According to the researchers, the tool evaluates different parts of speech are be used to construct a grammatically correct sentence or phrase.
For instance, pronouns are used less than verbs, which are used less than adjectives which are in turn used less than nouns, the researchers noted in the paper. So a passphrase like "Andyhave3cats" will always be stronger than "Shehave3cats", because the use of a pronoun in the latter passphrase allows it to be broken with a fewer number of guesses, the team noted.
Neither the number of words or characters made much of a difference to password strength when grammar was involved. The researchers calculated that cracking a password like "Th3r3 can only b3 #1! " would take just 22 minutes while breaking a password using the words "Hammered asinine requirements" would take more than three and a half hours.
Generally, incorporating special symbols, letter substitutions and using uppercase and lowercase letters do not help as much as some experts say, Rao told Computerworld in an email.
"In our calculations we account for a constant amount of mangling or substitutions on [the] part of the user," she said.
Previous research has already documented well-known substitution patterns, she said. Common examples include capitalizing the first letter, substituting certain letters with numbers and adding a punctuation mark at the end, she said.
"Password strength depends on the underlying part of speech," Rao noted. "A dictionary for nouns is bigger than a dictionary for adjectives which is bigger than [a dictionary for] verbs. "
So a password with the underlying structure, pronoun-noun-verb-adjective-adverb, like "mypassw0rdis$uper str0ng" is much stronger than a password that has an existential-modal-verb-determiner-pronoun structure such as "Th3r3canonlyb3 #1!" she said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, send e-mail to firstname.lastname@example.org or subscribe to Jaikumar's RSS feed .
Read more about security in Computerworld's Security Topic Center.