Ever since I started that thread about passwords and an xkcd cartoon, I’ve been checking my new passwords, developed in xkcd-approved methods, in this password checker:
Our system made me choose a new password today. I thought for a bit, came up with a new one and plugged it in. Then tested it in the password checker and got this reassuring answer:
« It would take a computer about 15 billion years to crack your password. »
Not quite as good as the heat death of the universe, but I can live with it.
I mean, I think this is probably trustworthy, but there is something inherently funny about a site that says “Enter your password here to test its security! We pinky-swear not to use it for anything bad.”
Then you use it on some website that gets hacked and poof…password is no good.
I did the XKCD method and had a really good password and Google now tells me it is on a hacked password list (not their words but basically what they said).
Tiny hole in that statement. It might hold if you use that computer without any upgrades the entire time. The trouble is there is no predicting what a computer will be able to do in 15 years, let alone 15 billion years.
At UberMegaCorp, one of our IT security guys got the bright idea to run a strength checker on the users’ passwords, and sort them from worst to best. He posted the results via company-wide email without actually reading it.
At the top of the list was the CEO, followed in almost perfect order by all the company execs. Obviously, this was corrected by forbidding any further strength-checking, and IT guy left the company shortly after to “pursue other interests”.
At our former bank (note: “former”), we were working with a loan officer on something. After some decisions, she turned to her computer and we watched her type in: “p-a-s-s-w-o-r-d” to enter the system.
We do have good passwords in our personal stuff, but I wonder if it’s really necessary. There’s so much low-hanging fruit for the “hackers”, I can’t imagine them wasting their time to figure out mine.
You can’t really know how strong a password is unless you also know the method used to generate the password. For instance, some folks come up with passwords by using patterns on the keyboard, like 1qaz2wsx3edc4rfv. If a password-strength checker didn’t know that some people use a method like that, then it might say “16 characters, uses both letters and numbers, doesn’t contain any dictionary words”, and conclude that it was very strong. But as soon as you get an attacker who does know or guess that you might have used that method, it’ll fall quickly.
As it happens, I had occasion to create a strong password a couple of days ago (setting up some financial stuff for my mom). So I made an 8x12 array containing every character that can be generated on a standard American keyboard, and rolled a d8 and a d12 to generate a character (there are actually only 95 such characters, but I figured a 1% chance of needing to re-roll was acceptable), and then repeated until I had 16 characters (I’m not precisely sure what the length limit was, but 16 should be enough). Given my method, I know exactly how big the pool of potential passwords is, and so know, on average, how many attempts it’ll take a brute force attack to get it (and I also know that nothing other than brute force will work). It’s still possible, of course, that the site I made that for uses a poor (i.e., easily-reversed) hash for the passwords, or stores them in plaintext or something similarly stupid, but that’s beyond my ability to control.
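An added worked example (not any poster's code) of the dice-rolling method described in the post above: a d8 and a d12 index an 8x12 grid holding the 95 characters typeable on a US keyboard, the one empty cell is re-rolled, and the keyspace, entropy and expected brute-force time follow directly from the method. The physical dice are replaced by `secrets.randbelow`, and the guess rate of 10^10 per second is a constructed assumption, not a figure from the thread.

```python
import math
import secrets
import string

# The 95 characters typeable on a standard US keyboard: letters, digits,
# punctuation and the space.
POOL = string.ascii_letters + string.digits + string.punctuation + " "
ROWS, COLS = 8, 12  # the d8 and d12: 96 grid cells, 95 of them used


def roll(sides):
    """One fair die roll in 1..sides. Assumption: a CSPRNG stands in for the
    physical die the post describes."""
    return secrets.randbelow(sides) + 1


def roll_char():
    """Roll d8 and d12, map the pair to a grid cell, and re-roll the single
    empty cell (the ~1% case mentioned in the post) so every character in
    POOL is equally likely."""
    while True:
        idx = (roll(ROWS) - 1) * COLS + (roll(COLS) - 1)  # 0..95
        if idx < len(POOL):
            return POOL[idx]


def generate_password(length=16):
    return "".join(roll_char() for _ in range(length))


def keyspace(pool_size=len(POOL), length=16):
    """Number of equally likely passwords the method can produce."""
    return pool_size ** length


def entropy_bits(pool_size=len(POOL), length=16):
    return length * math.log2(pool_size)


def expected_years(pool_size=len(POOL), length=16, guesses_per_second=1e10):
    """Expected time for an exhaustive search that finds the password after
    half the keyspace on average; guesses_per_second is a constructed
    assumption for an offline attack against a fast hash."""
    seconds_per_year = 365.25 * 86400
    return keyspace(pool_size, length) / 2 / guesses_per_second / seconds_per_year


def reroll_probability():
    """Chance a single roll lands on the unused cell."""
    return 1 - len(POOL) / (ROWS * COLS)


if __name__ == "__main__":
    print("password:", generate_password())
    print("keyspace: 95^16 =", keyspace())
    print("entropy: %.1f bits" % entropy_bits())
    print("re-roll chance: %.2f%%" % (100 * reroll_probability()))
    print("expected years at 1e10 guesses/s: %.3g" % expected_years())
```

Because the method is known and uniform, the only attack that applies is exhaustive search, which is exactly the point the post makes; the checker's 15-billion-year figure is meaningless unless it knows the generation method, whereas here the number can be computed from the method itself.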
@Northern_Piper, are you talking about the “battery horse stapler correct” XKCD cartoon? I remember that one well. The problem with that is, most sites require some combo of number, special character, or cap, which ruins the wonderfully clean mnemonic.
Plus, I still wouldn’t remember an XKCD-worthy password. Was an aardvark approving of a nail in a papaya? No, that’s my Amazon password…
Also, I just had a scary thought: what if that security.org password strength detector linked in the OP is really a scam? What a perfect con job— tell users “your password wouldn’t be hacked for 15 billion years!”. Then collect the passwords and MAC addresses or whatever other sites use to track you, and connect the dots.
By then they’ll be able to tickle you until you tell them all your passwords.
“Bzzzt, is your human-generated password ‘correct horse battery staple’?” “What?!? I’ve never even heard of xkc…ha, ha, stop that, hee heeee, okay, it is! Just stop!”
A solution to this concern is when a site does require that, simply append e.g. “1@” to your words. And always use e.g. “1@”. You can solve the need for mixed case with “Battery Horse” …
You get all the mnemonic and entropy benefit of your magic words, and fulfill the simple-minded “strength through character variety” screens.
itwasthebestoftimesitwastheworstoftimes gets me 12 undecillion years.
For my real passwords about 2 million. I don’t sweat this stuff. As long as I can remember it and it’s reasonably unguessable. If someone wants it, somebody’s gonna find a better way to get it, whether via a keylogger, phishing, or hack of the database perhaps. How strong my password is is pretty much immaterial at that point and does not keep me up at night or devising arcane systems to produce random passwords when a pseudorandom generator on a computer will work just as well for everyday work. I just pick two or three seemingly unrelated words, capitalize the first letter and add a number and exclamation point at the end to satisfy the password setting algorithm.
The real threat is that your carefully crafted 20-billion-year-uncrackable password will be stored on someone else’s server with inadequate protection and closely associated with your identity information, so the bad guys get everything in one swell foop. As @Whack-a-Mole said.
Or, that you neglect other critical security practices, like not reusing the same userid/password combination at multiple sites.
And this illustrates what I was saying about the method being important. Both of those are common phrases, which is one of the things that actual, real-world password checkers look for, with the result that an actual, real-world password checker would only take a few hours for both of those.
I’m guessing that that site just has a checklist of different kinds of characters, assumes that you’re drawing randomly from all characters of those types, and takes the number of characters of that type raised to the power of the total number of characters.
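An added example (not any poster's code) contrasting the two checker models discussed in this thread: the checklist estimate guessed in the post above (character-class pool size raised to the length) and a method-aware estimate of the kind the earlier post about keyboard patterns calls for. The phrase list and the simplified QWERTY grid are constructed for the example; the 10^10 guesses-per-second rate is an assumption. It is written from the policy-evaluation side: the point is to see how far the two estimates diverge for the thread's own examples, `1qaz2wsx3edc4rfv` and `itwasthebestoftimesitwastheworstoftimes`.

```python
import math

# Constructed stand-in for the dictionary/phrase lists real checkers ship;
# a password's rank in the list is the number of guesses a list-in-order
# attacker needs.
COMMON_PHRASES = [
    "password",
    "correcthorsebatterystaple",
    "itwasthebestoftimesitwastheworstoftimes",
]

# Simplified QWERTY grid (real rows are staggered; straight columns are a
# deliberate approximation that still catches 1qaz-style walks).
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(QWERTY_ROWS) for c, ch in enumerate(row)}

GUESSES_PER_SECOND = 1e10          # constructed assumption: offline, fast hash
SECONDS_PER_YEAR = 365.25 * 86400


def char_pool(pw):
    """Checklist view: size of the union of character classes present."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += 33                 # ASCII punctuation plus space
    return pool


def naive_guesses(pw):
    """The model the post guesses the site uses: pool ** length."""
    return char_pool(pw) ** len(pw)


def column_walk_segments(pw):
    """Split pw into runs where each key sits directly below the previous one
    on the grid. Returns the runs if the whole password is made of such runs
    (each at least 2 keys long), else None."""
    segs, i = [], 0
    while i < len(pw):
        j = i
        while (j + 1 < len(pw) and pw[j] in KEY_POS and pw[j + 1] in KEY_POS
               and KEY_POS[pw[j + 1]][1] == KEY_POS[pw[j]][1]
               and KEY_POS[pw[j + 1]][0] == KEY_POS[pw[j]][0] + 1):
            j += 1
        if j == i:
            return None
        segs.append(pw[i:j + 1])
        i = j + 1
    return segs


def pattern_aware_guesses(pw):
    """Method-aware view: known phrase -> its rank; keyboard walk -> roughly
    (10 columns) ** (number of runs), a crude constructed model; otherwise
    fall back to the charset estimate."""
    key = pw.lower().replace(" ", "")
    if key in COMMON_PHRASES:
        return COMMON_PHRASES.index(key) + 1, "common phrase"
    segs = column_walk_segments(pw.lower())
    if segs:
        return 10 ** len(segs), "keyboard walk (%d column runs)" % len(segs)
    return naive_guesses(pw), "no known pattern; charset model"


def years_to_crack(guesses, rate=GUESSES_PER_SECOND):
    """Expected time: half the guesses on average."""
    return guesses / 2 / rate / SECONDS_PER_YEAR


def report(pw):
    naive = naive_guesses(pw)
    aware, why = pattern_aware_guesses(pw)
    return {"naive_bits": math.log2(naive), "naive_years": years_to_crack(naive),
            "aware_guesses": aware, "aware_years": years_to_crack(aware), "why": why}


if __name__ == "__main__":
    for pw in ["1qaz2wsx3edc4rfv", "itwasthebestoftimesitwastheworstoftimes"]:
        print(pw, report(pw))
```

For both thread examples the checklist model reports an astronomical figure (36^16 and 26^39 guesses) while the method-aware model reports a handful of guesses, which is the gap the earlier post warns about: a strength meter is only as good as the attacker model it encodes, so a policy built on such a meter should be checked against the patterns users actually produce, not just character classes.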
Who’s to say that the hacker won’t guess your password on day one instead of in 15 billion years? They could get lucky.
With two factor authorization (is that what it’s called? They text my cellphone a code) having a super strong password doesn’t seem that important anymore. A password alone won’t get you into my bank account. You’re welcome to hack my LinkedIn.