

How secure is my password - philliphaydon
https://howsecureismypassword.net/

======
jaachan
Easy test: If you type your password in on random sites, it's not secure at
all.

Also:

    momof3g8kids

    It would take a desktop PC about 37 years to crack your password

But radix had that password (and thousands of others) in an hour[1]

[1] http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords

------
DanielStraight
Some tests:

    'badpassword'      10 days
    'bad1password'     37 years
    'bad password'     546 years
    'bad 1password'    333 thousand years
    'bad password 1'   18 million years
    'bad 123password'  a billion years

As with all password checkers, there are problems here.

If you want a password checker, this one is still the best I've seen:
http://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html
(it correctly identifies all my above examples as terrible passwords)

But password security is much more about using bcrypt or scrypt (in case
someone gets your database) and having timeouts and lockouts on password entry
(to prevent brute-forcing through public channels).
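
To make the "problems" concrete, here is an added Python example (not from the site, the thread, or any of the posters) that computes two numbers for DanielStraight's test passwords: the naive charset^length keyspace that a meter like the site's assumes, and a toy dictionary-aware guess count of the kind zxcvbn produces. The ranked wordlist and all three guess rates are constructed assumptions; 4e9 guesses/s is simply the rate at which the naive keyspace reproduces the site's figures for the thread's examples ('bad1password' gives 37 years, 'abcdefghijklmnopqrstuvwxyz' gives 48 quintillion years).

```python
import string

# Constructed toy attacker wordlist with guess ranks (real lists have millions of
# entries ordered by popularity): 'password' is the very first guess, 'bad' the 500th.
RANKED_WORDS = {"password": 1, "qwerty": 4, "superman": 230, "bad": 500}
MAX_WORD = max(len(w) for w in RANKED_WORDS)

SECONDS_PER_YEAR = 365.25 * 86400
# Guess rates: all assumptions, order of magnitude only.
RATES = {
    "site's 'desktop PC' model": 4e9,   # reproduces the site's figures for the thread's examples
    "MD5 on one GPU":            8e9,   # fast unsalted hash on a single commodity GPU
    "bcrypt/scrypt, high cost":  1e4,   # deliberately slow KDF on the same GPU
}

def charset_size(pw: str) -> int:
    """Alphabet size a charset^length meter assumes for pw."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(c == " " or c in string.punctuation for c in pw): size += 33
    return size

def naive_guesses(pw: str) -> int:
    """Worst case for an attacker who treats every position as uniformly random."""
    return charset_size(pw) ** len(pw)

def tokenize(pw: str) -> list:
    """Greedy split of pw into (token, search_space) pairs: wordlist hits cost
    their rank, digit runs 10^k, symbols 33, leftover letters 26 (or 52) each."""
    tokens, i = [], 0
    while i < len(pw):
        for length in range(min(MAX_WORD, len(pw) - i), 0, -1):  # longest word first
            piece = pw[i:i + length]
            if piece.lower() in RANKED_WORDS:
                tokens.append((piece, RANKED_WORDS[piece.lower()]))
                i += length
                break
        else:
            c = pw[i]
            if c.isdigit():
                j = i
                while j < len(pw) and pw[j].isdigit():
                    j += 1
                tokens.append((pw[i:j], 10 ** (j - i)))
                i = j
            elif c.isalpha():
                tokens.append((c, 52 if c.isupper() else 26))
                i += 1
            else:
                tokens.append((c, 33))
                i += 1
    return tokens

def dictionary_guesses(pw: str) -> int:
    """Toy model of a wordlist + rules attack: product of the token search spaces."""
    total = 1
    for _, space in tokenize(pw):
        total *= space
    return total

def years(guesses: int, rate: float) -> float:
    """Worst-case time to run `guesses` candidates at `rate` guesses per second."""
    return guesses / rate / SECONDS_PER_YEAR

def report(pw: str) -> None:
    print(f"{pw!r}: tokens {[t for t, _ in tokenize(pw)]}")
    for label, rate in RATES.items():
        print(f"  {label:28s} naive {years(naive_guesses(pw), rate):10.3g} y"
              f"   dictionary-aware {years(dictionary_guesses(pw), rate):10.3g} y")

if __name__ == "__main__":
    for pw in ["badpassword", "bad1password", "bad password",
               "bad 1password", "bad password 1", "bad 123password"]:
        report(pw)
```

The naive column grows by orders of magnitude as spaces and digits are added, while the dictionary-aware column barely moves, because an attacker who tries "bad" and "password" as units only has to enumerate the separators between them. The hash row is the other half of the story: the same guess count is hours against MD5 and centuries against a slow KDF.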

------
rdl
My god, people would use this? I was hoping it was one of the sites where as
soon as you started typing, it flashed "wtf are you thinking you moron".

~~~
vsipuli
Obviously you shouldn't enter your real passwords there, but the site could
have a valid use for discovering the strength of passwords you would generate
for some hypothetical service that is actually not used.

~~~
laumars
It doesn't even have merit there because its figures are completely wrong:

First of all, it doesn't take into account GPU cracking techniques - in fact it
uses an average desktop PC as the processing power gauge (completely ignoring
that password crackers would be running on highly powerful, bespokely
configured systems).

Next it doesn't take into account modern dictionary attacks - sometimes people
will have a seemingly secure password but it's actually a common term and thus
included in password dictionaries.

And to top it all off, there's no details about how long it would take against
different encryption cyphers (the best cyphers are designed to be
computationally expensive - but sadly a lot of sites are still using
SHA128/256, or worse yet, MD5).

It's rare that I'm this rude about other people's projects, but that site is
total garbage. In fact it's worse than garbage because it deludes people into
thinking their passwords are secure when often they're not. It's alarming how
quickly hackers can rattle off password attempts these days - to quote a recent
Ars article[1]: "_Using a commodity computer with a single AMD Radeon 7970
graphics card, it took him 20 hours to crack 14,734 of the hashes, a
90-percent success rate._" And that's an extremely low spec machine compared
to most.

[1] http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

------
Sunlis
This is questionable. If I enter 15 random alphabet characters, it gives me 49
years. 15 numbers is 2 days. 15 characters of punctuation is 743,000 years.

If the cracker was trying to brute force a password, then they would have to
try every available character in every valid position. Unless I'm
misunderstanding something, an n-length password would take a similar amount
of time to guess as any other n-length password with the same restrictions.
The cracker doesn't know going into it that I only have letters in my
password, so he has to use any valid character.

Perhaps a more useful system would be one that would let websites enter their
password restrictions and tell them how secure their users' password can be
with those restrictions.

~~~
laumars
_> The cracker doesn't know going into it that I only have letters in my
password, so he has to use any valid character._

Typically hackers will run through quicker combinations to pick off the low
hanging fruit. It doesn't matter if they can't crack a few hundred 15-char
passwords with extended ANSI characters as by that point they'll already have
tens of thousands of passwords from others whose passwords contained less
entropy.
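
The "low hanging fruit first" ordering is the usual mask-attack strategy: exhaust the cheapest alphabet, then move up. The Python below is an added example (mine, not from the thread or any cracking tool) that sorts a constructed set of 15-character passwords by the cheapest mask that covers them and reports when each would fall in the worst case, which is also why the site can report days for all-digit input and years for all-letter input of the same length. The 4e9 guesses/s rate is the one the site's own figures imply and is an assumption, and the sample passwords are made up.

```python
SECONDS_PER_YEAR = 365.25 * 86400
RATE = 4e9  # guesses/s, assumed (the rate implied by the site's own figures)

# Mask tiers an attacker runs in order, smallest alphabet first.
TIERS = [
    ("digits only",          10),
    ("lowercase only",       26),
    ("lowercase + digits",   36),
    ("mixed case + digits",  62),
    ("all printable ASCII",  95),
]

# Constructed sample set, one password per tier, all 15 characters long.
SAMPLE = [
    "123456789012345",   # digits only
    "abcdefghijklmno",   # lowercase only
    "summerholiday15",   # lowercase + digits
    "SummerHoliday15",   # mixed case + digits
    "Summer!Holiday5",   # contains a symbol
]

def cheapest_tier(pw: str) -> int:
    """Index of the first tier whose alphabet contains every character of pw."""
    lower = any(c.islower() for c in pw)
    upper = any(c.isupper() for c in pw)
    digit = any(c.isdigit() for c in pw)
    other = any(not c.isalnum() for c in pw)
    if other:
        return 4
    if upper:
        return 3
    if lower and digit:
        return 2
    if lower:
        return 1
    return 0

def cumulative_guesses(length: int) -> list:
    """(tier name, guesses spent once that tier is exhausted) for passwords of
    `length`; overlap between tiers is re-guessed, a simplification."""
    total, out = 0, []
    for name, k in TIERS:
        total += k ** length
        out.append((name, total))
    return out

def crack_order(passwords: list, rate: float = RATE) -> list:
    """(password, tier name, worst-case years until found), earliest first."""
    rows = []
    for pw in passwords:
        name, spent = cumulative_guesses(len(pw))[cheapest_tier(pw)]
        rows.append((pw, name, spent / rate / SECONDS_PER_YEAR))
    return sorted(rows, key=lambda r: r[2])

def fraction_recovered(passwords: list, seconds: float, rate: float = RATE) -> float:
    """Share of `passwords` an attacker with `seconds` of cracking time finishes."""
    budget = seconds * rate
    found = sum(1 for pw in passwords
                if cumulative_guesses(len(pw))[cheapest_tier(pw)][1] <= budget)
    return found / len(passwords)

if __name__ == "__main__":
    for pw, tier, yrs in crack_order(SAMPLE):
        print(f"{pw!r:20s} {tier:22s} {yrs:12.3g} years")
    print("recovered in one week:", fraction_recovered(SAMPLE, 7 * 86400))
```

The all-digit entry falls within days and the all-lowercase one not for thousands of years at this rate, even though both are 15 characters: the attacker does not pay for the full printable alphabet until the cheap tiers are done, and by then the bulk of a typical leaked set has already been recovered.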

------
benmanns
I don't get the fascination with MD5 cracking speeds. If you use different
passwords for each site, a 7 character lowercase password would take 10 years
to exhaust the password-space if a site limits you to 20 attempts per second.
As long as you are using different, random passwords for each site, you can
just change your password for InsecureApp once InsecureApp gets hacked.

I think we should be educating people on using different passwords for
services rather than convincing them to use very long, complex passwords.
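
The arithmetic behind this comment is that the online attempt limit, not the hash, bounds guessing through the public channel. The following added Python example (not from the thread) does that calculation and implements the kind of per-account throttle DanielStraight mentions: a doubling delay after each failure, then a fixed lockout window. The thresholds, the simulated attacker and the injectable clock are all constructed for the example.

```python
import time
from collections import defaultdict

SECONDS_PER_YEAR = 365.25 * 86400

def years_to_exhaust(alphabet: int, length: int, attempts_per_second: float) -> float:
    """Time to try every alphabet^length candidate through an online channel
    capped at attempts_per_second (e.g. 26 lowercase letters, 7 long, 20/s)."""
    return alphabet ** length / attempts_per_second / SECONDS_PER_YEAR

class LoginThrottle:
    """Per-account failure counter: the delay doubles with each failure, and a
    hard lockout window applies once `lock_after` failures are reached.
    All parameter values are assumptions for the example."""

    def __init__(self, base_delay=1.0, max_delay=900.0, lock_after=10,
                 clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.lock_after = lock_after
        self.clock = clock
        self.failures = defaultdict(int)
        self.not_before = defaultdict(float)

    def allowed(self, account: str) -> bool:
        """May a login attempt for `account` be processed right now?"""
        return self.clock() >= self.not_before[account]

    def record_failure(self, account: str) -> float:
        """Register a wrong password; returns the delay before the next attempt."""
        self.failures[account] += 1
        n = self.failures[account]
        if n >= self.lock_after:
            delay = self.max_delay                      # lockout window
        else:
            delay = min(self.base_delay * 2 ** (n - 1), self.max_delay)
        self.not_before[account] = self.clock() + delay
        return delay

    def record_success(self, account: str) -> None:
        """A correct password clears the counters for that account."""
        self.failures.pop(account, None)
        self.not_before.pop(account, None)

class FakeClock:
    """Deterministic clock so the throttle can be exercised without sleeping."""
    def __init__(self):
        self.now = 0.0
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds

def attempts_processed(seconds: float, throttle: LoginThrottle,
                       clock: FakeClock, account: str = "victim") -> int:
    """How many wrong guesses the server processes within `seconds` when a
    guesser submits one the instant the throttle allows it."""
    processed = 0
    while True:
        if not throttle.allowed(account):
            clock.advance(throttle.not_before[account] - clock.now)
        if clock.now > seconds:
            return processed
        throttle.record_failure(account)
        processed += 1

if __name__ == "__main__":
    print(f"26^7 at 20/s: {years_to_exhaust(26, 7, 20):.1f} years")
    clock = FakeClock()
    n = attempts_processed(3600, LoginThrottle(clock=clock), clock)
    print(f"wrong guesses processed in one hour with the throttle: {n}")
```

A flat 20 attempts per second would allow 72,000 guesses an hour; with the doubling delay and lockout the same hour yields 13. Two caveats belong next to any such throttle: a per-account lockout is also a denial-of-service lever against the legitimate user, so it is normally paired with per-source throttling and a CAPTCHA step rather than used alone, and it does nothing once the hash database itself is stolen, which is where the bcrypt/scrypt point above comes in.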

~~~
Sunlis
I use so many different services/sites that having a different password for
each one is unrealistic. Here's a small sample: Personal email, work email,
version control at work, Github, bank, university systems, personal computer,
work computer, Facebook, Hacker News, Reddit, Steam, Skype, ... I could go on.
In order to keep track of all of these unique passwords, I would need some
kind of protected database like 1Password [0] (which I do have), or a notebook
with them all written down. At this point, however, cracking/guessing a single
password or obtaining a physical notebook has given someone access to all of
my accounts.

What I typically do is give "important" services unique, random passwords
(bank, personal email, work email; things that can do damage), and use one of
a set of passwords for everything else. If one password gets found, then maybe
only my Reddit, Skype and a few forum accounts are compromised. This has the
advantage that I use the unique passwords frequently enough to memorize them,
and non-unique passwords are used in a few places which results in them also
being used enough that they are memorized.

[0] <https://agilebits.com/onepassword>

------
daker
a good way to create password dictionaries :D

------
impostervt
I'm not a password cracker, but from what I read, my test password of
"superman15" could probably be cracked a fair bit faster than 10 days, as
indicated by the site.

------
sirrocco
Most interesting feature of the site is the counting of years :). I got to 29
million nonagintillion years before I reached Infinity :).

------
andyhmltn
Good site! I recently switched all my passwords over from about 3 varieties of
a ~8 character string to a ~30 character string that's unique (and easy to
remember) for each site. I'm unsure why it's taken me so long to realise that
I could have a super secure password like:

My name is bob smith from California USA and I am trying to login to: xxx

------
atoponce
'abcdefghijklmnopqrstuvwxyz' will take "48 quintillion years"! Sweet!
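
The "48 quintillion years" for the alphabet and laumars' dictionary point above are the same failure: a charset^length meter cannot see that its input is a single alphabetic run, which is among the first things any cracking rule set tries. The Python below is an added example (mine, not zxcvbn's code or the site's) that finds three pattern kinds a checker should refuse to credit as random characters: repeats, ascending or descending sequences, and keyboard-row walks. The US keyboard rows and the minimum lengths are assumptions, and the sample inputs are constructed.

```python
import re

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]  # US layout, assumed

def _same_class(a: str, b: str) -> bool:
    """Both letters or both digits (a sequence never crosses classes)."""
    return (a.isalpha() and b.isalpha()) or (a.isdigit() and b.isdigit())

def find_repeats(pw: str, min_len: int = 3) -> list:
    """(start, text) of runs of one character repeated min_len+ times ('aaa', '111')."""
    pattern = r"(.)\1{%d,}" % (min_len - 1)
    return [(m.start(), m.group(0)) for m in re.finditer(pattern, pw)]

def find_sequences(pw: str, min_len: int = 3) -> list:
    """(start, text) of letter or digit runs stepping by exactly +1 or -1."""
    found, i = [], 0
    while i < len(pw) - 1:
        step = ord(pw[i + 1]) - ord(pw[i])
        if step in (1, -1) and _same_class(pw[i], pw[i + 1]):
            j = i + 1
            while (j + 1 < len(pw) and _same_class(pw[j], pw[j + 1])
                   and ord(pw[j + 1]) - ord(pw[j]) == step):
                j += 1
            if j - i + 1 >= min_len:
                found.append((i, pw[i:j + 1]))
                i = j + 1
                continue
        i += 1
    return found

def find_keyboard_walks(pw: str, min_len: int = 4) -> list:
    """(start, text) of substrings that read straight along a keyboard row,
    in either direction; longest match wins at each position."""
    found, i = [], 0
    low = pw.lower()
    while i < len(low):
        for length in range(len(low) - i, min_len - 1, -1):
            piece = low[i:i + length]
            if any(piece in row or piece in row[::-1] for row in KEYBOARD_ROWS):
                found.append((i, pw[i:i + length]))
                i += length
                break
        else:
            i += 1
    return found

def find_patterns(pw: str) -> list:
    """All (kind, start, text) triples a checker should not count as random."""
    return ([("repeat", s, t) for s, t in find_repeats(pw)]
            + [("sequence", s, t) for s, t in find_sequences(pw)]
            + [("keyboard", s, t) for s, t in find_keyboard_walks(pw)])

def patterned_fraction(pw: str) -> float:
    """Share of the password's characters covered by some detected pattern;
    1.0 means nothing in it should be credited as random."""
    covered = set()
    for _, start, text in find_patterns(pw):
        covered.update(range(start, start + len(text)))
    return len(covered) / len(pw) if pw else 0.0

if __name__ == "__main__":
    for pw in ["abcdefghijklmnopqrstuvwxyz", "qwerty123", "aaa999", "Tr0ub4dor&3"]:
        print(f"{pw!r}: {find_patterns(pw)} covered={patterned_fraction(pw):.2f}")
```

For the alphabet the whole input is one sequence, so a checker using this step would report it as a handful of guesses rather than quintillions of years; a meter that only counts characters has no way to tell the two apart.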

