A group of researchers at Microsoft have created a tool that guesses passwords in real time as a way of helping users select better sequences of numbers, letters and special characters to protect their data.
The system, called Telepathwords, models the way attackers guess passwords by exploiting the patterns people commonly use when choosing them. It behaves like the auto-complete feature of word processors and search engines, except that here the user's goal is to keep the system from predicting the next character of the password: every character it predicts correctly is one an attacker would likely guess as well.
Users will quickly find that replacing an “a” with an “@” symbol or an “e” with a “3” does not result in a password that is appreciably stronger, Stuart Schechter, researcher at Microsoft Research, said in an email interview.
“Telepathwords is designed to help users create passwords strong enough to prevent online guessing attacks, in which an [attacker] might get up to a million guesses,” he said.
Schechter, along with four other researchers from Microsoft and Carnegie Mellon University, built Telepathwords' predictions from publicly available records of the passwords people have chosen in the past, much of it exposed by breaches. Last week, for example, 2 million usernames and passwords for a variety of accounts were found on a cyber-criminal group's server. And breaches at LivingSocial, LinkedIn and other popular sites have resulted in millions of passwords being leaked to the Internet.
The Telepathwords site is less about protecting against such leaks and more about hardening users’ passwords against guessing attacks. The site aims to educate users about the ease with which attackers are able to use well-known rules to guess the most common passwords.
While websites commonly require users to create passwords containing at least one lowercase letter, uppercase letter, number and symbol, many of the passwords chosen to satisfy those rules, such as "P@$$w0rd1" and "Qwerty123!", are easily guessed, Microsoft Research stated in its post.
“Adhering to the rules doesn’t guarantee that your account or your password-protected data will remain secure,” the company said. “If you specify one of these passwords, most login systems won’t raise any objections.”
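To make the point in the three preceding paragraphs concrete, the following is an added example, not code from Telepathwords or from the Microsoft Research post. It models a simple rule-based attacker the way the article describes one: start from a short, constructed list of common base words (a stand-in for the large leaked-password corpora the real tool is built on), apply the routine case changes, "leet" substitutions and suffixes, and count how many guesses it takes to reach a given password. The base-word list, substitution table, suffix list and the complexity rule are all assumptions chosen for illustration.

```python
import itertools

# Constructed stand-in for leaked-password data: a few base words ordered from
# most to least common. The real tool draws on far larger public corpora.
COMMON_BASES = ["password", "qwerty", "letmein", "welcome", "monkey", "dragon"]

# Substitutions attackers try as a matter of routine ("mangling rules").
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}

# Suffixes people append to satisfy digit/symbol requirements.
SUFFIXES = ["", "1", "123", "!", "1!", "123!"]


def leet_variants(word):
    """Yield `word` with every combination of the LEET substitutions applied,
    starting with no substitutions at all."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for flip, i in zip(mask, positions):
            if flip:
                chars[i] = LEET[chars[i]]
        yield "".join(chars)


def case_variants(word):
    """The three capitalisations almost everyone picks from."""
    yield word
    yield word.capitalize()
    yield word.upper()


def candidate_guesses():
    """Enumerate guesses in the order this toy rule-based attacker tries them."""
    seen = set()
    for base in COMMON_BASES:
        for cased in case_variants(base):
            for leeted in leet_variants(cased):
                for suffix in SUFFIXES:
                    guess = leeted + suffix
                    if guess not in seen:  # skip duplicates such as "QWERTY" twice
                        seen.add(guess)
                        yield guess


def guesses_needed(password, limit=1_000_000):
    """Return the 1-based position of `password` in the attacker's guess order,
    or None if it is not reached within `limit` guesses (the online-attack
    budget the article mentions)."""
    for n, guess in enumerate(candidate_guesses(), start=1):
        if n > limit:
            return None
        if guess == password:
            return n
    return None


def meets_complexity_rules(password):
    """A typical site rule: at least 8 characters with lowercase, uppercase,
    a digit and a symbol. Assumed for illustration."""
    return (len(password) >= 8
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def report(password):
    """Summarise whether a password passes the rule and how fast it falls."""
    return {
        "password": password,
        "passes_rules": meets_complexity_rules(password),
        "guesses_needed": guesses_needed(password),
    }


if __name__ == "__main__":
    for pw in ["P@$$w0rd1", "Qwerty123!", "correct horse battery"]:
        print(report(pw))
```

"P@$$w0rd1" and "Qwerty123!" both satisfy the complexity rule yet are reached within the first few hundred guesses, because the rule checks character classes while the attacker enumerates patterns; the substitutions the article warns about ("@" for "a", "3" for "e") only move a password a few positions down the same list. The toy attacker's vocabulary is tiny, so a "not found" result here says nothing about a real attacker with a full leaked corpus; the point is the ordering, not the coverage.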
Microsoft’s Schechter envisions people using the Telepathwords site to try out current or future passwords. The system does not retain or communicate the passwords, he said, and it uses obfuscation techniques so that its traffic offers nothing useful to a would-be attacker.
“While no security system is perfect, we’ve taken extensive precautions to protect the data sent between your browser and the servers Telepathwords uses to provide predictions,” he said. “We not only encrypt the data, but we work to hide the size of the data going back and forth to prevent attacks that might attempt to infer the contents of communications from the data sizes.”
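The second precaution in that quote, hiding message sizes so that an observer of the encrypted traffic cannot infer the contents, is easy to illustrate. The following is an added example, not Telepathwords' actual wire format, which the article does not describe: it pads every prediction request and response to a fixed block size, and shows that unpadded encodings leak the length of the typed prefix and the number of predictions returned while padded ones do not. The JSON field names and the 512-byte block are assumptions.

```python
import json

BLOCK = 512  # assumed fixed wire size for every message in either direction


def encode_plain(obj):
    """Compact JSON with no padding: its length tracks the content."""
    return json.dumps(obj, separators=(",", ":")).encode()


def encode_padded(obj, block=BLOCK):
    """4-byte big-endian length prefix, body, then zero bytes up to `block`."""
    body = encode_plain(obj)
    if len(body) + 4 > block:
        raise ValueError("message does not fit in one padded block")
    return len(body).to_bytes(4, "big") + body + b"\0" * (block - 4 - len(body))


def decode_padded(blob):
    """Inverse of encode_padded: read the length prefix, parse only the body."""
    n = int.from_bytes(blob[:4], "big")
    return json.loads(blob[4:4 + n].decode())


def wire_sizes(messages, padded):
    """Lengths an eavesdropper would see for each message, with or without padding."""
    enc = encode_padded if padded else encode_plain
    return [len(enc(m)) for m in messages]


# Constructed sample exchange: the browser sends the prefix typed so far,
# the server answers with its predictions for the next character.
REQUESTS = [{"prefix": p} for p in ("P", "P@", "P@$", "P@$$w0rd")]
RESPONSES = [
    {"next": ["a", "@", "4"]},
    {"next": ["s", "$"]},
    {"next": ["s", "$", "5", "z"]},
    {"next": ["1"]},
]


def size_leaks(messages):
    """True if message lengths alone let an observer tell the messages apart."""
    return len(set(wire_sizes(messages, padded=False))) > 1


def padding_hides(messages):
    """True if every padded message has the same length on the wire."""
    return len(set(wire_sizes(messages, padded=True))) == 1


if __name__ == "__main__":
    print("unpadded request sizes:", wire_sizes(REQUESTS, padded=False))
    print("padded request sizes:  ", wire_sizes(REQUESTS, padded=True))
    print("round trip:", decode_padded(encode_padded(RESPONSES[2])))
```

Fixed-size padding closes the size channel but not the timing or count channels: one request per keystroke still tells an observer how many characters were typed, so a deployment worried about that would also batch or pace the requests. Padding also costs a full block per message, which is why it suits short prediction messages better than bulk data.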
In addition to avoiding weak passwords, users should not reuse passwords, because a breach of one service lets attackers try the same credentials against other services.