{"id":287465,"date":"2013-12-05T09:00:53","date_gmt":"2013-12-05T17:00:53","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/research\/?p=287465"},"modified":"2016-09-11T16:14:44","modified_gmt":"2016-09-11T23:14:44","slug":"avoiding-vulnerable-passwords-rules","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/research\/blog\/avoiding-vulnerable-passwords-rules\/","title":{"rendered":"Avoiding Vulnerable Passwords\u2014and Rules, Too"},"content":{"rendered":"<p>You could think of it as a brainteaser: Create a sequence of eight or more characters that includes at least one uppercase letter, one lowercase letter, a digit, and a symbol, that doesn\u2019t contain any words in English, and that is memorable enough that you can recall it.<\/p>\n<p>For most of us, unfortunately, the challenge posed by these rules isn\u2019t fun\u2014it\u2019s a painful chore forced upon us when choosing a password to access an email account, a company network, or a website.<\/p>\n<p>Passwords that contain symbols and uppercase letters to meet these rules also tend to be difficult to type, especially on mobile devices.<\/p>\n<p>Even worse, adhering to the rules doesn\u2019t guarantee that your account or your password-protected data will remain secure. A surprising number of passwords that follow these rules are easily guessed by malicious hackers: \u201cP@$$w0rd1,\u201d for example, or \u201cQwerty123!\u201d. If you specify one of these passwords, most login systems won\u2019t raise any objections.<\/p>\n<p>For ordinary users, as well as entire organizations, this state of affairs has potentially serious implications. 
For <a href=\"https:\/\/www.microsoft.com\/en-us\/research\/people\/stus\/\" target=\"_blank\">Stuart Schechter<\/a> of Microsoft Research and several of his colleagues, it presented a compelling challenge: finding a way to help users avoid \u201cweak\u201d passwords\u2014those that might be too easy for attackers to guess\u2014that were allowed under the old rules, while simultaneously enabling users to choose passwords that are easy to type.<\/p>\n<p>Schechter, who studies the intersection of human behavior and computer security, is no stranger to debunking conventional wisdom about identity authentication. Several years ago, he and two collaborators wrote a paper revealing the risks of using \u201csecret questions\u201d as a secondary authentication measure when users need to reset a password.<\/p>\n<p>This time, with access to a huge store of publicly available data on password use and password-setting habits, Schechter and his colleagues\u2014<a href=\"https:\/\/www.microsoft.com\/en-us\/research\/people\/cormac\/\" target=\"_blank\">Cormac Herley<\/a>, <a href=\"https:\/\/www.microsoft.com\/en-us\/research\/people\/paulhsu\/\" target=\"_blank\">Bo-June (Paul) Hsu<\/a>, <a href=\"https:\/\/www.microsoft.com\/en-us\/research\/people\/riloynd\/\" target=\"_blank\">Ricky Loynd<\/a>, and former Microsoft Research intern and Carnegie Mellon University Ph.D. 
candidate <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" rel=\"noopener noreferrer\" href=\"http:\/\/www.salsite.com\/cv\/\" target=\"_blank\">Saranga Komanduri<span class=\"sr-only\"> (opens in new tab)<\/span><\/a>\u2014have created a tool that detects password vulnerability while forsaking password-strength rules that have been in force for more than 30 years.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-287468\" src=\"https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2016\/09\/Telepathwords.jpg\" alt=\"Telepathwords\" width=\"300\" height=\"169\" \/>The free online research tool, launched December 5, is called <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" rel=\"noopener noreferrer\" href=\"https:\/\/telepathwords.research.microsoft.com\/\" target=\"_blank\">Telepathwords<span class=\"sr-only\"> (opens in new tab)<\/span><\/a>. Users can visit the project website and test the strength of their passwords\u2014current ones, past ones, or ones they\u2019re considering using.<\/p>\n<p>\u201cThe system doesn\u2019t ask the user to learn anything up-front or follow any specific rules,\u201d Schechter says. \u201cRather, as you type each key of your intended password, it displays the characters it thinks you\u2019re most likely to type next. 
If it succeeds in predicting one or more characters of the rest of your password, the evidence that these characters are predictable will be right in front of your eyes.\u201d<\/p>\n<div id=\"attachment_287471\" style=\"width: 891px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-287471\" class=\"size-full wp-image-287471\" src=\"https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2016\/09\/Telepathwords-user-interface.jpg\" alt=\"Telepathwords user interface\" width=\"881\" height=\"542\" srcset=\"https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2016\/09\/Telepathwords-user-interface.jpg 881w, https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2016\/09\/Telepathwords-user-interface-300x185.jpg 300w, https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2016\/09\/Telepathwords-user-interface-768x472.jpg 768w\" sizes=\"auto, (max-width: 881px) 100vw, 881px\" \/><p id=\"caption-attachment-287471\" class=\"wp-caption-text\">The user interface for Telepathwords makes it easy to assess the security of the password you&#8217;re considering.<\/p><\/div>\n<p>Using Telepathwords feels similar to the autocomplete feature in search engines, except that it discourages you from following its predictions. Predictable characters don\u2019t do much to increase the security of your password against those who might try to guess it, so if you type one of the three characters predicted by Telepathwords, a red X will appear above it. If you choose a character that is not among those predicted by Telepathwords, a green checkmark will appear above it.<\/p>\n<p>While not truly telepathic, Telepathwords is endowed with a great deal of knowledge about how users choose passwords. It knows all the usual substitutions, such as substituting the dollar sign ($) for an S. 
