Preventing weak passwords by reading your mind

That is what the site Telepathwords, from Microsoft Research, proposes. The site estimates the strength of a password; the interesting part is the heuristics it uses.

After each typed character, it attempts to guess what the next character will be. If it guesses right, that character is considered weak (indicated by a red cross). How does it guess the characters?

Telepathwords tries to predict the next character of your password using knowledge of:

  • common passwords, such as those made public as a result of security breaches
  • common phrases, such as those that appear frequently on web pages or in common search queries
  • common password-selection behaviors, such as the use of sequences of adjacent keys

It considers the password strong if it contains at least six characters it could not guess.
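To make the mechanism concrete, here is a toy next-character predictor in the spirit of the three knowledge sources listed above. It is an added example, not Telepathwords' own code or dictionaries: the password list, the phrase list, the keyboard rows, the three-guesses-per-position limit and the round-robin merge of the predictors are all assumptions chosen for illustration; only the "six unguessed characters" threshold comes from the site's description.

```python
"""Toy Telepathwords-style next-character predictor (added example, not
Microsoft's code). For each prefix of the candidate password, three
predictors propose the next character; if the real next character is among
the merged top guesses it is marked as guessed (the red cross on the site).
The password is rated strong when at least MIN_UNGUESSED characters escaped
prediction. All dictionaries below are tiny constructed stand-ins."""

from collections import defaultdict

# Constructed sample knowledge bases standing in for the real dictionaries.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "azerty", "letmein", "iloveyou"]
COMMON_PHRASES = ["cogito ergo sum", "veni vidi vici"]
# Keyboard rows (US QWERTY and French AZERTY) for adjacent-key sequences.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm",
                 "azertyuiop", "qsdfghjklm", "wxcvbn", "1234567890"]

MAX_GUESSES = 3    # assumption: the predictor offers its three best guesses per position
MIN_UNGUESSED = 6  # the site's stated threshold for a strong password


def normalize(text):
    """Lower-case and drop spaces so phrases compare like typed passwords (toy simplification)."""
    return text.lower().replace(" ", "")


def build_ngram_model(phrases, order=2):
    """Count next characters for every 1..order character context.
    '^' marks the start so the model can also guess the first character."""
    model = defaultdict(lambda: defaultdict(int))
    for phrase in phrases:
        text = "^" + normalize(phrase)
        for i in range(1, len(text)):
            for k in range(1, order + 1):
                if i - k >= 0:
                    model[text[i - k:i]][text[i]] += 1
    return model


NGRAM_MODEL = build_ngram_model(COMMON_PHRASES)


def ranked(counter):
    """Characters sorted by descending count, then alphabetically (deterministic)."""
    return [ch for ch, _ in sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))]


def predict_from_passwords(prefix):
    """Next characters of known passwords that begin with the typed prefix."""
    counts = defaultdict(int)
    for pw in COMMON_PASSWORDS:
        pw = normalize(pw)
        if pw.startswith(prefix) and len(pw) > len(prefix):
            counts[pw[len(prefix)]] += 1
    return ranked(counts)


def predict_from_phrases(prefix):
    """N-gram guess from the phrase corpus, backing off to a one-character context."""
    ctx = ("^" + prefix)[-2:]
    for c in (ctx, ctx[-1:]):
        if c in NGRAM_MODEL:
            return ranked(NGRAM_MODEL[c])
    return []


def predict_from_keyboard(prefix):
    """Keys physically adjacent (same row) to the last typed key."""
    if not prefix:
        return []
    last, guesses = prefix[-1], []
    for row in KEYBOARD_ROWS:
        i = row.find(last)
        if i == -1:
            continue
        if i > 0:
            guesses.append(row[i - 1])
        if i + 1 < len(row):
            guesses.append(row[i + 1])
    return guesses


def guess_next(prefix):
    """Round-robin merge of the predictors' ranked guesses, deduplicated, top MAX_GUESSES."""
    sources = [predict_from_passwords(prefix),
               predict_from_phrases(prefix),
               predict_from_keyboard(prefix)]
    merged = []
    for i in range(max(len(s) for s in sources)):
        for s in sources:
            if i < len(s) and s[i] not in merged:
                merged.append(s[i])
    return merged[:MAX_GUESSES]


def analyze(password):
    """Mark each character as guessed or not and rate the password."""
    typed = normalize(password)
    marks = [(ch, ch in guess_next(typed[:i])) for i, ch in enumerate(typed)]
    unguessed = sum(1 for _, g in marks if not g)
    return {"marks": marks, "unguessed": unguessed,
            "strong": unguessed >= MIN_UNGUESSED}


def render(password):
    """Show the password with an 'x' under every character the predictor guessed."""
    result = analyze(password)
    line = "".join("x" if g else " " for _, g in result["marks"])
    verdict = "strong" if result["strong"] else "weak"
    return f"{normalize(password)}\n{line}  ({result['unguessed']} unguessed: {verdict})"


if __name__ == "__main__":
    for pw in ["azerty", "cogitoergosum", "aleajactaest"]:
        print(render(pw))
```

With these constructed dictionaries, "azerty" and "cogitoergosum" are guessed character by character and rated weak, while "aleajactaest" has only its first letter guessed and is rated strong; the verdict changes the moment a phrase is added to COMMON_PHRASES, which is the whole point of the next paragraph.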

Of course, the strength of the system relies on the richness of its dictionaries of common passwords and common phrases. Obviously, the game was to play with it. My first thought was that it would be purely English-centric. Thus, I tried French, and the first one was azerty. Azerty, of course, was weak. “abrutifrançais” (French for “French idiot”) was a strong password even without the special character ç. “Je pense donc je suis” was also rated medium (as it guessed the end). Let’s go further and switch to Latin. “CogitoErgoSum” was also weak, as was “venividivici”. But “aleajactaest” was extremely robust!!

For fun, I checked consistency with the Microsoft Password Checker. The answers are not consistent: for instance, “CogitoErgoSum” turns out to be strong whereas “aleajactaest” is medium.

As always, it is rather easy to trick this type of site. Nevertheless, the site clearly explains that it will not detect all weak passwords, especially those from languages other than English.
