Microsoft has unveiled a rather unlikely weapon in the war against users who choose weak passwords – telepathy.
The telepathic power, of course, comes from computing, not magic, and illustrates very clearly which passwords are easy for a computer to “guess” – the tool Telepathwords, guesses the next letter as you type in a password.
Naturally, going for classic “bad” passwords will lead to Telepathwords guessing every single letter right, The Next Web reports. “For example, if you think a clever password would be p@$$w0rd, think again – the tool guesses it right instantly,” the site reports, “ If your password is zxserisljeerouiaer2345, on the other hand, its telepathic propensity flounders.”
The tool uses a database of real passwords chosen by users, such as those published after site breaches and artificial intelligence software. Users are advised to change passwords immediately if Telepathwords can “guess” them, according to NeoWin’s report.
“To guess the next character you’ll type, we send the characters you have already typed to query our prediction engine,” Microsoft says. “The prediction engine uses a database of common passwords and phrases that are too large for us send to your computer”.
The tool looks for characters that are commonly used next to one another in passwords, as well phrases used in web searches, Microsoft says.
The tool was created by researcher Stuart Schechter and shows, he says, that adhering to rules put in place to ensure “strong” passwords – such as a requirement for numbers or special characters – often leads to weak ones.
“A surprising number of passwords that follow these rules are easily guessed by malicious hackers: “P@$$w0rd1,” for example, or “Qwerty123!”. If you specify one of these passwords, most login systems won’t raise any objections,” he writes.
Schechter is a specialist in how human behavior affects security, and created the tool using publicly available data, with a view to examining what effect “rules” had on password choice. He describes the process of choosing a password as being like a “brainteaser” to the user, “Create a sequence of eight or more characters that includes at least one uppercase letter, one lowercase letter, a digit, and a symbol, that doesn’t contain any words in English, and that is memorable enough that you can recall it.”
Schechter says that such rules have “potentially serious implications” not just for users, but for entire organizations. He hopes his tool will help educate users in which passwords are genuinely secure, adhere to rules, and are easy to type.
The security of passwords chosen by users has been under discussion recently, after a breach of Adobe’s systems led to 38 million passwords being published online. Two million of these were “123456”.
Half a million craftier customers chose “123456789”, according to a report by The Register, quoting researcher Jeremi Gosni, a self-styled “password security expert” who found the passwords in a dump online.
Adobe initially said that three million accounts were affected, but has since raised that figure to 38 million, with another 150 million at risk.
The Register called the list of passwords “pathetic”, saying that it made their staff, “wonder if criminals should have bothered breaking in to steal them: with 1.9 million users relying on “123456” there’s a better than one in one hundred chance of unlocking an Adobe account with blind luck.”
ESET Senior Research Fellow David Harley says that in cases where a large site has been breached, even users with “strong” passwords are at risk – and should think carefully about other sites where they may have used the same password:“Where your login credentials have been revealed, it’s obviously a good idea to change your password, and in fact the compromised site may force you to do so. However, an attacker is likely to assume that you use the same credentials on other sites, and he may try them on other sites of interest to him. (Of course, they may not be sites of interest to you.) So it’s a good idea (if an irksome task) to change your password on other sites that do use the same credentials.”
A We Live Security guide to some basic techniques for creating stronger passwords can be found here.
Author Rob Waugh, We Live Security