Microsoft Research's new tool guesses your password

December 6, 2013, 10:30 AM

Microsoft Research has developed a new tool designed to help prevent people from creating weak passwords. Known as 'Telepathwords', the system takes each character that you type for your desired password and attempts to guess the next one, giving a tick for a character that couldn't be guessed, and a cross for those that could.

The tool detects vulnerabilities in passwords that would have previously been allowed under the standard "rules": passwords such as "P@$$w0rd1", for example, contain at least one uppercase letter, one lowercase letter, a digit, a symbol, and no English words - so are allowed under the rules - but can easily be guessed by hackers due to common patterns and character replacement.

Telepathwords will guess this password through Microsoft's specially-crafted prediction engine, which uses a database of commonly used passwords, phrases and behaviors to root out these bad passwords. As you type it, the tool tells you where you went wrong, such as informing you that character replacement doesn't make a password any more secure.
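A minimal sketch of the per-character feedback described above, added here as an illustration; it is not Microsoft's prediction engine. The tiny corpus, the substitution table and all function names are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample corpus; a real meter would load a large list of
# commonly used passwords and phrases.
COMMON = ["password", "password1", "passw0rd", "letmein",
          "qwerty", "iloveyou", "123456", "dragon"]

# Assumed substitution table: common character replacements are undone
# before lookup, so "P@$$w0rd" is treated exactly like "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l",
                      "3": "e", "!": "i", "5": "s"})

def normalise(text):
    """Lower-case the text and undo common character replacements."""
    return text.lower().translate(LEET)

def build_model(words):
    """Map every prefix of every normalised word to next-character counts."""
    model = defaultdict(Counter)
    for word in map(normalise, words):
        for i in range(len(word)):
            model[word[:i]][word[i]] += 1
    return model

def predict(model, typed, k=3):
    """Return up to k likely next characters for what was typed so far."""
    ctx = normalise(typed)
    # Back off from the longest context to the empty one until a known
    # prefix is found.
    for start in range(len(ctx) + 1):
        counts = model.get(ctx[start:])
        if counts:
            return [ch for ch, _ in counts.most_common(k)]
    return []

def feedback(model, password):
    """Return (character, guessed) pairs; guessed=True corresponds to a cross."""
    return [(ch, normalise(ch) in predict(model, password[:i]))
            for i, ch in enumerate(password)]

if __name__ == "__main__":
    model = build_model(COMMON)
    for candidate in ("P@$$w0rd1", "vT7#km9Zx"):  # constructed inputs
        marks = "".join("x" if hit else "v" for _, hit in feedback(model, candidate))
        print(f"{candidate}: {marks}")
```

Because both the corpus and the typed text are normalised the same way, a password that satisfies the usual composition rules through substitution alone is predicted character for character.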

Stuart Schechter, one of the researchers who developed Telepathwords, admits that while the tool is helpful for rooting out bad passwords, some people will inevitably forget their passwords, and there are still some easy methods for stealing complex passwords. Schechter found back in 2008 that most secret question answers were remarkably easy to guess, which led to some websites phasing them out in favor of email verification.

Just how easy to guess is your password? Head to Telepathwords and let us know how you fare in the comments below.




User Comments: 15

4 people like this | davislane1 said:

Looks like my password system performs as expected... Tomorrow's headline: MS Research Database Hacked, Millions of Passwords Accidentally Logged on Telepathwords Compromised

Guest said:

After playing around with this for a few minutes it doesn't look all that impressive. All it appears to do is predict (3 possible) next characters you will type. It is case insensitive and gives no indication if what you enter is a strong password or not. Might as well type your password into Google and see what hits it gets.

Terrax said:

Only predicted one correct out of 13 characters. Woohoo!

BMfan said:

My one password from a few years ago it couldn't predict but unfortunately sites don't accept 6 character passwords anymore.

NTAPRO said:

My password used to be ass for yahoo and youtube for a good number of years lol. would've changed back if I could, but I guess it wasn't really worth it

Cycloid Torus said:

Unclear if significant. Quality of predictions may improve with time and more data. If more than half of characters are 'unpredictable' then I bet you're safe. Of course, passwords like 'password' are not.

Guest said:

Looks like my password system performs as expected... Tomorrow's headline: MS Research Database Hacked, Millions of Passwords Accidentally Logged on Telepathwords Compromised

Hahaha so true!

I've had the same password for at least 15 years on one of my email accounts and never had one problem with any hacking or anything. I attribute it to not being an ***** and not clicking on bs links or logging onto mail in unsecure places. It's really that simple.

ikesmasher said:

Website does not supply security info. I don't think I'll be entering my password in, just in case.

Adhmuz, TechSpot Paladin, said:

Tried one of my more complicated ones, it tries to put in suggestions and stuff, but none of which were accurate, however it still gives you poop when trying to use most numbers because hackers know to replace a 2 with an r? What? Or the predictions don't make any sense at all, almost like it's blindly trying to guess at all cost. Nor does it recognize simple keyboard patterns, yet still tells you that using a 5 in absolutely no context is too much like an s. Probably stealing passwords to resell to the highest bidder, so be wary of what you enter in.

p51d007 said:

13 character password, guessed 1 correctly

cliffordcooley, TechSpot Paladin, said:

If your password has few characters that Telepathwords could not guess, attackers may also find your password easy to guess.
Would the attacker be notified which characters are correct and which are not? I fail to see how this makes any sense. If the attacker doesn't know which characters are correct, they couldn't guess the incorrect characters.

It is my understanding that the password is either 100% correct, or it is rejected as being 100% wrong. I don't understand where the shade of gray is at, allowing for such a concept as Telepathwords predicting incorrect characters.

captaincranky, TechSpot Addict, said:

What I'm not getting here, is how many guesses the program gets! Does the program have to get it right on its first try? If not, then all this is really, is a brute force password cracker in reverse.

In the real world, you usually only get 3 tries to get the entire sequence correct, and then you get sent to the corner for a "time out".

In another article here, the theory was if a computer was guessing, all you had to do, was use plain English, @ 14 characters or more.

With how M$ has ostensibly let M$ Essentials slip in quality, this is perhaps a diversionary publicity stunt, to make you think they're doing something towards protecting you.

If I had my druthers, I'd ruther have them bring the AV program back up to snuff.

This might be what we get, now that IBM is allowing time sharing with its "Watson" supercomputer.

(OK, that was just a guess, but isn't guessing the spirit of this whole affair)?

frog98146 said:

It got 6 of 12, 4 of 13, and 2 of 12. I just changed some of my passwords. Good to know hacker will guess only 2 of 12, right off the bat.

frog98146 said:

Well it's like a combo lock 4+10 You start with 0000, 0001, 0003. My old combo was 9229 I figured they give up by then.

Letters = 26, numbers = 10 Password 6-13. Now you can add caricature !@#$%&?+.

Some passwords now requiring at least 1 Upper Case, 1 Lower Case, 1 Number, 1 Special Caricature, and 13 Caricatures long.

And if you can't find your password! They want your right arm and your first born to get it.

And now they ask questions. I answered my High School but I spelled it backwards. Tsew Not West. That is one of my High Schools but that was not the school I used.

And where do you keep the file so you don't forget. And now of all the hoops some sites won't let you use the last 6 passwords you used when you reset your passwords.
