How strong is your password? Microsoft's Telepathwords may well predict it

The above example was easily predicted.

In the wake of the huge password breach where sites such as Facebook and Yahoo! were compromised, Microsoft developers have released a tool to curb the issue of account hacking.

Experimental project Telepathwords detects how risky passcodes are by predicting your password-setting habits. The engine utilises a collection of passwords in its database along with an AI to make accurate predictions.

Common passwords made public through security breaches, along with common password-selection behaviours such as “123456”, are also easily predicted by the program.

Microsoft says the prediction engine used to operate Telepathwords is extremely complex.

“To guess the next character you’ll type, we send the characters you have already typed to query our prediction engine. The prediction engine uses a database of common passwords and phrases that is too large for us to send to your computer.”

The Windows Club reports the tool is extremely prompt, as it can guess the next character the user is about to type. Users are advised to immediately change any password that Telepathwords successfully predicts.
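The next-character prediction described in the quote above can be sketched as follows. This is an added example, not Microsoft's code or part of the original article; the sample corpus, the four-character context, and the three guesses per keystroke are assumptions made for illustration.

```python
from collections import Counter, defaultdict

START = "\x00"  # marks the beginning of a password so first characters get their own context

# Constructed sample list standing in for the "database of common passwords and
# phrases"; a real meter would load a far larger, breach-derived corpus.
SAMPLE_CORPUS = ["123456", "password", "password1", "qwerty", "letmein",
                 "iloveyou", "monkey", "dragon", "passw0rd"]

def build_index(corpus, max_context=4):
    """Map every context of 1..max_context preceding characters to next-character counts."""
    index = defaultdict(Counter)
    for word in corpus:
        w = START + word
        for i in range(1, len(w)):
            for n in range(1, min(max_context, i) + 1):
                index[w[i - n:i]][w[i]] += 1
    return index

def predict_next(index, typed, k=3, max_context=4):
    """Return up to k guesses for the next character, longest matching context first."""
    t = START + typed
    guesses = []
    for n in range(min(max_context, len(t)), 0, -1):
        for ch, _count in index.get(t[-n:], Counter()).most_common():
            if ch not in guesses:
                guesses.append(ch)
            if len(guesses) == k:
                return guesses
    return guesses

def unpredicted_count(index, password, k=3):
    """Count characters that were not among the k guesses shown before they were typed."""
    return sum(1 for i, ch in enumerate(password)
               if ch not in predict_next(index, password[:i], k))

if __name__ == "__main__":
    idx = build_index(SAMPLE_CORPUS)
    for pw in ["password", "passw0rd", "password9!", "xV7#kQ"]:
        print(f"{pw!r}: {unpredicted_count(idx, pw)} of {len(pw)} characters not predicted")
```

With this corpus, a substitution such as "passw0rd" scores no better than "password" because the variant is itself in the list, while only the characters appended after a common base count as unpredicted.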

The tool was tested by hundreds of Microsoft employees before release and is now available to the public.

Source: The Windows Club


40 Comments


Is this even relevant, if it can guess my next letter in my password?
I mean, in any attack I know, the attacker won't get any hints on what the first character(s) in a password is.

Am I missing something?

Microsoft has a password checker that lets you know if your password is weak or strong but this new site is much better!!

My results were 4 out of 20.

lol they do record data


"To guess the next character you'll type, we send the characters you have already typed to query our prediction engine. The prediction engine uses a database of common passwords and phrases that is too large for us to send to your computer.
To measure how much of an effect Telepathwords has on your behavior, we also send and maintain a log of your mouse movements and the timings of when characters are added to or removed from your password. This log does not contain the actual characters you type, but it does indicate whether each character was among those predicted by Telepathwords. We use this log for research intended to increase our understanding of how users choose passwords and how to help them choose better passwords in the future. This research may include collaborators outside Microsoft (such as the collaborators at Carnegie Mellon University who helped build Telepathwords) and we may share these logs with them for this purpose.
To protect the contents of the log, we encrypt log entries on your browser, before they are sent to our server. We do not keep the keys required to decrypt the log on any publicly-facing server. (Our servers create a random, unique key for each log, transfer that key to your client, and encrypt the key with a public key that is not stored on any publicly-facing server.)"

PUC_Snakeman said,
The easiest way to get passwords is to build a website where people will input them freely.
Just sayin'.

Because Microsoft doesn't have large databases filled with passwords? Remove the tinfoil hat.

If I don't know what the next character of my random password is then I doubt this tool can either.

*Edit*

8\q0sm,QB31"mW9,oviMQj8.&+l2=w

Seems it guessed 2! This is not my password but one randomly generated the same way.

I must be doing alright, it only guessed 1 character in my password. Also, does anyone else think that every password you enter they are storing somewhere?

Pupik said,
My password is wDwTtI0JUKDERUIw. I doubt ANYONE will predict it.
I hope you are making a joke, otherwise, yes, someone will predict that.

Pupik said,
My password is wDwTtI0JUKDERUIw. I doubt ANYONE will predict it.

It's not as strong as it seems to be. It's long and random, but there are two issues; repeated letters and no symbols.

eddman said,

It's not as strong as it seems to be. It's long and random, but there are two issues; repeated letters and no symbols.


Why are repeated letters an issue? If anything, it's better than to just take words out of the dictionary.

And by the way, not my real password. Just generated a random 76-bit one in KeePass for the joke. My real passwords for services I care about are much more secure.

Symbols won't make any difference. The problem with so many password rules is they're designed around what's hard for humans to remember and type rather than what's difficult for a computer program to guess.

eddman said,
It's not as strong as it seems to be. It's long and random, but there are two issues; repeated letters and no symbols.

It's 2013 and we still have no batman symbol in the charsets. Why even bother then?

Spicoli said,
Symbols won't make any difference. The problem with so many password rules is they're designed around what's hard for humans to remember and type rather than what's difficult for a computer program to guess.

If you have any tips on making passwords that would be appreciated. I tend to just use LastPass' password generator, but if there's something more effective, I'd like to know.

The best is actually plain word sentences as there are far more possibilities, and they're easy to remember, so people don't pick an overly easy one like 123456. The problem with that is so many systems that have length limits on passwords for no good reason except that's what the programmer has seen in the past. The passwords should be converted to a digest so the storage is the same regardless of length.

eddman said,

It's not as strong as it seems to be. It's long and random, but there are two issues; repeated letters and no symbols.

It's as strong as it appears to be and stronger than you think it is. I don't like how difficult it is to remember but it's a secure password nonetheless.

Spicoli said,
The best is actually plain word sentences as there are far more possibilities, and they're easy to remember, so people don't pick an overly easy one like 123456. The problem with that is so many systems that have length limits on passwords for no good reason except that's what the programmer has seen in the past. The passwords should be converted to a digest so the storage is the same regardless of length.

Couldn't agree more. Some of my past passphrases when I was on a medical kick:

A mouth has 32 teeth, 1 tongue, gums, and saliva.
I have 206 bones and 1/2 of them are in my hands.

Pretty long, but easy to remember. It's mind boggling when you get an error: "Your password is too long". It's almost like getting an error: "Your password is too secure".