The first time I heard of one, I thought, “What a great scam!” Just ask people to input their passwords and you’ll “test” the strength of said password.
But a password is only as strong as it is well protected. Hell, I could break into Fort Knox if they give me the key.
Even if there are genuine, ethically-run sites, isn’t it likely that someone will develop a site–or has already developed a site–that captures the tested password for nefarious purposes?
Please rate responses on a scale of one to five tinfoil hats, as to how paranoid I am. Also, please include your password(s) and the rating received from the link above.
Between bank websites, email websites, and message boards (not to mention all the places that require a password to post comments), how in the world would they know what website the password is for?
They would have to (successfully) send you a keylogger and a malicious cookie and then match what you gave them with all the websites you visit. That’s a lot of work compared to simply hacking a national corporation that fails to properly protect its customers’ sensitive information.
I would give you 5 tin-foil hats, and suggest that you input a test password that follows the same pattern as your real one.
I used “dj2323” which is a password I use on a couple of unimportant websites, and got this rating:
It would take a desktop PC about 0.544195584 seconds to crack your password.
I would never use such a site. Just make something with some special characters, numbers, and mixed-case letters, with nothing repeating or sequential, and that’s long enough. It can still be cracked but that’s all you can do. A web site has nothing to add.
The problem with these sites is that their calculations are bullshit. Despite a statement that “Your password looks like it could be a dictionary word or a name,” the site you mentioned cannot distinguish between words and random letter strings. Substituting a number into an eight-letter word buys you 11 minutes; capitalizing it gets you 3 hours; adding both gets you 15 hours; a symbol nets 33 minutes, but adding it to the above – 3 days.
Does anyone really believe that Sexier@7 is 5000 times as secure as ftyromba?
Good news. The password !äÖå"ö3Å%nÄb?å(ö&äÄ3Ö8 would take a desktop PC 257 octillion years to crack. Surely I will have changed my password by then anyway.
I love that XKCD. There are several sites I visit that have password rules (must use one capital, between 6 and 8 letters, must use one of $%*?, etc.).
I’ve compared some of my own passwords to the passwords I have to come up with for their sites, and mine are better.
I think I picked up my strategy here. Take some phrase or lyric or poem or whatever and use the first letter of each word. I usually add some numbers as well.
towamfnwdwslhcsihswagahwohcimnwacicfi995610
…gets a 66 quindecillion years rating from the linked site (I agree that that site is not necessarily a true test of password strength) and it’s just a common limerick with the number of syllables in each line appended. Easy to remember and you get a chuckle every time you enter it.
ETA: correctbatteryhorsestaple gets a quintillion years.
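The two complaints above (the checker cannot tell Sexier@7 from ftyromba, and it rates a concatenation of dictionary words as if it were random letters) come down to one thing: a charset-based calculator computes charset^length, while a real cracker runs a wordlist through rules. The script below is an added example, not the thread's or the linked checker's code, that puts the two estimates side by side. The word list, the leet table, the dictionary size of 100,000 and the 1e10 guesses/second rate are all constructed assumptions.

```python
"""Naive charset-based keyspace vs a wordlist-plus-rules keyspace.

Added illustration; not the thread's or any checker's real code.
WORDLIST, DICT_SIZE, LEET and GUESSES_PER_SECOND are assumed values.
"""
import string

# Assumed attacker speed (offline GPU hashing of an unsalted fast hash).
GUESSES_PER_SECOND = 1e10

# Constructed stand-in for a cracking wordlist; DICT_SIZE is what we charge
# the attacker per word slot (a real list is far larger, e.g. rockyou.txt).
WORDLIST = {"sexier", "correct", "battery", "horse", "staple", "password",
            "monkey", "dragon", "letmein", "sunshine"}
DICT_SIZE = 100_000

# Common "leet" substitutions that a rule set undoes (assumed table).
LEET = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s"}
LEETABLE = set(LEET.values())

# Digits and symbols an attacker appends to a word ("word1", "word!23").
SUFFIX_ALPHABET = len(string.digits) + len(string.punctuation)  # 10 + 32 = 42
MAX_SUFFIX = 3


def naive_keyspace(pw: str) -> int:
    """What a simplistic checker computes: (sum of charset sizes used) ** length."""
    charset = 0
    if any(c.islower() for c in pw):
        charset += 26
    if any(c.isupper() for c in pw):
        charset += 26
    if any(c.isdigit() for c in pw):
        charset += 10
    if any(c in string.punctuation for c in pw):
        charset += len(string.punctuation)
    return charset ** len(pw)


def _segment_words(s: str):
    """Split s into WORDLIST entries, longest-first with backtracking; None if impossible."""
    if s == "":
        return []
    for i in range(len(s), 0, -1):
        if s[:i] in WORDLIST:
            rest = _segment_words(s[i:])
            if rest is not None:
                return [s[:i]] + rest
    return None


def pattern_keyspace(pw: str) -> int:
    """A cracker's view: dictionary words, optional capitalisation, leet and a
    short suffix. Falls back to brute force only when no pattern matches."""
    # 1. Peel off a trailing digit/symbol suffix of up to MAX_SUFFIX characters.
    core = pw.rstrip(string.digits + string.punctuation)
    suffix = pw[len(core):]
    if not core or len(suffix) > MAX_SUFFIX:
        return naive_keyspace(pw)
    # 2. Undo leet and case, then see whether what is left is dictionary words.
    deleet = "".join(LEET.get(c, c) for c in core).lower()
    words = _segment_words(deleet)
    if words is None:
        return naive_keyspace(pw)
    # 3. Multiply out the choices the rule set has to enumerate. Plain
    #    lowercase words are tried first, so case and leet rules only cost
    #    the attacker anything if the password actually uses them.
    space = DICT_SIZE ** len(words)
    if any(c.isupper() for c in core):
        space *= 2 ** len(words)            # first letter capitalised or not, per word
    if any(c in LEET for c in core):
        space *= 2 ** sum(1 for c in deleet if c in LEETABLE)  # each leetable letter swapped or not
    space *= sum(SUFFIX_ALPHABET ** k for k in range(len(suffix) + 1))  # any suffix up to this length
    return space


def seconds_to_crack(keyspace: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the keyspace at the assumed guess rate."""
    return keyspace / rate


if __name__ == "__main__":
    for pw in ("ftyromba", "Sexier@7", "p@ssw0rd", "correctbatteryhorsestaple"):
        n, p = naive_keyspace(pw), pattern_keyspace(pw)
        print(f"{pw:26s} naive {seconds_to_crack(n):10.3g} s   "
              f"wordlist+rules {seconds_to_crack(p):10.3g} s")
```

Under these assumptions Sexier@7 is a single dictionary word with a capital and a two-character suffix (a few hundred million candidates), which is a smaller search than the 26^8 needed for the random string ftyromba that the checker rates as weaker. The four-word passphrase is still strong, but as DICT_SIZE^4, not as 26^25; whether it holds up depends on the wordlist size the attacker actually has, not on the length the checker sees.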
If you feel like using the site, don’t give it your password but a similar one. For example, if your password was fsmith234, give it pjones473. Give it something with the same composition (same length if possible), just different letters/numbers.
To improve dictionaries and rainbow tables. Which does contribute to the likelihood of your account being hacked at some point in the future. Especially if you reuse passwords, or similar passwords.
And I’d like to add: if I were the site operator, I’d also have logged your IP when you gave me your password. Got any services running on your box that are reachable from outside? My automated process is sure gonna find out in short order. Remote desktop or SSH would be great goodies.