Psst: You're Not the Only One Who Knows Your Passwords
BY Doug Cantor
Microsoft's new tool can guess your passwords to show if they're vulnerable, but it'll take a lot more to thwart hackers.
It's finally happened: There's new technology that can read your mind.
On December 5, Microsoft's research division released Telepathwords, a free online tool that predicts the next character in your password before you type it. Input one letter into a text field, and the Telepathwords site returns three guesses for what the next one will be based on a database of commonly used phrases and password choices. For each character the tool correctly predicts, a green check mark appears.
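To make the mechanism concrete, here is a toy next-character predictor in the spirit of Telepathwords. This is an added example written for this article, not Microsoft's code, and the list of "common passwords" it trains on is a small constructed sample rather than the tool's real database. For each prefix typed so far it looks up which character most often followed that prefix in the corpus, falling back to a last-character table and then to plain frequency once the prefix is one the corpus has never seen; the three most common candidates are the tool's three guesses, and a character that lands among them earns the equivalent of a green check.

```python
from collections import Counter

# Constructed sample of common passwords and phrases. It stands in for the
# database Telepathwords draws on; it is not Microsoft's list.
COMMON_PASSWORDS = [
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "iloveyou", "welcome", "dragon", "monkey", "football", "baseball",
    "abc123", "admin", "sunshine", "princess", "trustno1", "master",
    "hello", "freedom", "whatever", "shadow", "superman", "michael",
    "seahawks", "packers", "steelers", "cowboys", "patriots",
]

def build_model(corpus):
    """Count, for every prefix seen in the corpus, which character follows it.
    Two coarser tables (last character -> next, and overall frequency) serve
    as fallbacks once the typed prefix leaves the corpus."""
    by_prefix = {}          # "passw" -> Counter({"o": 2})
    by_last_char = {}       # "w" -> Counter of what followed a "w" anywhere
    overall = Counter()     # global character frequency
    for word in corpus:
        w = word.lower()
        for i, ch in enumerate(w):
            by_prefix.setdefault(w[:i], Counter())[ch] += 1
            if i > 0:
                by_last_char.setdefault(w[i - 1], Counter())[ch] += 1
            overall[ch] += 1
    return by_prefix, by_last_char, overall

def predict_next(model, typed, k=3):
    """Top-k guesses for the next character given what has been typed so far."""
    by_prefix, by_last_char, overall = model
    typed = typed.lower()
    if typed in by_prefix:
        counts = by_prefix[typed]
    elif typed and typed[-1] in by_last_char:
        counts = by_last_char[typed[-1]]
    else:
        counts = overall
    return [ch for ch, _ in counts.most_common(k)]

def score(model, password, k=3):
    """One boolean per character: True means the character was among the
    top-k predictions, i.e. it would earn a green check in the tool."""
    return [ch.lower() in predict_next(model, password[:i], k)
            for i, ch in enumerate(password)]

def unpredictable_chars(model, password, k=3):
    """Characters the predictor missed; only these contribute real surprise."""
    return sum(1 for hit in score(model, password, k) if not hit)

if __name__ == "__main__":
    model = build_model(COMMON_PASSWORDS)
    for pw in ("password1", "Seahawks", "xK7#qZ"):
        marks = "".join("v" if hit else "." for hit in score(model, pw))
        print(f"{pw:12} {marks:12} unpredictable={unpredictable_chars(model, pw)}")
```

Run against this sample corpus, every character of "password1" and of "Seahawks" is predicted, while a random string like "xK7#qZ" is missed at every position. The caveat a practitioner should keep in mind is that a check mark only says the character was predictable from this corpus; a password that escapes the predictor is not thereby strong, it is merely not in the predictor's vocabulary.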
Developed by a team of security researchers, the "mind-reading" ability is ostensibly for benevolent purposes: Telepathwords is an effort to get people to strengthen their passwords. If the tool can guess that you use your local NFL team's nickname to access your Facebook account, it's highly likely that a hacker will be able to do so, too.
Microsoft logs your mouse movements and the timing of each change to your password on the Telepathwords site for research purposes. The company says that it records whether its prediction engine correctly guessed each character you typed, but that the characters themselves are encrypted in your browser before anything is sent to a Microsoft server.
Advanced as it is, Telepathwords is just one of many attempts to improve passwords that ultimately won't do much to combat hackers, says cybersecurity expert Bruce Schneier. "I think these tools are interesting," he says. "It's a new approach, but in terms of impact to security, it's probably negligible." Part of the problem is that Telepathwords is likely to be used mainly by people who are already fairly well-versed in password security, he adds.
Even with Telepathwords's assistance, it's exceedingly difficult to come up with a theft-proof string of characters, says Jeremi Gosney, the founder of Stricture Consulting Group, a password-security firm. "People are very predictable, and we all tend to think similarly," he says. "Password crackers know all the tricks you use. The only way you can really stay ahead of them is to use unique, randomly generated passwords for each site and service you use, through a password manager such as LastPass or 1Password."
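What "randomly generated" buys you can be put in numbers. The example below is added for this article and is not code from LastPass, 1Password or Gosney; it shows the core of what a password manager's generator does, drawing each character uniformly from a 94-symbol alphabet with the operating system's cryptographic random source, and then computes the entropy of the result and the average time a brute-force attacker would need at an assumed guess rate. The alphabet and the guess rate of 1e11 per second are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character set a manager would draw from: printable ASCII without whitespace.
ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols

def generate_password(length=16, alphabet=ALPHABET):
    """Draw each character uniformly from the alphabet with the OS CSPRNG.
    Nothing about the user, the site or earlier passwords feeds in, so there
    is no pattern for a cracker's rules or a predictor to exploit."""
    if length < 1:
        raise ValueError("length must be at least 1")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random password: log2(|alphabet| ** length)."""
    return length * math.log2(len(set(alphabet)))

def expected_crack_seconds(bits, guesses_per_second):
    """Mean time to hit a password of `bits` entropy by brute force: on
    average the attacker succeeds after trying half the space."""
    return 2.0 ** (bits - 1) / guesses_per_second

if __name__ == "__main__":
    # One fresh secret per site, as a password manager would store them.
    # The site names are placeholders, not real accounts.
    vault = {site: generate_password(16) for site in ("example.com", "mail.example.net")}
    for site, pw in vault.items():
        print(f"{site:20} {pw}")
    bits = entropy_bits(16)
    years = expected_crack_seconds(bits, 1e11) / 3.15e7
    print(f"{bits:.1f} bits; roughly {years:.2e} years at 1e11 guesses/s (assumed rate)")
```

Sixteen characters from this alphabet give about 105 bits of entropy, which is far beyond any guess rate a cracking rig can sustain; the reason human-chosen passwords fall is not that they are short but that, as Gosney says, they follow patterns the attacker's rules already encode, so their effective entropy is a fraction of the nominal figure.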
Unfortunately, Schneier says, no matter how much people are warned about the dangers of weak passwords, most won't do much to strengthen them.
"It used to be 'password' was the most common password," Schneier says. "Now it's 'password1.'"