Passwords – how secure is my password?

[update 09Feb2014]

Kudos to howsecureismypassword.net — I’ve just revisited their site, to discover that their home page now bears the disclaimer (and useful advice):

This site could be stealing your password… it’s not, but it easily could be. Be careful where you type your password.

I see also that there’s no longer a ‘privacy policy’ associated with this page, which I think is probably a good thing; an example of how, sometimes, less is more.

Original post follows…


[/update]

Here’s a thing (click on pic if you wish — I can’t stop you):

[Screenshot: How secure is my password]

Useful…

… except that I’m a cynic.

There’s a ‘privacy policy’ link at the foot of the howsecureismypassword website’s home. What the privacy policy says is:

Is my password safe?

How Secure Is My Password uses JavaScript, which is a client side language – all the calculations are performed by your computer. This means that once you’ve loaded the site in your browser nothing else will pass between your computer and the server – nothing you type in leaves your computer. If you’d like to check this you can load the site and then turn off your internet connection – everything will continue to work.

Why doesn’t the site use HTTPS?

You won’t get a little padlock sign for this site, which means it’s not using HTTPS – an encrypted form of HTTP. This is because no information is passed between your computer and the server, so there’s nothing that needs encrypting.

Now, while all this is almost certainly absolutely more or less true (probably)…

… it could also be a lie, designed to put you at your ease. (I note that although the link to that page is labelled ‘privacy policy’, it doesn’t actually say a thing about howsecureismypassword.net’s policy towards your data. And the title of the ‘privacy policy’ page begins with the word ‘Donate’, which might suggest what’s uppermost in the designer’s mind. Is that telling? You tell me.)

There’s nothing that guarantees that ‘nothing else will pass between your computer and the server’ when your computer is connected to the Internet (disconnection being offered as the ‘proof’). Similarly, the dismissal of the lack of a padlock doesn’t actually prove a lack of transmission.**

This website could be a trojan horse, designed to capture your password (while doing its level best to convince you it’s not doing that).

I’m not saying it is. I’m saying it could be.

So by all means, use it to test text strings for their suitability as passwords…

… but if I were you, I wouldn’t use sites like this (nor even this) to test any (of the many*) passwords you actually use.

* You do use more than just one password for all your Internet stuphies, right?

** Incidentally, I have an earlier rant that touches on that blessed padlock.
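Added example, not code from howsecureismypassword.net or from this post: the brute-force time estimate such a checker computes in your browser, done locally in Node.js so the string you test stays on your own machine. The guess rate and the sample string are assumed values, and the comments spell out why this kind of estimate is optimistic.

```javascript
// Added example (not the site's own code): the kind of brute-force resistance
// estimate a checker like howsecureismypassword.net computes in the browser,
// done locally with Node.js so the tested string never leaves your machine.
// Assumption: the guess rate of 1e10 per second is a constructed figure.

const CLASSES = [
  { name: "lowercase", size: 26, re: /[a-z]/ },
  { name: "uppercase", size: 26, re: /[A-Z]/ },
  { name: "digits",    size: 10, re: /[0-9]/ },
  { name: "symbols",   size: 33, re: /[^a-zA-Z0-9]/ }, // printable ASCII punctuation and space
];

// Alphabet an exhaustive attacker must cover, based on the classes actually present.
function charsetSize(pw) {
  return CLASSES.filter(c => c.re.test(pw)).reduce((n, c) => n + c.size, 0);
}

// log2(charset ^ length): an upper bound only. "password1" scores about 46 bits
// here yet falls to a wordlist attack in well under a second; brute force is
// the weakest attack model, so treat this number as optimistic.
function entropyBits(pw) {
  const size = charsetSize(pw);
  return size === 0 ? 0 : pw.length * Math.log2(size);
}

// Seconds to exhaust the whole search space at the given guess rate.
function secondsToExhaust(pw, guessesPerSecond = 1e10) {
  return Math.pow(2, entropyBits(pw)) / guessesPerSecond;
}

// Render a duration the way such sites do ("3.2 years"), largest unit first.
function humanDuration(seconds) {
  const units = [["years", 31557600], ["days", 86400], ["hours", 3600], ["minutes", 60]];
  for (const [name, span] of units) {
    if (seconds >= span) return `${(seconds / span).toFixed(1)} ${name}`;
  }
  return seconds >= 1 ? `${seconds.toFixed(1)} seconds` : "under a second";
}

// Constructed sample string; pass your own as the first argument: node strength.js 'string'
const sample = process.argv[2] || "correct horse battery staple";
console.log(`${entropyBits(sample).toFixed(1)} bits, exhaustive search: ${humanDuration(secondsToExhaust(sample))}`);
```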


About pendantry

Phlyarologist (part-time) and pendant. Campaigner for action against anthropogenic global warming (AGW) and injustice in all its forms. Humanist, atheist, notoftenpist. Wannabe poet, writer and astronaut.
This entry was posted in Communication, Computers and Internet, Education, Phlyarology, Strategy.

9 Responses to Passwords – how secure is my password?

  1. Martin_Lack says:

    Well said. Anyone who needs help in determining the strength of their password, probably needs help getting dressed in the morning. So, if you are silly enough to use a website like this, you deserve whatever grief you get.

    The principles of a secure password are not complicated – a mixture of letters and numbers; the longer the better. However, for those that are really paranoid you can make it much harder to break (and to use) if you make it case-sensitive.

    • pendantry says:

      *tries to bite tongue, fails* I think the getting dressed quip is a bit harsh, Martin. One of the problems I have with computer technology is the implicit assumption that you shouldn’t use it unless you know what you’re doing. If that were valid then — since nobody knows everything — none of us should use computers. (Sometimes I wonder whether that might not be a good idea anyway.)

  2. leavergirl says:

    I am with Martin. People who use 1234 as a password or need third party password checkers have a problem not adequately addressed by third party password checkers. Tee-hee.

    P.S. In all likelihood, it’s a trap. Who in their right (honest) mind would expend their programming energies on an effing password checker?!

  3. Pingback: Yet more clueless software design | Wibble
