How secure is my password? - hasenj
http://howsecureismypassword.net/

======
tptacek
Donate. Donate! "Here's my password, and also five dollars." They are
literally getting people to _pay them_ to give up their passwords.

This is the best social engineering attack I've ever seen.

~~~
gdl
That was my first assumption too, but Wireshark doesn't show anything going
across the network as I type, and nothing that looks incriminating when I
click "donate" with text in the password box. It looks like it's entirely
client-side JavaScript as it claims to be. Kind of disappointing, actually.

edit: ...Unless it's clever enough to only be evil some fraction of the time.
I didn't actually check through the code.

~~~
hasenj
Theoretically, it could store the password in a cookie, and later retrieve it,
along with (somehow) a gmail id.

------
ahlatimer
To the people who are worried about giving up their password, who cares if he
gets them? Are passwords really even that worthwhile without being able to tie
them to some account on some site?

Let's say that one of my passwords is n0TMyR34lP4sSw0rD, and I enter that into
the site. So what? Now you have to guess my username on a site that I might
have an account on. Not to mention weeding through all the garbage from people
entering in random passwords just to see what the results are.

I understand that being proactive about security is a good thing, but I really
think the potential of this being successfully used maliciously is fairly
non-existent.

~~~
ElbertF
They could create a database with hashes of these passwords and compare them
with the recently leaked Gawker hashes. Not all of those passwords have been
cracked yet, especially the more complex ones.

------
WillyF
There's no way that I'm putting my password in there, but I did make up a
password that mimics mine to see how secure it is.

------
ElbertF
Why would "(^%$@^$%" take a minute to crack and "aaaaaaaa" 5 hours? Anyway,
nice try but I don't think I'll be giving you any of my actual passwords.

------
nelhage
I was _really_ hoping for something like "It would take N years to crack your
password ... but now I know it, so why bother?"

------
nonameacct
I am safe. "bobobobobobobobobobobobobobo" will take 8 octillion years.
Actually, same for "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb".

~~~
jwegan
Well in all fairness those are probably pretty good passwords. I would guess
they are both extremely uncommon passwords. Furthermore any brute forcing
algorithm is probably going to leave trying all 28 character passwords for the
end since most people do not have passwords that long.

------
spicyj
The highest I could get by making up passwords was 565,892,495,532 nonillion
years…

------
jcitme
Who knew that 'penis' was in the top 500?

~~~
tjarratt
I'm really doubting that "vagina" is in the top 500. They must be counting
these as basic dictionary lookups and discounting them that way. Any good
password cracker would definitely try a dictionary attack before brute force.

------
kpanghmc
Anyone else having a hard time reading the font on that page? It's not so bad
on the landing page since there's only a handful of words, but the FAQ
(<http://howsecureismypassword.net/faq/>) hurts my eyes.

------
ggordan
It would take "About 487,375 nonillion years" to crack my gmail password.

This made me smile

~~~
TeHCrAzY
Well, somewhat less time, now that you have entered it into a random page on
the internet :)

~~~
ggordan
Ah, no. I typed a password of the same length and same amount of lowercase,
uppercase, digits, and 'special characters'.

I was way too paranoid to type in my real password. As, I've now come to
realise, was everyone else.

I think the passwords you have on different services show how valuable that
service is to you. For me, my Google Account is the most important account I
have. It has a lot of information about me, and every other service I'm using.
If anyone gets my Google Account, they've basically got my whole online
identity. So because of that I try my best to make it safe. On the other hand,
my Facebook/Twitter account have nothing of value, so while I wouldn't like
them to get hacked, I don't feel the need to have a 28 character password.

------
hasenj
For the record, the site is not mine.

Obviously you shouldn't put your actual password there, just use the same
pattern.

If you want to test 'keh@8R2', replace it with something like 'mnk$6D3'

------
sukuriant
Hm .... is it really true that aardvarkstasteawesome would really take a
quadrillion years to find? Since that's 3 different words, wouldn't a
dictionary attack catch that one pretty fast?

Disclaimer: I've never, to my knowledge, eaten an aardvark. Also, this is not
my password anywhere.
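
Two points this thread keeps circling back to, written up as an added Python example (not code from the site or from any commenter): hasenj's advice to test a same-pattern substitute instead of the real password, and sukuriant's and tjarratt's point that a length-and-charset estimate overrates concatenated dictionary words. The character classes, the 10^9 guesses/second rate and the word list are constructed assumptions for the example, not the site's figures.

```python
import secrets
import string

# Character classes a length-and-charset estimator is assumed to distinguish.
LOWER, UPPER, DIGIT, SYMBOL = (string.ascii_lowercase, string.ascii_uppercase,
                               string.digits, string.punctuation)
CLASSES = {LOWER: "l", UPPER: "u", DIGIT: "d", SYMBOL: "s"}

def char_class(ch):
    """Return the class string containing ch, or None for space/non-ASCII."""
    for cls in CLASSES:
        if ch in cls:
            return cls
    return None

def pattern(password):
    """Abstract shape of a password: 'keh@8R2' -> 'lllsdud'."""
    return "".join(CLASSES.get(char_class(ch), "?") for ch in password)

def same_pattern_decoy(password):
    """Replace each character with a random one of the same class, so the
    decoy keeps the length, classes and pattern of the real password while
    the real characters never leave the machine."""
    out = []
    for ch in password:
        cls = char_class(ch)
        out.append(secrets.choice(cls) if cls else ch)
    return "".join(out)

def keyspace(password):
    """Brute-force search space implied by length and the classes present."""
    used = {char_class(ch) for ch in password} - {None}
    return sum(len(cls) for cls in used) ** len(password)

def brute_force_seconds(password, guesses_per_second=10**9):
    """Worst-case seconds to exhaust keyspace() at an assumed guess rate."""
    return keyspace(password) // guesses_per_second

# Constructed toy word list standing in for a real cracking dictionary.
WORDS = {"aardvarks", "taste", "awesome", "bob"}

def splits_into_words(password, words=WORDS):
    """True if the password is a concatenation of dictionary words; such a
    password is reached by a wordlist attack regardless of keyspace()."""
    reachable = [True] + [False] * len(password)
    for end in range(1, len(password) + 1):
        reachable[end] = any(reachable[start] and password[start:end] in words
                             for start in range(end))
    return reachable[-1]
```

Rate a decoy from same_pattern_decoy() rather than the real password; keyspace() scores both identically, and splits_into_words() flags the case the charset score misses.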