Telepathwords also looks for passwords constructed by moving a finger around the keyboard, regardless of direction. It has an extensive list of known-popular passwords, as well as a dictionary of English words and a list of common phrases obtained from Microsoft\u2019s <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" rel=\"noopener noreferrer\" href=\"http:\/\/www.bing.com\/\" target=\"_blank\">Bing<span class=\"sr-only\"> (opens in new tab)<\/span><\/a> search engine. And it\u2019s wise to all sorts of tricks that users have devised\u2014and attackers have long recognized\u2014such as putting an asterisk between the letters of a familiar word.<\/p>\n<p>Telepathwords also responds\u2014with a diplomatically worded pop-up message\u2014to passwords that rely on common substitutions or contain profanity, of both of which attackers are also keenly aware.<\/p>\n<p>The team tested Telepathwords with several hundred Microsoft employees who shared some of their favorite password-creation tactics to see if Telepathwords would detect them.<\/p>\n<p>\u201cWe saw firsthand the tricks people use to construct passwords and then figured out which ones we should assume attackers also know,\u201d Schechter says. \u201cWe then refined the system to detect these ill-advised password-creation behaviors.\u201d<\/p>\n<h2>Managing Passwords\u2019 Flaws<\/h2>\n<p>Even if Telepathwords succeeds in helping users choose passwords they can remember and that are hard for others to guess, some users will still forget their passwords, and passwords too complex to guess can be stolen in other ways. Schechter, who joined Microsoft Research in 2007 after getting his Ph.D. 
from Harvard University and spending three years at the Lincoln Laboratory at the Massachusetts Institute of Technology, started working on the problem of what to do when passwords are lost or compromised shortly after joining Microsoft.<\/p>\n<p>It used to be that if websites didn\u2019t have an email address at which a user could obtain a password-reset code, the gold standard for verifying a user\u2019s identity was to ask a so-called \u201csecret\u201d question\u2014such as \u201cwho\u2019s your favorite historical figure?\u201d or \u201cwhat\u2019s your favorite sports team?\u201d\u2014that the users answer when they first establish an account.<\/p>\n<div id=\"attachment_287474\" style=\"width: 310px\" class=\"wp-caption alignright\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-287474\" class=\"size-full wp-image-287474\" src=\"https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2016\/09\/Stuart-Schechter.jpg\" alt=\"Stuart Schechter\" width=\"300\" height=\"468\" srcset=\"https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2016\/09\/Stuart-Schechter.jpg 300w, https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2016\/09\/Stuart-Schechter-192x300.jpg 192w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><p id=\"caption-attachment-287474\" class=\"wp-caption-text\">Stuart Schechter<\/p><\/div>\n<p>Schechter, <a href=\"https:\/\/www.microsoft.com\/en-us\/research\/people\/ajbrush\/\" target=\"_blank\">A.J. 
Brush<\/a>, and Microsoft Research intern <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" rel=\"noopener noreferrer\" href=\"http:\/\/www.guanotronic.com\/~serge\/\" target=\"_blank\">Serge Egelman<span class=\"sr-only\"> (opens in new tab)<\/span><\/a>, now a researcher at the University of California, Berkeley and the International Computer Science Institute, <a href=\"https:\/\/www.microsoft.com\/en-us\/research\/publication\/its-no-secret-measuring-the-security-and-reliability-of-authentication-via-secret-questions\/\" target=\"_blank\">studied about two dozen of these questions<\/a>. They found that the answers to most were remarkably easy to predict.<\/p>\n<p>It turns out that a lot of Americans admire the presidents they learned about in elementary school and root for their local sports teams. The few questions that didn\u2019t have predictable answers were forgotten too often.<\/p>\n<p>The timing of that research project was impeccable. The week in 2008 that the researchers submitted their paper about secret questions, news outlets around the world reported that vice presidential candidate Sarah Palin\u2019s email account had been hacked. The weakness that enabled access to her account? The secret question about where Palin had met her husband, which was widely known to have been in high school in Wasilla, Alaska.<\/p>\n<p>Schechter and his colleagues take the same intuitively simple approach to those common answers that they do with common passwords: Choose a different question if your answer is popular enough that an attacker is likely to guess it.<\/p>\n<p>Their paper on secret questions led major providers of webmail and other high-value Internet services to start shifting away from the use of secret questions. Many augmented email-based verification with text messages sent to mobile phone numbers. 
