Microsoft ‘Telepathwords’ Tool Aims To Boost Password Strength

A group of researchers at Microsoft have created a tool that guesses passwords in real time as a way of helping users select better sequences of numbers, letters and special characters to protect their data.

The system, called Telepathwords, models the way that attackers attempt to guess passwords based on common patterns used in passwords. It behaves like the autocomplete in word processors and search engines, except that the user's aim is to keep the system from being able to complete the password.

Guessing attacks

Users will quickly find that replacing an “a” with an “@” symbol or an “e” with a “3” does not result in a password that is appreciably stronger, Stuart Schechter, researcher at Microsoft Research, said in an email interview.

“Telepathwords is designed to help users create passwords strong enough to prevent online guessing attacks, in which an [attacker] might get up to a million guesses,” he said.

Schechter, along with four other researchers from Microsoft and Carnegie Mellon University, created Telepathwords based on stores of publicly available records of the types of passwords that people have chosen in the past. Last week, for example, 2 million usernames and passwords for a variety of accounts were found on a cyber-criminal group’s server. And breaches at LivingSocial, LinkedIn and other popular sites have resulted in millions of passwords being leaked to the Internet.

The Telepathwords site is less about protecting against such leaks and more about hardening users’ passwords against guessing attacks. The site aims to educate users about the ease with which attackers are able to use well-known rules to guess the most common passwords.

Stronger passwords needed

While websites commonly call for users to create passwords with at least one lowercase letter, uppercase letter, number and symbol, many of the passwords chosen by following the rules – such as “P@$$w0rd1” and “Querty123!” – are easily guessed, Microsoft Research stated in its post.

“Adhering to the rules doesn’t guarantee that your account or your password-protected data will remain secure,” the company said. “If you specify one of these passwords, most login systems won’t raise any objections.”
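The gap between composition rules and guessability described above can be shown with a short check. This is an added example, not code from Telepathwords or Microsoft Research; the word list, the substitution table and the function names are constructed for illustration and are far simpler than a real guessing model.

```python
import re

# Constructed sample list holding the base words of the two passwords the
# article quotes; a real check would load a large breached-password corpus.
COMMON_BASES = {"password", "querty", "qwerty", "letmein", "welcome"}

# Common character substitutions, mapped back to the letter they stand for.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "0": "o", "1": "i",
                      "!": "i", "$": "s", "5": "s", "7": "t"})


def meets_composition_rules(pw: str, min_len: int = 8) -> bool:
    """Typical site policy: lowercase, uppercase, digit and symbol."""
    return (len(pw) >= min_len
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def guessable_base(pw: str):
    """Return the common word the password reduces to, or None."""
    lowered = pw.lower()
    # Try progressively shorter prefixes so appended digits and symbols
    # ("...1", "...123!") are treated as a suffix, not part of the word.
    for end in range(len(lowered), 3, -1):
        candidate = lowered[:end]
        # Check the prefix as typed and with substitutions undone.
        for form in (candidate, candidate.translate(LEET)):
            if form in COMMON_BASES:
                return form
    return None


def assess(pw: str) -> dict:
    """Compare the policy verdict with the guessability verdict."""
    return {"policy_ok": meets_composition_rules(pw),
            "reduces_to": guessable_base(pw)}


if __name__ == "__main__":
    for sample in ("P@$$w0rd1", "Querty123!", "vT9#kqLm2x"):
        print(sample, assess(sample))
```

Both passwords quoted in the article pass the policy check yet reduce to a listed word, which is the case a rules-only login form does not catch.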

Microsoft’s Schechter envisions people using the Telepathwords site to try out current or future passwords. The system does not retain or communicate passwords and uses obfuscation techniques to avoid helping any would-be attacker.

“While no security system is perfect, we’ve taken extensive precautions to protect the data sent between your browser and the servers Telepathwords uses to provide predictions,” he said. “We not only encrypt the data, but we work to hide the size of the data going back and forth to prevent attacks that might attempt to infer the contents of communications from the data sizes.”

In addition to avoiding weak passwords, users should not reuse passwords, as a breach of one service could lead to attackers using the same passwords on other services.

Originally published on eWeek.

Robert Lemos

Robert Lemos covers cyber security for TechWeekEurope and eWeek
