Microsoft's Telepathwords guesses (parts of) passwords that you type

Martin Brinkmann
Dec 11, 2013

If you have been using the Internet for some time, you know that password security is a serious issue nowadays.

It is not a single issue though, as several factors come into play. Many users prefer easy-to-remember passwords, as these make it easier for them to sign in to websites and services.

To make matters worse, it is fairly common that the same password is used across all services and websites, as it is more convenient than having to remember multiple passwords.

Password managers can resolve those issues easily, but they are not as commonly used as they should be.

This means that hacked accounts, whether through guessing, social engineering, man-in-the-middle attacks or spyware, are fairly common.

Microsoft's Telepathwords website has been designed to highlight how easy it is to guess part of passwords based on the characters a user enters.

To use the service, simply start entering a password. It does not have to be one that you actively use. There are certain limitations, but more about that later.

Once you type the first character, three guesses are displayed for what the next character or characters will be.

If you start with A, Microsoft's tool suggests N as in "and", B as in "abc123" and T as in "At" as the most likely choices.

The tool supports more than that though. It understands that numbers are sometimes used to replace words or letters, 1 and one for example, or 3 and e, and will include those in its suggestions.

While it is fairly sophisticated in that, it falls short if you use passwords that do not relate to common words or use common letter or word substitution techniques. A password like j09j2fj2hf2jfß2jfß2j_erhf0284hr cannot be guessed by Telepathwords no matter how good the engine is.

There are other situations where the outcome is far from ideal, for instance if you are using words that mean something to you but are not available to the service: a nickname, the name of your school, or your license plate. As the site points out, that does not mean those are secure, as they can be guessed by attackers who know you, or gathered through social engineering. The tool also works only for English words and not other languages.
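The next-character guessing described above can be sketched as a small password self-check. This is an added example, not Microsoft's code: the word list, the substitution pairs other than 3/e, and the function names are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample of common words/passwords. This is an assumption for the
# demo; the page does not say which data Telepathwords actually draws on.
COMMON = ["password", "abc123", "and", "at", "letmein", "monkey",
          "dragon", "iloveyou", "sunshine", "qwerty"]

# Character substitutions folded back to letters. The article names 3 -> e;
# the other pairs are assumed, commonly seen variants.
SUBS = str.maketrans({"3": "e", "0": "o", "1": "i", "@": "a", "$": "s"})


def normalize(text):
    """Lower-case and undo substitutions so 'p@ssw0rd' compares as 'password'."""
    return text.lower().translate(SUBS)


WORDS = [normalize(w) for w in COMMON]


def predict_next(typed, k=3):
    """Return up to k likely next characters (in normalized form) after `typed`."""
    norm = normalize(typed)
    # Longest suffix first, so a known word starting mid-password still matches.
    # The empty suffix always matches and yields the most common first letters.
    for start in range(len(norm) + 1):
        suffix = norm[start:]
        counts = Counter(w[len(suffix)] for w in WORDS
                         if w.startswith(suffix) and len(w) > len(suffix))
        if counts:
            ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
            return [ch for ch, _ in ranked[:k]]
    return []


def guessed_positions(password, k=3):
    """One flag per character: True if it was among the k guesses before it was typed."""
    norm = normalize(password)
    return [norm[i] in predict_next(norm[:i], k) for i in range(len(norm))]


if __name__ == "__main__":
    for pw in ["p@ssw0rd", "x7#Kq9!v"]:  # constructed inputs
        flags = guessed_positions(pw)
        print(pw, "".join("^" if f else "." for f in flags), f"{sum(flags)}/{len(flags)} guessed")
```

Run as a script, it marks each predicted character with `^`: the substituted dictionary word is guessed at every position after the first, while the random string is not guessed at all.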

Closing Words

The main use of the web app is to visualize whether the password that you enter can be guessed by attackers based on the first characters that you enter.

Someone could get a glimpse of a password while you enter it in a coffee shop on your laptop, at work, or at any other public location.

Sometimes, these letters may be enough to guess the full password, or make brute forcing attempts a lot easier.

If you are already using a password manager, then the program does not have a lot to offer to you, especially if you are using its password creation module to create secure passwords.



  1. rickxs said on December 13, 2013 at 12:09 am

    gee you guys are paranoid about password theft ! —- who said that

  2. InterestedBystander said on December 12, 2013 at 5:46 pm

    Well, you don’t have to type in your REAL passwords. If you use keyboard patterns, check a similar pattern to see how it holds up. Or if you insert special characters in words, use a different word and different sequence of characters. Be creative, guys!

  3. B. Moore said on December 11, 2013 at 9:16 pm

    There is NO WAY in hell I am typing ANY PART of my password in to any text box that isn’t the exact place that password is needed.

    I don’t care who runs the site or if they are making guesses from only 1 character, I am not taking any chances.

    1. imu said on December 11, 2013 at 11:01 pm

      holy truth imagine the base of possible passwords they will learn this way, that would be enough to make nice fat dictionary out of it and then bruteforce the internet with it :)

      1. insanelyapple said on December 12, 2013 at 8:39 am

        And then, they can give that dictionary to NSA still claiming that they want privacy reform.

  4. Dan said on December 11, 2013 at 5:45 pm

    What’s the point of this if it only “guesses” one character in common passwords like “123456” or “password”. If we are to believe that less correct guesses equals a stronger password, then Microsoft knows nothing about security.

    1. Martin Brinkmann said on December 11, 2013 at 5:48 pm

      Well it has been designed for users who use common passwords, or common words in their passwords, to show them that they can be easily guessed.
