A View from Rachel Metz
A New Tool Plays Mind Reader With Your Passwords
Microsoft Research’s Telepathwords demonstrates how strong (or weak) your passwords are by guessing them as you type.
Not sure if “password1234” is the best password to keep intruders out of your e-mail account? A new online tool from Microsoft Research called Telepathwords can help you figure it out by guessing which character comes next as you type your password (although hopefully you already know that particular phrase is a poor choice). The better Telepathwords is at guessing what you’ll type, the easier it will likely be for someone trying to attack your inbox or online bank account protected by that password.
Released Thursday, Telepathwords incorporates common known passwords and common phrases. According to a Microsoft news release, it was also tested by “several hundred” Microsoft employees in order to provide data on how people come up with passwords and to train Telepathwords to detect shoddy password-choosing habits that hackers would probably be aware of. It’s interesting that, rather than simply giving users a “strength” score, the team behind it wants to show you, step by step, how good or bad your password is. Telepathwords was built by security researcher Stuart Schechter and four others.
The site is simple to use: you type the first letter or number of any password into a box and watch Telepathwords make three guesses as to what the next character will be. I tried this with a few passwords, and found that it had a pretty good idea of what I was going to type. When you’re done typing in your password, you see a series of check- and x-marks above it, showing which characters Telepathwords could guess and which it couldn’t. Occasionally, I was admonished with warnings such as: “Replacing a predictable letter with a key that looks similar? Attackers also know to substitute l for i, so it does little to improve your password.”
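To make the idea concrete, here is a small sketch of a next-character guesser of the kind described above. It is an added example, not Telepathwords' code: the word list is a constructed sample, and the look-alike table, the backoff rule and the G/S/- marks are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample list standing in for a corpus of common passwords.
COMMON = ["password", "password1", "password1234", "letmein", "iloveyou",
          "qwerty", "qwerty123", "monkey", "dragon", "123456"]
# Look-alike keys and the letter each imitates (an assumed, partial set).
LOOKALIKE = {"0": "o", "1": "i", "!": "i", "3": "e", "4": "a",
             "@": "a", "5": "s", "$": "s"}


def guess_next(prefix, k=3):
    """Return up to k likely next characters after `prefix`.

    If no corpus entry continues the whole prefix, back off to shorter
    and shorter suffixes of it (assumed strategy), ending with the most
    common first characters.
    """
    for start in range(len(prefix) + 1):
        tail = prefix[start:]
        counts = Counter(w[len(tail)] for w in COMMON
                         if w.startswith(tail) and len(w) > len(tail))
        if counts:
            return [c for c, _ in counts.most_common(k)]
    return []


def score(password):
    """Mark each character: 'G' guessed, 'S' guessed look-alike, '-' not guessed."""
    canon, marks = "", []
    for ch in password.lower():
        guesses = guess_next(canon)
        if ch in guesses:
            marks.append("G")
        elif LOOKALIKE.get(ch) in guesses:
            marks.append("S")
            ch = LOOKALIKE[ch]  # carry on as if the plain letter had been typed
        else:
            marks.append("-")
        canon += ch
    return marks


if __name__ == "__main__":
    for pw in ("password1234", "p@ssw0rd", "zv9#kt"):
        print(pw, "".join(score(pw)))
```

A password whose marks are mostly G or S is one the guesser reconstructs from its list, which is the signal the site shows instead of a single strength score.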
The site does collect the characters you type, sending them to a Microsoft Research server in order to make guesses about what you’ll type next. It also keeps track of how you move your computer mouse and the timing of when you add or delete characters from your password. The site indicates this data is encrypted within your Web browser, and it may eventually be used for related research.