23

I have a question slightly similar to this question. I am familiar with the correct horse battery staple example from xkcd, yet I am leaning towards song lyrics as a passphrase, since I have a brain that remembers song lyrics very easily.

Now, I am wondering how long a passphrase made up of song lyrics should be at least, to provide an "acceptable" security level comparable to the 44 bits of correct horse battery staple. The tricky part is the social-engineering part of the question. If I google the lyrics beforehand, like one answer mentioned here, I know I am not covering up my trails. But, like I mentioned before, I know many song lyrics by heart and do not need to look them up before settling for a passphrase. Would that do me good?

In essence, my question is asked with the assumption that a hacker social-engineered my fondness of pass-lyrics. In case that is a known fact for an attacker, how long should pass-lyrics be and would it also be a self-inflicted wound to use song-lyrics including numbers? I guess the latter part will definitely make it easier, for social-engineered attacks, yet harder for brute force.

I am well aware of the vagueness of my question, but all I am looking for is a basic rule of thumb. Right now, I am using pass-lyrics for rather low-risk accounts, but I am trying to think of something and the correct horse battery staple is not ideal for my stupid-ass brain.

Edit: I do not think it to be a duplicate of that BBC question in question, since I am considering whole lines of lyrics instead of first letters and, as one answer pointed out, 7 letters cover 65% of the language with the first letters of words.

  • Any particular reason why you ask about a sub-optimal solution to a problem that is known to be hard to solve? A password manager would be way more secure, you know – Stephane Jul 11 '17 at 07:34
  • 2
    A password manager would limit me to using my own devices, right? Also, I never considered using a password manager, as I am not very fond of putting all my eggs in one basket. Or is there something I failed to acknowledge? – Baron Furzgesicht Jul 11 '17 at 07:38
  • 4
    You can just have a password manager on your phone that will tell you the password if you need to enter it manually. – Elias Jul 11 '17 at 08:01
  • Just a +1 for song lyrics as a password scheme. I also use lyrics for some logins, and then I associate whatever song it is with the website, so get a different password (and theme tune!) for each. – Algy Taylor Jul 11 '17 at 08:34
  • 24
    `Iwannabetheverybestlikeno1everwasTocatchthemismyrealtestTotrainthemismycause` – Thomas Jul 11 '17 at 09:08
  • This could only be secure if you combine lyric parts from a large enough pool of lyrics and use a randomly chosen passphrase from it - and not some part you already know. (which kind of defeats the purpose of using lyrics) If you choose lyrics you know, the pool is certainly too small and any information about you (age, location) combined with knowledge about which songs were popular at what time/location will decrease security even further. It sounds kind of like using the `correct horse battery staple` technique but limited to your favorite words, which would be a bad idea. – kapex Jul 11 '17 at 12:37
  • Many sites might also limit the length of your password to something shorter than your acceptable number of words, forcing you to pick a weaker song lyric. As others have said, for your use case, a password manager is probably the right answer. – JesseM Jul 11 '17 at 17:35
  • 1
    There are demonstrated and published cracking methods that can get this kind of phrase-based passwords like "allineedislove". Common phrases in songs have much lower entropy than completely random phrases or other high-entropy generation schemes. See https://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/ and https://nakedsecurity.sophos.com/2012/03/19/multi-word-passphrases/ for examples of research on cracking pass phrases. – Cody P Jul 11 '17 at 17:51
  • 11
    One poorly understood piece of the xkcd password is that it's *random*. Those are four randomly chosen common words. Sentences in written language are not random, spoken even less so, and song lyrics less so still. For the same length of characters your song lyric password is *much* weaker. Not that it probably matters. – Jared Smith Jul 11 '17 at 18:08
  • 2
    Hacking Bieber fan accounts would be trivial: "BabyBabyBabyBaby"... – HorusKol Jul 11 '17 at 23:14
  • I think you're taking the wrong bullet point out of the answer you quoted on the duplicate question. The *main* point is not that "7 letters cover 65% of the language", it is that there are simply not enough song lyrics, let alone *popular* song lyrics, to form the basis of a good password. Doing any transformation to the song lyric will make it slightly stronger since the attacker will need to try both with and without the transformation. But that's beside the point because the goal is to have too many possible passwords to guess, and song lyrics fail miserably at that even with mangling. – Ben Jul 12 '17 at 16:29
  • I should note, as noted in the duplicate question, that if you're replacing a password like "p@ssw0rd!" then you're probably at least making an improvement. So don't be discouraged from making *any* change. But a far better solution is to use a password manager. As someone points out, with a smartphone app (or portable USB installation) you can still log into devices you don't own...and be honest, how often do you do that anyway? I've found that solution works just fine when I occasionally need it. – Ben Jul 12 '17 at 16:30

7 Answers

22

As with any password guessability/strength question, likely the most important factor is "who's the attacker".

For online password guessing attacks, by an attacker who doesn't know you, the most important factor is ensuring that your password won't be guessed before the account lockout kicks in. For that as long as your password isn't in the top couple of hundred likely picks, you are likely to be ok. Lyrics (especially ones from a song that isn't currently that popular) are very unlikely to be guessed here.

If you think about a scenario where a website you have an account on has been compromised and the password database is being cracked, well your account on that system is likely burned, so in terms of stopping the security of your other accounts being affected the most important factor is ensuring that you use unique passwords on each site you make use of. If you can do that with song lyrics, you won't be affected by the compromise of one password.

If you're looking at a scenario where the attacker knows you, things get more risky, especially if you've disclosed the scheme you're using. It would be relatively easy to create a database of popular song lyrics and apply that to an offline password. But what you've got to consider is, is anyone who knows you likely to do that... That's a risk decision only you can make.

Some practical considerations with this scheme. You may well have problems using it on sites which enforce password classes (e.g. special characters). You may also have problems with sites which enforce arbitrary upper limits on password length.

Rory McCune
  • I guess special characters won't be too much of a problem, like I mentioned, I could use songs with numbers in it or write the word "one" as "1" and I could include punctuation. Yet upper limits might be problematic. As for the other argument, I think I would be able to come up with enough lyrics to give individual accounts individual lyrics. But I am interested in the scenario where an attacker creates a database of song lyrics. The dimensions will have to be huge, as I won't limit myself to pop songs – Baron Furzgesicht Jul 11 '17 at 08:40
  • Oh sure, it wouldn't be a small database and it would take some putting together, so someone would really have to want to compromise the password. But in terms of attempting the cracking once they had the database ready, remember GPUs can do tens of millions of attempts a second, so really any wordlist based cracking is easily done. – Rory McCune Jul 11 '17 at 08:46
  • Well that is something I can work with. There have to be several factors that come together...So I guess some passphrases à la `correct horse battery staple` will have to be memorized for highly sensible accounts – Baron Furzgesicht Jul 11 '17 at 08:50
  • 5
    @RoryMcCune there are existing sites full of song lyrics, some easier to scrape than others. Assuming a gigabyte worth of song lyrics (a few million songs) that won't result in much more than a billion possible passwords. An afternoon's worth of cracking. – ratchet freak Jul 11 '17 at 11:55
  • The database of popular song lyrics is not an unheard of tactic, and more importantly many leaked password databases include song lyric passwords in them. The book Financial Cryptography and Data Security ran an experiment in which 37% of their cracked passwords were lyrics but only 5% of these lyric password were not found using dictionary based attacks or other password databases: https://books.google.com/books?id=8gIkDwAAQBAJ&pg=PA611&lpg=PA611#v=onepage&q&f=false – Cody P Jul 11 '17 at 18:17
19

Sorry, but you're not the first person to think of this so you can bet that this technique will be automated in some password cracking software. It's always best to assume that the hacker knows your generation scheme when evaluating these sorts of schemes.

So how secure is this? Well, a quick googling of "number of songs on spotify" threw up the number 30 million. Doing a word count on a random song (https://genius.com/Tim-minchin-3-minute-song-lyrics) threw up 483, which is about the number of words in a song. For a four word password you can guess like this: "the wheels of the", "wheels of the bus", "of the bus go" and so on (this is not the smartest way to guess, you could put your phrases in a hash set first to remove duplicates).

Notice that using more words doesn't really increase the entropy that much. There are 483 words in a song, there are 482 2-word phrases, 483 3-word phrases and so on.

So, 30 million * 500 = 15 billion or 33 bits of entropy or 2048 times less secure than a password formed of actually random words. This is a large overestimate of the security because of the hash-set optimisation.

5

Any form of password manager would solve this issue for you. Currently, you are trying to overcomplicate passwords. Song lyrics are definitely an interesting idea for a password, and the length alone is relatively secure, but if you want to have something secure that you can remember, and that wouldn't cause issues, use a password manager.

Josh Ross
  • 2
    as I mentioned in the comment above, I think a password manager would limit me to using my own devices and I can't shake the feeling that putting all my eggs in one basket is not that great an idea. But feel free to convince me otherwise :) – Baron Furzgesicht Jul 11 '17 at 07:54
  • Apologies, did not pay attention to comments. From a safety perspective, yes it will be less safe than using a different password for every single website, but it is also going to be more complicated. If the password structure is compromised as you mentioned yourself, you won't have that many changes and the change of passwords is going to be a pain. As for convincing, I've been using one myself for a long time, haven't had issues. Security breaches to such websites are very rare and are set up for maximum damage control. – Josh Ross Jul 11 '17 at 07:59
  • In addition to that, password managers will allow you to create passwords of any complexity and will allow you to store and manage them without much hassle obviously. Easier creation. In my opinion, no password will ever be safe, but since I have yet to find an efficient way to be aware of all the passwords, I go with the currently effective and efficient option. You can always research multiple popular password managers to see a number of security problems they had. If you are not convinced, your way of adapting lyrics to passwords will be a safer option then. – Josh Ross Jul 11 '17 at 08:02
  • Please, do not confuse passwords and passphrase. They are different things for different use cases. – Jakuje Jul 11 '17 at 12:20
  • Your comments didn't address @BaronFurzgesicht's main concern about password managers: the concern that they are locked to a single device but the OP wishes to be able to use other devices to log in to websites. Their concern is not one of security, it is one of usability. – Pharap Jul 11 '17 at 12:58
3

It strongly depends on how well the social engineering is done.

If the attacker only knew you are using song lyrics and there were a million songs to randomly choose the lyrics from, it would be secure enough for low risk accounts.

BUT you don't choose the songs randomly. I assume that most of the songs you listen to are from a relatively small range of genres and bands. If the attacker has detailed knowledge about your preferred music, the number of songs will be reduced to a few hundred and your strategy will become very insecure.

Getting that information can be really easy: One could ask your friends about your taste concerning music, if he doesn't know you yourself. If you are sharing the music you listen to using facebook and spotify or lastfm it gets even easier.

The length of the fragment won't play a big role anymore, since the order of the words is defined by the songs. In fact, if you are only using full sentences or lines this will reduce security even more.

Assuming you are using full lines of a selection of 100 songs, each of which contains 20 different lines (the refrain lines count only once), you will end up with as little as 2000 different passwords.

That is fewer possible passwords than when using 2 random Latin letters (uppercase and lowercase allowed), like "yA" or "UD".

To sum it up, it is a bad idea to use songtexts as passwords.
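The two keyspace estimates above (the 19-vote answer's sliding word windows scaled to a 30 million song catalogue, and this answer's 100 songs × 20 lines compared with two random letters) as an added worked example; this is not code from either answer, and the lyrics are constructed rather than real songs.

```python
import math

# Constructed sample "songs" (made up for this example); each is a list of lines.
SAMPLE_SONGS = {
    "song_a": [
        "the wheels of the bus go round and round",
        "round and round round and round",
        "the wheels of the bus go round and round",  # repeated refrain
        "all through the town",
    ],
    "song_b": [
        "twinkle twinkle little star",
        "how i wonder what you are",
        "up above the world so high",
        "like a diamond in the sky",
    ],
}


def word_phrases(songs, min_words=4, max_words=8):
    """Every window of min_words..max_words consecutive words, in song order
    ('the wheels of the', 'wheels of the bus', ...). A set plays the role of
    the hash-set deduplication the answer mentions: a repeated refrain
    contributes its phrases only once."""
    phrases = set()
    for lines in songs.values():
        words = " ".join(lines).split()
        for n in range(min_words, max_words + 1):
            for i in range(len(words) - n + 1):
                phrases.add(" ".join(words[i:i + n]))
    return phrases


def full_lines(songs):
    """The whole-line model: each distinct lyric line is one candidate."""
    return {line for lines in songs.values() for line in lines}


def bits(keyspace):
    """Entropy in bits of a uniform choice from `keyspace` candidates."""
    return math.log2(keyspace)


def scaled_bits(candidates_per_song, n_songs):
    """Extrapolate a per-song candidate count to a whole catalogue."""
    return bits(candidates_per_song * n_songs)


def equivalent_random_chars(keyspace, alphabet=52):
    """Shortest uniformly random string over `alphabet` symbols (52 = a-zA-Z)
    that offers at least `keyspace` possibilities."""
    return math.ceil(math.log(keyspace, alphabet))
```

With the page's figures, `scaled_bits(500, 30_000_000)` gives about 33.8 bits against the 44 bits of four random words, and `equivalent_random_chars(2000)` returns 2, i.e. the 2000-line model is weaker than two random letters.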

2

As you are using passphrases of several words, your password is large enough to be immune to simple brute force attacks. But the weakness here is that you are not using 4 random words from a song but I think that you will use a true sentence with a meaning by itself in song order. If we limit an automated scheme to sentences from 4 to 8 words (*), we get per song not more than 5 * number of words. Not much more than several thousands for a common song. As I am thinking of an automatic dictionary like attack, I am not considering the meaning here. But I'm afraid there are not enough songs around to make that password method resistant to a targeted attack.

In that sense, this answer is not much different from the BBC one: the best pattern to build a password is to use no pattern. That's the reason why password managers have a nice reputation here, they allow the use of true random passwords which by construction are resistant to any attacks... except for the rubber hose series that here would include local attacks against the password manager, if the master password is weak...


(*) Less than 4 will lead to really short passphrases, and more than eight will soon be tedious to manually type.

Serge Ballesta
2

One thing that matters quite a bit is what song you pick. Supposing there is any kind of automation scheme going on, they are going to attempt to use lyrics from top 40 kinds of songs first before delving into more obscure lyrics. Again, this is where someone attacking you personally could change things: if they know your music choices, they can take that angle and narrow their song selection.

You could do some kind of basic transformation to song lyrics, like taking the second letter of each word in a long phrase or changing certain letters to numbers. That would reduce your risk for someone targeting you considerably.

user153097
0

I would suggest instead to use sentences including punctuation, and then use only the (capitalized) letters of that sentence. Add numbers if you like. The problem with words is that they can be found in a dictionary, which will make your password much less secure than you would think.

Remembering sentences is actually fairly easy. This system has led to me having >10 long passwords with mixed punctuation and non-word characters as a minimum, up to 15-20 when important. That is a good bit more secure, and still fairly easy to remember.

You probably could use this with your lyrics if you want.