other than English does not make the password inherently secure. The magic trick for strong passwords is not rooted in any particular language but in well-researched mathematical notions.
While scrolling the news I came across a curious headline, "How Axis Bank is reinventing password protection". Being interested in anything related to password security, I opened the article. It promotes a recently published campaign by a leading bank, along with a password generator website, www.sanskritpassword.com. The generator is billed as "An age-old, cutting edge solution". So what does this generator do?
According to the campaign, the password generator translates English words to Sanskrit, "turning it into a password that’s tough for hackers to crack but easy to remember." So, is this statement really true? Well, not really.
The security of a password depends on how hard it is to crack. An attacker will not sit and guess your password by hand (which is what the campaign implies); they will run automated cracking tools driven by a wordlist. A wordlist holds hundreds of thousands to billions of known passwords and password fragments, collected from data breaches, data thefts, and users who gave their passwords away under social engineering. The tool tries every entry, usually with rules that append digits or symbols and change capitalisation, until one works. Against a leaked database of password hashes this runs offline, at millions or billions of guesses per second, with no account lockout to slow it down.
To create a hard-to-crack password, some rules of thumb should be followed:
Passwords should be long: at least 8 characters, and preferably 12 or more.
Passwords should be complex: draw from a large pool of characters, that is lowercase and uppercase letters, digits and special characters such as @#/!$, placed at random positions rather than in a fixed slot.
Passwords should not be predictable: have you ever been told not to use your name or birth year as a password? Those are the first things an attacker tries, so no cracking effort is needed at all.
Password strength is estimated with a formula known as password entropy:
E = L × log₂(C)
Here, E = entropy in bits, C = the number of different characters the password can draw from (26 for lowercase letters only, 94 for all printable ASCII symbols excluding space), L = length of the password. The bigger the entropy, the stronger the password; each extra bit doubles the number of guesses an attacker needs.
The entropy formula, together with the rules of thumb above, is the most credible criterion for what makes a password secure. One caveat matters here: the formula assumes every character was chosen uniformly at random. A dictionary word does not meet that assumption; its letters are highly correlated, so a word contributes far fewer bits than its length suggests. This is where the campaign falters. It claims that attackers cannot crack passwords created in Sanskrit because they do not know the language. This is untrue.
The attacker's knowledge of the language has no bearing on the security of the password: a cracking tool never reads the words, it only needs them in a list. In fact, using dictionary words as the campaign suggests can have the opposite and potentially dangerous effect on password security.
Let's follow the password generator's example and create a password from Hello 2034. The generator translates this to Namaste!2034. Here we have a dictionary word (Namaste), a special character (!) and 4 digits (2034). By conventional means this could be a strong password, but the generator uses a predictable password rule:
There is a dictionary word whose first letter is capitalised
Following the word, there is a single special character (there are 32 possible special characters)
Finally, there are 4 numerical digits at the end (10,000 possible combinations, from 0000 to 9999)
This is a simple pattern and is far easier to attack with a structured dictionary attack than by brute force. All the attacker has to do is take any Sanskrit dictionary, capitalise the first letter of each word and append every combination of the 32 special characters and 10,000 four-digit numbers. A 50,000-word dictionary, for example, yields 50,000 × 32 × 10,000 = 1.6 × 10^10 candidates, roughly 34 bits, against the 94^12 (about 79 bits) that a random 12-character password from the full printable set would require. Moreover, the generator translates English words, so the attacker only needs the Sanskrit translations of the words people actually type, a small fraction of what the Oxford dictionary contains. Even worse, this generator is primarily meant for non-native English speakers (Indians who have English as a secondary language), which shortens the wordlist further.
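As an added example (not code from the original article or from the campaign's generator), the following Python script puts numbers on the two arguments above: the entropy formula E = L × log₂(C), and the size of the search space once the attacker knows the Word+symbol+4-digits pattern. It also enumerates that pattern the way a cracking rule would and recovers the campaign's own sample password. The tiny dictionary and the target are constructed for illustration; a real attack would use a full Sanskrit wordlist.

```python
import math
import string

# Character classes used to estimate C, the pool a password draws from.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
           string.punctuation)  # string.punctuation holds the 32 ASCII symbols
NUM_SPECIALS = len(string.punctuation)  # 32


def charset_size(password: str) -> int:
    """C for the formula: the combined size of every class the password uses."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def naive_entropy_bits(password: str) -> float:
    """E = L * log2(C), valid only if every character was picked uniformly at
    random from the pool. For a word+symbol+digits password this overstates
    the real strength badly, which is the point of the comparison below."""
    return len(password) * math.log2(charset_size(password))


def pattern_candidates(dictionary_size: int, digits_len: int = 4) -> int:
    """Number of candidates in 'Capitalised word + 1 symbol + N digits'
    when the attacker knows the pattern and has the dictionary."""
    return dictionary_size * NUM_SPECIALS * 10 ** digits_len


def pattern_entropy_bits(dictionary_size: int, digits_len: int = 4) -> float:
    """Effective entropy: log2 of the candidates the attacker must try."""
    return math.log2(pattern_candidates(dictionary_size, digits_len))


def structured_wordlist(words, digits_len: int = 4):
    """Enumerate the generator's pattern over a dictionary, exactly as a
    cracking rule would: capitalise, append each symbol, append each number."""
    for word in words:
        capitalised = word[:1].upper() + word[1:]
        for symbol in string.punctuation:
            for number in range(10 ** digits_len):
                yield f"{capitalised}{symbol}{number:0{digits_len}d}"


def crack(target: str, words):
    """Try the structured wordlist against a single known target.
    Returns (guess_number, guess) or None if the pattern does not match."""
    for guess_number, guess in enumerate(structured_wordlist(words), start=1):
        if guess == target:
            return guess_number, guess
    return None


if __name__ == "__main__":
    # Constructed illustration: a tiny "dictionary" of romanised Sanskrit words
    # (assumed, not taken from the generator) and the campaign's example output.
    dictionary = ["namaste", "shanti", "dhanyavaad", "surya", "chandra"]
    target = "Namaste!2034"

    print(f"C = {charset_size(target)}, naive E = {naive_entropy_bits(target):.1f} bits")
    for size in (5_000, 50_000):
        print(f"{size:>6}-word dictionary: {pattern_candidates(size):.2e} candidates, "
              f"effective E = {pattern_entropy_bits(size):.1f} bits")
    print(f"random 12 chars from a 94-symbol pool: {94 ** 12:.2e} candidates")
    print("cracked:", crack(target, dictionary))
```

The naive formula credits Namaste!2034 with about 79 bits; knowing the pattern and a 50,000-word dictionary, the attacker faces about 34 bits, and against the five-word toy dictionary the target falls on guess 2,035. The gap between the two entropy figures is the whole argument against the generator.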
The real problem with this password generation mechanism is that the very system behind it is put on display. There is a widespread view in the security community, usually called Kerckhoffs's principle, that every part of a cryptographic protocol should be public except the secret key. The reasoning is that the more criticism and research a protocol attracts, the more secure it becomes.
However, the Sanskrit password generator is not a cryptographic protocol, and there is no separate secret key: the user's choice of word is the whole secret. Publishing the mechanism only hands the attacker the pattern to enumerate. Narayanan and Shmatikov showed in a 2005 paper ("Fast Dictionary Attacks on Passwords Using Time-Space Tradeoff", ACM CCS 2005) that human-chosen passwords can be cracked efficiently even when the nominal space of potential passwords is large, because people pick from a much smaller, predictable subset of it.
Ultimately, the magic trick for making passwords secure is not rooted in any particular language (even if it is an ancient one), it is rooted in well-researched mathematical notions.
There are other factors at play during attacks on passwords. A service should store passwords hashed and salted with a slow, purpose-built algorithm such as bcrypt, scrypt or Argon2, and never in cleartext. Even so, once a hash database leaks the attacker can test guesses offline at full speed, so a predictable password falls quickly however it is stored, and a fast unsalted hash such as MD5 or SHA-1 only makes that worse.
To secure your privacy and data, follow the rules of thumb discussed above along with some other considerations:
Use a long password; at least 12 characters is the usual recommendation
Randomise the password: special characters, capitalised letters and digits in random positions, not a word followed by a symbol and a number
Do not use a dictionary word as the base of a password; easy to remember also means easy to crack (a passphrase of several words picked at random from a large list is different, because its entropy comes from the number of words and the size of the list)
If possible, use a random password generator and a password manager, and use a different password for every service
Enable Multi-Factor Authentication (MFA)
Do not write down your passwords
It is important to use secure authentication mechanisms in today's increasingly digital world but users also need to be aware of common misconceptions. In such a scenario, it is our duty—as cyber security professionals—to educate people using credible facts and research.