
Show HN: How Secure Is My Password - azazqadir
https://howsecureismypassword.io/
======
gerard
I've seen some dark satire on HN lately. What I see here is another neat
implementation of an unconstructive idea, amusing for reflecting our flaws. We
really should know better than to share or encourage sharing passwords with
third parties. The same goes for CC details ("enter your CC and see if it's
been stolen"). The right place for a widget like this is on the signup or
change password page itself.

You've put forward a little risk/reward proposition where users are unable to
properly assess the risk. People love to be rated, that part's easy. You rely
on them to take your word on the site's affiliation, to not understand that
you can collect passwords despite saying otherwise, or vary the site's
behavior mod N, or cross-match fingerprint:password with
leaked/purchased/accumulated fingerprint:username data, and so on. They look
at it and think, 'looks legit'. It might well be, but the proposition is
unfair and it's unconstructive to condition users to accept this type of
trade-off.

~~~
SanderSantema
Just to add to your comment:

A safe way to rate your password on MacOS is to use the Keychain Access app.
Generate a new password by pressing cmd-n and then fill in your current
password or a new password you'd like to use. It even includes a function to
automatically generate passwords; automatically generating passwords online
isn't something I'd like to do either. I either make them up from random text,
which I see online & offline, or I use the Keychain Access app.

Besides the native Keychain Access app all other decent third party password
managers include a way to automatically generate safe passwords. This makes
online tools redundant, unless they've been made with another purpose in mind
like practicing coding or possibly malicious intents.

------
ibdf
Why is something like "alksjdlq" or "alskjdlakjv" weak? Do brute force
attacks focus on any combination of characters? Or combinations of known words?

If the password above is not a word, or a combination of words, or something
personal, and it's long enough... how is it not a strong password?

Also, if you give away what a strong password consists of (case, length,
characters, symbols) then doesn't that make it weaker because you give
bots/attackers a pattern to follow?

~~~
strkek
> Also, if you give away what a strong password consists of (case, length,
> characters, symbols) then doesn't that make it weaker because you give
> bots/attackers a pattern to follow?

I don't think it changes anything at all. Attackers won't ignore "dolphins"
just because a meter says it's weak.

Unless it's an actual limitation of the site where you're signing up, in which
case the culprit for the reduced search space would be the website for such
password limitations, not because of the password strength meter.

------
astro_robot
Eh, I feel like this is pretty bland. It should incorporate a dictionary
attack database. For example, "password" should be considered way weaker than
any combination of letters. I would look at
[https://howsecureismypassword.net/](https://howsecureismypassword.net/) for
inspiration.

~~~
kbirkeland
Dropbox's zxcvbn[1] seems to do a good job of this along with detecting
sequences and keyboard patterns.

[1] [https://github.com/dropbox/zxcvbn](https://github.com/dropbox/zxcvbn)

------
detaro
_fhn4VBnJbeMBxx_ is apparently less safe than _Password1234!_

As is _keep peace there hello_ , randomly generated according to the XKCD
method.

Sorry, these things just can't work reliably.

------
teddyfrozevelt
This seems to just be a mixture of length and other criteria like a number,
upper and lowercase letters, and symbols. Even a 128 word password only gets a
6/10. It should really score based on the entropy of the password.

------
vardump
This fails to consider long passphrases secure. Long passwords don't need
special characters, but this estimator is only happy once you use all
"character classes".

------
JakDrako
The scoring algo is pretty bad. You get 1 or 2 points for each character
class and some points for length (at lengths 7, 13, 16 and 21).

"AAaa11!!" scores nicely using this method (one "blip" from a perfect green
bar), but zxcvbn (from Dropbox) gives it a score of "1" with an estimated
crack time of 13 minutes.
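
The contrast the thread keeps coming back to (class-counting versus guess-space estimation) as an added, runnable example; this is not the site's code nor zxcvbn, the class scorer is a hypothetical reconstruction of what the comments describe, and the word list and WORDLIST_SIZE are constructed stand-ins:

```python
import math
import re
import string

# Constructed stand-in for a real ranked dictionary (assumption); a real meter
# would load a large list. WORDLIST_SIZE approximates the guess cost of a word.
COMMON_WORDS = {"password", "keep", "peace", "there", "hello", "dolphins"}
WORDLIST_SIZE = 7776  # assumption: a diceware-sized list, ~12.9 bits per word
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def class_score(pw):
    """Hypothetical reconstruction of the class-plus-length scoring described
    in the thread: two points per character class present, one point per
    length threshold reached (7, 13, 16, 21). Not the site's actual code."""
    score = sum(2 for cls in CLASSES if any(c in cls for c in pw))
    return score + sum(1 for n in (7, 13, 16, 21) if len(pw) >= n)


def _token_bits(tok):
    """Guess cost in bits of one run of letters, digits or symbols."""
    if tok.lower() in COMMON_WORDS:  # dictionary word: list cost, +1 bit if capitalised
        return math.log2(WORDLIST_SIZE) + (1 if tok[0].isupper() else 0)
    if len(tok) > 1 and len(set(tok)) == 1:  # repeated char: one char plus a length
        return _token_bits(tok[0]) + math.log2(len(tok))
    if tok.isdigit() and tok in "0123456789":  # ascending digit run: start plus length
        return math.log2(10) + math.log2(len(tok))
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in tok)) or 256
    return len(tok) * math.log2(pool)  # no pattern found: full brute-force cost


def entropy_bits(pw):
    """Pattern-aware estimate: split into capitalised words, upper-case runs,
    digit runs and symbol runs, then sum each run's guess cost. Structure such
    as 'AAaa11!!' or 'Password1234!' is charged for what it is, while a random
    string or a multi-word passphrase keeps most of its guess space."""
    tokens = re.findall(r"[A-Z]?[a-z]+|[A-Z]+|\d+|[^A-Za-z\d\s]+", pw)
    return round(sum(_token_bits(t) for t in tokens), 1)


if __name__ == "__main__":
    for pw in ("AAaa11!!", "Password1234!", "fhn4VBnJbeMBxx", "keep peace there hello"):
        print(f"{pw!r:26} class score {class_score(pw):2}/12  ~{entropy_bits(pw)} bits")
```

Running it shows the class scorer ranking "Password1234!" above the random string and the four-word passphrase near the bottom, while the token-cost estimate orders them the other way round.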

------
stevekemp
Ironically the site itself is insecure - the link goes here:

[https://howsecureismypassword.io/](https://howsecureismypassword.io/)

But the SSL certificate is only valid for:

[https://www.howsecureismypassword.io/](https://www.howsecureismypassword.io/)

------
xori
Step 1: provide service to rate password

Step 2: provide links to share password strength on social media

Step 3: watch social media to correlate username and password based on time

Step 4: ???

Step 5: Profit

