Thursday, December 05, 2013

Think your passwords rock? Check out Telepathwords from Microsoft Research (which might have you thinking again about those passwords)

Microsoft Research - Avoiding Vulnerable Passwords—and Rules, Too

You could think of it as a brainteaser: Create a sequence of eight or more characters that includes at least one uppercase letter, one lowercase letter, a digit, and a symbol, that doesn’t contain any words in English, and that is memorable enough that you can recall it.

For most of us, unfortunately, the challenge posed by these rules isn’t fun—it’s a painful chore forced upon us when choosing a password to access an email account, a company network, or a website.

Passwords that contain symbols and uppercase letters to meet these rules also tend to be difficult to type, especially on mobile devices.

Even worse, adhering to the rules doesn’t guarantee that your account or your password-protected data will remain secure. A surprising number of passwords that follow these rules are easily guessed by malicious hackers: “P@$$w0rd1,” for example, or “Qwerty123!”. If you specify one of these passwords, most login systems won’t raise any objections.


The free online research tool, launched Dec. 5, is called Telepathwords. Users can visit the project website and test the strength of their passwords—current ones, past ones, or ones they’re considering using.

“The system doesn’t ask the user to learn anything up-front or follow any specific rules,” Schechter says. “Rather, as you type each key of your intended password, it displays the characters it thinks you’re most likely to type next. If it succeeds in predicting one or more characters of the rest of your password, the evidence that these characters are predictable will be right in front of your eyes.”



Using Telepathwords feels similar to the autocomplete feature in search engines, except that it discourages you from following its predictions. Predictable characters don’t do much to increase the security of your password against those who might try to guess it, so if you type one of the three characters predicted by Telepathwords, a red X will appear above it. If you choose a character that is not among those predicted by Telepathwords, a green checkmark will appear above it.

While not truly telepathic, Telepathwords is endowed with great deal of knowledge about how users choose passwords. It knows all the usual substitutions, such as substituting the dollar sign ($) for an S. Telepathwords also looks for passwords constructed by moving a finger around the keyboard, regardless of direction. It has an extensive list of known-popular passwords, as well as a dictionary of English words and a list of common phrases obtained from Microsoft’s Bing search engine. And it’s wise to all sorts of tricks that users have devised—and attackers have long recognized—such as putting an asterisk between the letters of a familiar word.

Telepathwords also responds—with a diplomatically worded pop-up message—to passwords that rely on common substitutions or contain profanity, both of which attackers also are keenly aware.





Kind of fun and kind of scary all at the same time...

No comments: