Using Grammar to Crack Passwords
Grammar is an important part of any language as it underlies the structures needed to form proper sentences, so we need it for competent communications. For security though, grammar can be a nightmare, as researchers at Carnegie Mellon University have demonstrated.
Many places and people will tell you that long, complex passwords are stronger, but the researchers have found that because these passwords may contain predictable grammatical structures, simpler passwords can be stronger. For example "Th3r3 can only b3 #1!" was easier for their password-cracker to get than "Hammered asinine requirements," even though it contains fewer words no numbers or symbols. It was even calculated that "My passw0rd is $uper str0ng!" is one million times stronger than "Th3r3 can only b3 #1!" largely because of the grammatical structure of the password.
The researchers tested this grammar-aware cracker against state-of-the-art crackers with 1434 passwords with over 16 characters. When the passwords contained grammatical structures, the new cracker bested the more traditional solutions and even managed to crack 10% of the dataset that the others had failed to. It is worth noting that this was built only as a proof-of-concept, which means it could be optimized to become even more powerful.
Source: Carnegie Mellon University