Does Microsoft's Telepathwords know what you will type next?

by Mark Tyson on 9 December 2013, 11:15


Microsoft has published a new web-based tool with the stated aim of "Preventing weak passwords by reading your mind". The new tool is snappily called Telepathwords and was built by researchers from Microsoft Research (MSR) and a Carnegie Mellon University PhD student intern.

Telepathwords works by drawing on the knowledge and data Microsoft has about common passwords, such as those made public in past security breaches. It also considers common phrases and searches on the web, along with other password-choosing behaviours such as picking keys because of their position on the keyboard, like qazwsx or, heaven forbid, 123456.

the X marks a successful prediction

Microsoft's 'prediction engine' uses a very large database of words, so it is not sent to your computer when you use Telepathwords. The passwords you type and test are not logged by Microsoft, but it does record data on "mouse movements and the timings of when characters are added to or removed from your password," for its research into understanding how users choose passwords. This log is encrypted before being sent to Microsoft.
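To illustrate the idea of predicting each next character from common passwords and keyboard position, here is a simplified sketch added as an example; it is not Microsoft's code or data. The password list, the keyboard lines, the three-character suffix rule and all function names are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample data, not Microsoft's corpus: a few common passwords
# plus keyboard rows and columns for position-based walks like "qaz".
COMMON = ["123456", "password", "qazwsx", "abc123", "monday1",
          "trustno1", "letmein", "iloveyou"]
KEY_LINES = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
             "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]

def build_model(words):
    """Map each proper prefix of each word to the characters that follow it."""
    model = defaultdict(Counter)
    for w in words:
        for i in range(1, len(w)):
            model[w[:i]][w[i]] += 1
    return model

def keyboard_next(prefix):
    """If the last two keys walk along a row or column, guess the next key."""
    guesses = set()
    if len(prefix) >= 2:
        pair = prefix[-2:]
        for line in KEY_LINES:
            for seq in (line, line[::-1]):      # walks in either direction
                i = seq.find(pair)
                if i != -1 and i + 2 < len(seq):
                    guesses.add(seq[i + 2])
    return guesses

def predict(prefix, model, top=3):
    """Characters the model expects next, given what has been typed so far."""
    prefix = prefix.lower()
    guesses = keyboard_next(prefix)
    for start in range(len(prefix)):            # longest suffix first
        suffix = prefix[start:]
        # A shorter suffix must be 3+ characters to count as a pattern.
        if suffix in model and (start == 0 or len(suffix) >= 3):
            guesses.update(c for c, _ in model[suffix].most_common(top))
            break
    return guesses

def score(password, model):
    """Return (marks, unpredicted); 'X' marks a successfully predicted character."""
    marks = "".join(
        "X" if ch.lower() in predict(password[:i], model) else "-"
        for i, ch in enumerate(password))
    return marks, marks.count("-")

MODEL = build_model(COMMON)
```

Only the unpredicted characters add to the score, so padding a common password with a character at each end (as in `Xpassword9`) gains little.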

While the researchers are pretty proud of the Telepathwords tool, they are the first to admit that it can't prevent all weak passwords. For instance, the researchers suggest that an attacker might know some of your personal information from some other source, which makes your password more guessable to them.

I've given Telepathwords a test drive and it cottoned onto a very old password I used to use pretty quickly. I also got the warning about 'profanity' pop up, as shown below, though my password didn't contain any such word...



HEXUS Forums :: 18 Comments

abc123
Monday1
TrustNo1
What happened to ‘God’, ‘Sex’, ‘Love’ and ‘Secret’? :D
Might be the wrong thing to say, but I really quite like these kinds of tools as ways to train folks not to use dumb passwords. Remember using GRC's “password haystack” with a cub pack doing their “computer” badge, and them taking great delight in trying to find the shortest and longest crack time passwords.

As to this one though - I think the presentation could be better - even if it did a traffic light display for the predicted and non-predicted passwords. My default password didn't do very well - I really need to go around and change every account that uses it! :o
Ttaskmaster
What happened to ‘God’, ‘Sex’, ‘Love’ and ‘Secret’? :D
That sounds like a tabloid headline.
how to get people willingly submit their most pressures passwords - ohh just ask them !!!
precious not pressures - crap auto correction…
do I trust M$ to encrypt those passwords? - no
do I trust M$ to secure this page well enough so no hacker can take control over it - HELL NO!!!