Show HN: How Secure Is My Password

howsecureismypassword.io

6 points by azazqadir 8 years ago · 13 comments

gerard 8 years ago

I've seen some dark satire on HN lately. What I see here is another neat implementation of an unconstructive idea, amusing for reflecting our flaws. We really should know better than to share or encourage sharing passwords with third parties. The same goes for CC details ("enter your CC and see if it's been stolen"). The right place for a widget like this is on the signup or change password page itself.

You've put forward a little risk/reward proposition where users are unable to properly assess the risk. People love to be rated, that part's easy. You rely on them to take your word on the site's affiliation, to not understand that you can collect passwords despite saying otherwise, or vary the site's behavior mod N, or cross-match fingerprint:password with leaked/purchased/accumulated fingerprint:username data, and so on. They look at it and think, 'looks legit'. It might well be, but the proposition is unfair and it's unconstructive to condition users to accept this type of trade-off.

  • SanderSantema 8 years ago

    Just to add to your comment:

    A safe way to rate your password on MacOS is to use the Keychain Access app. Generate a new password by pressing cmd-n and then fill in your current password or a new password you'd like to use. It even includes a function to automatically generate passwords; automatically generating passwords online isn't something I'd like to do either. I either make them up from random text, which I see online & offline, or I use the Keychain Access app.

    Besides the native Keychain Access app all other decent third party password managers include a way to automatically generate safe passwords. This makes online tools redundant, unless they've been made with another purpose in mind like practicing coding or possibly malicious intents.

ibdf 8 years ago

Why is something like "alksjdlq" or "alskjdlakjv" weak? Do brute force attacks focus on any combination of characters? Or combinations of known words?

If the password above is not a word, or a combination of words, or something personal, and it's long enough... how is it not a strong password?

Also, if you give away what a strong password consists of (case, length, characters, symbols) then doesn't that make it weaker because you give bots/attackers a pattern to follow?

  • strkek 8 years ago

    > Also, if you give away what a strong password consists of (case, length, characters, symbols) then doesn't that make it weaker because you give bots/attackers a pattern to follow?

    I don't think it changes anything at all. Attackers won't ignore "dolphins" just because a meter says it's weak.

    Unless it's an actual limitation of the site where you're signing up, in which case the culprit for the reduced search space would be the website with such password limitations, not the password strength meter.

astro_robot 8 years ago

Eh, I feel like this is pretty bland. It should incorporate a dictionary attack database. For example, "password" should be considered way weaker than any combination of letters. I would look at https://howsecureismypassword.net/ for inspiration.

detaro 8 years ago

fhn4VBnJbeMBxx is apparently less safe than Password1234!

As is keep peace there hello, randomly generated according to the XKCD method.

Sorry, these things just can't work reliably.

teddyfrozevelt 8 years ago

This seems to just be a mixture of length and other criteria like a number, upper and lowercase letters, and symbols. Even a 128 word password only gets a 6/10. It should really score based on the entropy of the password.

vardump 8 years ago

This fails to consider long passphrases secure. Long passwords don't need special characters, but this estimator is only happy once you use all "character classes".

JakDrako 8 years ago

The scoring algo is pretty bad. You get 1 or 2 points for each character class and some points for length (at lengths 7, 13, 16 and 21).

"AAaa11!!" scores nicely using this method (one "blip" from a perfect green bar), but zxcvbn (from Dropbox) gives it a score of "1" with an estimated crack time of 13 minutes.
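The scoring disagreement running through teddyfrozevelt's, vardump's, JakDrako's and detaro's comments can be made concrete by putting the two approaches side by side. The block below is an added example, not code from the site or from Dropbox's zxcvbn: `class_based_score` reconstructs the kind of class-plus-length-threshold rule JakDrako describes (one point per class and per threshold is an assumed weighting, since the site's exact table is not in the thread), and `estimate_bits` is a small entropy-style estimator with three rules borrowed in spirit from zxcvbn: passphrases cost log2(wordlist) per word, a common word plus decoration costs word-rank plus decoration, and everything else is brute force with repeats and sequences charged one bit each. The ten-entry word list, the 7776-word Diceware-sized passphrase list and the 1e10 guesses/s offline rate are all constructed assumptions.

```python
"""Class-counting versus entropy-style password rating.

Added example, not the site's or zxcvbn's code. All weights, the word list
and the guessing rate are assumptions chosen for illustration.
"""
import math
import re
import string

# Constructed, deliberately tiny list of common passwords. Real estimators use
# frequency-ranked lists of tens of thousands of entries and charge a word by
# its rank in that list rather than by the list size.
COMMON_WORDS = ["password", "dolphins", "qwerty", "letmein", "welcome",
                "monkey", "dragon", "football", "hello", "peace"]

# Assumed size of the list a passphrase generator draws from (7776 words is
# the Diceware list; the "XKCD method" mentioned in the thread works the same).
PASSPHRASE_WORDLIST_SIZE = 7776

# Character classes and the pool size each contributes to a brute-force search.
CLASS_POOLS = {
    "lower": (string.ascii_lowercase, 26),
    "upper": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10),
    "other": (string.punctuation + " ", 33),
}


def _class_of(ch: str) -> str:
    for name, (chars, _) in CLASS_POOLS.items():
        if ch in chars:
            return name
    return "other"  # anything non-ASCII is lumped in with the symbols


def class_based_score(pw: str) -> int:
    """Class-and-length scoring of the kind the thread criticises: one point
    per character class present, one per length threshold passed
    (7, 13, 16, 21). Maximum is 8. Weights are assumed."""
    score = len({_class_of(ch) for ch in pw})
    score += sum(1 for threshold in (7, 13, 16, 21) if len(pw) >= threshold)
    return score


def brute_force_bits(s: str) -> float:
    """log2 of the guesses needed if the attacker enumerates the combined pool
    of every class present, charging only 1 bit for a character that merely
    repeats or continues a sequence (aa, 12, xy): those are guessed as
    patterns, not as independent choices. Adjacent-in-ASCII letters such as
    "nm" are treated as a sequence too, which is a conservative simplification."""
    if not s:
        return 0.0
    pool = sum(CLASS_POOLS[c][1] for c in {_class_of(ch) for ch in s})
    bits = 0.0
    prev = None
    for ch in s:
        if prev is not None and abs(ord(ch) - ord(prev)) <= 1:
            bits += 1.0
        else:
            bits += math.log2(pool)
        prev = ch
    return bits


def estimate_bits(pw: str) -> float:
    """Entropy-style estimate in bits. A passphrase of three or more words is
    scored per word; a common word with digits/symbols tacked on is scored as
    word choice + capitalisation + decoration; anything else is brute force."""
    words = pw.split(" ")
    if len(words) >= 3 and all(w.isalpha() for w in words):
        return len(words) * math.log2(PASSPHRASE_WORDLIST_SIZE)
    m = re.fullmatch(r"([A-Za-z]+)([^A-Za-z]*)", pw)
    if m and m.group(1).lower() in COMMON_WORDS:
        word, suffix = m.groups()
        bits = math.log2(len(COMMON_WORDS))            # pick the word
        bits += 1.0 if word != word.lower() else 0.0   # capitalised variant
        return bits + brute_force_bits(suffix)         # the tacked-on part
    return brute_force_bits(pw)


def crack_time_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to exhaust the space at an assumed offline rate (1e10/s is a
    constructed figure for a GPU rig against a fast, unsalted hash)."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    samples = ["AAaa11!!", "Password1234!", "fhn4VBnJbeMBxx",
               "keep peace there hello", "dolphins"]
    print(f"{'password':24} {'class score':>11} {'bits':>6} {'offline crack':>14}")
    for pw in samples:
        bits = estimate_bits(pw)
        print(f"{pw:24} {class_based_score(pw):>11} {bits:>6.1f} "
              f"{crack_time_seconds(bits):>13.2g}s")
```

Running it reproduces the thread's complaints in miniature: the class-based score rates `Password1234!` above the random `fhn4VBnJbeMBxx` because the former ticks every class box, while the entropy estimate puts the random string far ahead, gives the four-word passphrase roughly 52 bits despite its single character class, and prices `dolphins` at a few bits no matter what a meter says about it.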

stevekemp 8 years ago

Ironically the site itself is insecure - the link goes here:

https://howsecureismypassword.io/

But the SSL certificate is only valid for:

https://www.howsecureismypassword.io/

xori 8 years ago

Step 1: provide service to rate password

Step 2: provide links to share password strength on social media

Step 3: watch social media to correlate username and password based on time

Step 4: ???

Step 5: Profit