Facebook adopted another approach pioneered by Schechter and colleagues: relying on users\u2019 <a href=\"https:\/\/www.microsoft.com\/en-us\/research\/publication\/its-not-what-you-know-but-who-you-know-a-social-approach-to-last-resort-authentication\/\" target=\"_blank\">trusted friends<\/a> and family members to verify their identity.<\/p>\n<h2>The End of Passwords?<\/h2>\n<p>As for the question of whether password authentication soon will become obsolete, Schechter notes that such predictions have been around as long as passwords have been used online. He points to <a href=\"https:\/\/www.microsoft.com\/en-us\/research\/publication\/the-quest-to-replace-passwords-a-framework-for-comparative-evaluation-of-web-authentication-schemes\/\" target=\"_blank\">work by Herley and others<\/a> that documents the reasons why other technologies have failed to replace passwords and why they are unlikely to do so in the future. For example, credentials that you carry with you are easy to forget and, like passwords, can be stolen.<\/p>\n<p>Schechter explains that as people start to log on to websites using email or social-media accounts, or to use a master password to keep their other passwords safe, they are increasing the importance of the passwords, which suddenly control even more resources.<\/p>\n<p>\u201cYou can move all your eggs to one basket,\u201d he says, \u201cbut in the end, there\u2019s usually a password protecting that basket.\u201d<\/p>\n<p>Seeing is believing: Check the <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" rel=\"noopener noreferrer\" href=\"https:\/\/telepathwords.research.microsoft.com\/\" target=\"_blank\">Telepathwords<span class=\"sr-only\"> (opens in new tab)<\/span><\/a> site, and learn how your passwords fare. 
You might be surprised.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>You could think of it as a brainteaser: Create a sequence of eight or more characters that includes at least one uppercase letter, one lowercase letter, a digit, and a symbol, that doesn\u2019t contain any words in English, and that is memorable enough that you can recall it. For most of us, unfortunately, the challenge [&hellip;]<\/p>\n","protected":false},"author":39507,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"msr-url-field":"","msr-podcast-episode":"","msrModifiedDate":"","msrModifiedDateEnabled":false,"ep_exclude_from_search":false,"_classifai_error":"","msr-author-ordering":[],"msr_hide_image_in_river":0,"footnotes":""},"categories":[194489],"tags":[201057,212168,212171,212186,212177,212174,186803,212183,212180],"research-area":[13558],"msr-region":[],"msr-event-type":[],"msr-locale":[268875],"msr-post-option":[],"msr-impact-theme":[],"msr-promo-type":[],"msr-podcast-series":[],"class_list":["post-287465","post","type-post","status-publish","format-standard","hentry","category-security","tag-computer-security","tag-human-behavior","tag-identity-authentication","tag-password-authentication","tag-password-vulnerability","tag-password-setting-habits","tag-passwords","tag-secret-questions","tag-telepathwords","msr-research-area-security-privacy-cryptography","msr-locale-en_us"],"msr_event_details":{"start":"","end":"","location":""},"podcast_url":"","podcast_episode":"","msr_research_lab":[],"msr_impact_theme":[],"related-publications":[],"related-downloads":[],"related-videos":[],"related-academic-programs":[],"related-groups":[],"related-projects":[],"related-events":[],"related-researchers":[],"msr_type":"Post","byline":"","formattedDate":"December 5, 2013","formattedExcerpt":"You could think of it as a brainteaser: Create a sequence of eight or more characters that includes at least one uppercase 
letter, one lowercase letter, a digit, and a symbol, that doesn\u2019t contain any words in English, and that is memorable enough that you&hellip;","locale":{"slug":"en_us","name":"English","native":"","english":"English"},"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/posts\/287465","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/users\/39507"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/comments?post=287465"}],"version-history":[{"count":3,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/posts\/287465\/revisions"}],"predecessor-version":[{"id":291125,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/posts\/287465\/revisions\/291125"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/media?parent=287465"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/categories?post=287465"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/tags?post=287465"},{"taxonomy":"msr-research-area","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/research-area?post=287465"},{"taxonomy":"msr-region","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-region?post=287465"},{"taxonomy":"msr-event-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-event-type?post=287465"},{"taxonomy":"msr-locale","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp
\/v2\/msr-locale?post=287465"},{"taxonomy":"msr-post-option","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-post-option?post=287465"},{"taxonomy":"msr-impact-theme","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-impact-theme?post=287465"},{"taxonomy":"msr-promo-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-promo-type?post=287465"},{"taxonomy":"msr-podcast-series","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-podcast-series?post=287465"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}