The recent wave of data breaches on a number of popular sites and Web service providers should definitely be a cause for concern to most users. Malicious attacks on the likes of Yahoo!, Facebook and Adobe should act as a catalyst for us to review our current account setup and make changes accordingly to improve the strength of our passwords, even if our data wasn’t amongst the batch that was compromised in any of the attacks. Microsoft Research is well aware that password strength is one of the most vital components in combating such breaches, and as such has created the Telepathwords tool, which tries to guess the next character of a password based on a large database and complex query patterns.
The Web-based tool is part of a program that involved Microsoft’s research team and was led by a PhD student from Carnegie Mellon University. The service is intended to bring the issue of password security and vulnerability to the forefront of people’s minds and has the mission of “preventing weak passwords by reading your mind”. If you take the service literally, then it can all start to get a little creepy. As much as we love Microsoft, we certainly don’t want the Redmond-based company reading our thoughts. The non-literal explanation is that Telepathwords attempts to make predictions of the password being entered by using programmed knowledge.
The database behind the service contains a large list of passwords that have been shown to be commonly used by the public. Ironically, that list has actually been bolstered by including common passwords that have been found in the lists made public by security breaches. The underlying brain of the MSR tool also queries against common phrases that are regularly found on websites and search queries as well as looking for common password selection behavior such as using keys next to one another on the keyboard. When the user begins typing in a password, Telepathwords uses all of this power to predict the next character with alarming success.
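The prediction idea described above can be sketched in a few lines. This is an added illustration, not Microsoft Research's code: the word list and keyboard rows are small constructed samples, and the function names `predictNext` and `predictability` are hypothetical.

```javascript
// Toy next-character predictor combining a common-password list,
// keyboard-adjacency walks and character repetition.
// COMMON and ROWS are constructed sample data, not the real Telepathwords database.
const COMMON = ["password", "password1", "passw0rd", "123456", "qwerty", "letmein", "iloveyou"];
const ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"];

// Return a Map of predicted next character -> reason for the prediction.
function predictNext(prefix) {
  const p = prefix.toLowerCase();
  const guesses = new Map();
  // Ignore out-of-range lookups (undefined); the first reason recorded wins.
  const add = (ch, why) => { if (ch && !guesses.has(ch)) guesses.set(ch, why); };

  // 1. Continuation of any listed common password that starts with the prefix.
  for (const w of COMMON) {
    if (p.length > 0 && w.length > p.length && w.startsWith(p)) {
      add(w[p.length], "common password");
    }
  }
  if (p.length >= 2) {
    const a = p[p.length - 2], b = p[p.length - 1];
    // 2. Keyboard walk: last two keys are neighbours on one row, so
    //    predict the next key in the same direction.
    for (const row of ROWS) {
      const i = row.indexOf(a), j = row.indexOf(b);
      if (i >= 0 && j >= 0 && Math.abs(j - i) === 1) add(row[j + (j - i)], "keyboard walk");
    }
    // 3. Repetition: the same character typed twice tends to be typed again.
    if (a === b) add(b, "repeated character");
  }
  return guesses;
}

// Fraction of characters after the first that the predictor guessed correctly.
// A value near 1 means the password is highly predictable.
function predictability(password) {
  if (password.length < 2) return 0;
  let hits = 0;
  for (let k = 1; k < password.length; k++) {
    if (predictNext(password.slice(0, k)).has(password[k].toLowerCase())) hits++;
  }
  return hits / (password.length - 1);
}
```

A password such as `qwerty` scores 1 here because every character after the first is predicted, while a string with no list match, keyboard walk or repetition scores 0.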
The fun little tool is definitely worth checking out, even if just to see how easy your main password is to predict. All entries into the website are encrypted in the browser before they are logged and sent to the Microsoft Research team servers to be queried.
Head over to this website to get started: telepathwords.research.microsoft.com