
The most secure password - uncleleech
https://mostsecure.pw/
======
Freak_NL
There's not much point in complaining about joke websites (it presents just a
single password that is always the same) like this existing, simply because
statistically it is expected that some people will build them for a laugh.
They are harmful though, because some people enjoy spreading fake advice like
this; and often they will gain traction.

For the more ethically inclined amongst us the best course of action is
probably to add this 'password' to some of the lists of common passwords out
there, to help password strength utilities to filter it out on the level of
'correct horse battery staple' — an excellent password in itself, but used as
an oft quoted example and thus not suitable for actual use.

~~~
nyolfen
perhaps a better way to make this joke is to randomly generate a strong
password every time the page is loaded-- who's going to look at it more than
once anyway?

~~~
Eranmane
Maybe have it generate a new password seeded by a browser fingerprint. That
way it _looks_ like the joke works but it doesn't do any damage.

~~~
mnw21cam
Which would basically be a password that is randomly generated from very poor
quality entropy, giving almost as much insecurity as the current example,
while fooling even more people (because it changes). Nice idea.

~~~
simias
Generate a real strong password and store it in a cookie then.

Or just don't and leave it as a joke the way it is, I think we're
over-engineering this.

That being said there's an actual password generator "feature" in duckduckgo
for some reason:
[https://duckduckgo.com/?q=!password&t=ffab&ia=answer](https://duckduckgo.com/?q=!password&t=ffab&ia=answer)

I can't really imagine why anybody would want to use that though...

~~~
woodrowbarlow
what's wrong with using a password generator? or are you just saying that
having it built into a search engine is pointless?

------
prophesi
I think it'd be even better if they delved into the math behind why this
password is so secure. It should then become apparent that the site is satire,
and that the site doesn't randomly generate secure passwords.

Bonus points to only have the password below-the-fold so that those who aren't
going to read the explanation will be less likely to copy, paste, and carry
on.

Ideally, as mentioned in an earlier comment, the password could be seeded
through the browser's fingerprint to allow the joke to remain (it'll be the
same password upon refreshing) but still won't be as damaging for those who
don't get the joke (it's still not cryptographically secure).

~~~
lucb1e
Those are some very good points. I was also thinking "oh someone computed the
least likely password based on leaks, that's cool!" but it's just a static
page with some garbage in a box...

------
DannyB2
I just checked it using

[https://www.ssllabs.com](https://www.ssllabs.com)

And it gets a grade of A.

So that is definitely the password I'm going to use from now on!

Oh, and here's a useful function:

    /* Returns a random integer that was determined by a fair roll of a dice. */
    function randomInt() { return 4; }

~~~
sevensor
That's way more efficient than a Mersenne Twister, and just as random!

------
skybrian
It's a good joke, but a somewhat dangerous one.

The general principle is that humor does not scale. With enough users, the
probability that a joke will be misinterpreted approaches 1.

I'm reminded of Al Franken's latest book where he talks about having to run
what he says through the DeHumorizer now that he's a politician.

------
Bluestrike2
I laughed.

But then I thought about the users who don't know any better and might stumble
onto this site. They aren't stupid. They just don't know any better, and a lot
of education attempts can go over their heads. Worse yet, sites with poor
password policies (seemingly every online banking site in existence,
workplaces, sites with 16 character maximums, etc.) _reinforce_ bad practices
in their minds, while attempts at explaining the problems are forgotten. I'd
probably explicitly note that it's a joke, especially if someone tries to copy
the password. :)

------
kefka
Is this a joke? Because this is _already_ added to password crack
dictionaries now...

If it is a joke, then they need something to indicate that, and very blatantly
at that. Because there's a great deal of people who'd see that and not give it
a second thought to use it.

------
markwaldron
I don't know about all of you, but I'm going to use H4!b5at+kWls-8yh4Guq for
my password everywhere. No way any of you will be able to crack it!

------
sr2
Even if this site was not a joke, I wouldn't trust an online password
generator, especially if the pass is generated on the backend instead of the
client. A quick Google for 'password generator' yields hundreds of these sites
which are more than likely run by the same outfit and are possibly logging the
passes into a database to make cracking various accounts easier.

There's a few PW generators which run on the client only and don't send any
requests to third parties, and I use them sometimes. They are typically very
JS heavy and use different seeds to generate sufficient entropy, like client
fingerprint, mouse co-ordinates, timezone, etc

~~~
svenfaw
If I'm not mistaken, using a Mersenne Twister in a secure application is a
really bad idea.
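
The entropy argument in this subthread and in the fingerprint-seed replies above, as an added example that is not code posted by any commenter: a client-side generator that draws from the Web Crypto CSPRNG with rejection sampling, next to a fingerprint-seeded one whose output is fully determined by its input. All function names, the alphabet and the sample fingerprint are assumptions made for illustration, and a small non-cryptographic PRNG stands in for Mersenne Twister.

```javascript
// Added example, not code from the thread. All names here are hypothetical.
// Web Crypto CSPRNG: global in browsers and recent Node; older Node exposes it via node:crypto.
const rng = globalThis.crypto || require('node:crypto').webcrypto;

// 67 symbols: look-alike glyphs (0 O o 1 l I |) are left out.
const ALPHABET =
  'ABCDEFGHJKLMNPQRSTUVWXYZ' + 'abcdefghijkmnpqrstuvwxyz' + '23456789' + '!#$%&*+-=?@';

// Client-side generation: every character is drawn independently from the CSPRNG.
function securePassword(length = 20, alphabet = ALPHABET) {
  const n = alphabet.length;
  if (n < 2 || n > 256) throw new RangeError('alphabet size must be 2..256');
  const limit = 256 - (256 % n); // reject bytes >= limit so b % n is unbiased
  const buf = new Uint8Array(length * 2);
  let password = '';
  while (password.length < length) {
    rng.getRandomValues(buf);
    for (const b of buf) {
      if (b < limit && password.length < length) password += alphabet[b % n];
    }
  }
  return { password, bits: length * Math.log2(n) };
}

// The fingerprint-seeded variant: output is a pure function of values any site can read.
function fingerprintPassword(fingerprint, length = 20, alphabet = ALPHABET) {
  let seed = 0x811c9dc5; // FNV-1a 32-bit hash of the fingerprint string
  for (const ch of fingerprint) seed = Math.imul(seed ^ ch.codePointAt(0), 0x01000193) >>> 0;
  const next = () => { // mulberry32-style PRNG, not cryptographic
    seed = (seed + 0x6d2b79f5) >>> 0;
    let t = Math.imul(seed ^ (seed >>> 15), seed | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
  let password = '';
  for (let i = 0; i < length; i++) password += alphabet[Math.floor(next() * alphabet.length)];
  // Upper bound only: the 32-bit seed caps the keyspace; a real fingerprint carries less.
  return { password, bits: Math.min(32, length * Math.log2(alphabet.length)) };
}

// Constructed sample fingerprint (user agent | screen | timezone).
const SAMPLE_FP = 'Mozilla/5.0 (X11; Linux x86_64)|1920x1080x24|Europe/Amsterdam';
```

Both functions return 20 characters from the same alphabet, so the two outputs look equally strong on screen; only the `bits` figure, about 121 against at most 32, reflects the difference.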

------
Grangar
This is irresponsible. Some developer's aunt will see this on facebook and
actually use it.

~~~
DannyB2
I think that is unlikely.

Much more likely: a manager will issue a corporate directive that everyone
must begin using this password at once.

------
kangnkodos
They typed in hunter2, but all I see is * * * * * * *.

~~~
kcanini
classic

------
chasil
Here is what I use (notice that I omit zero and the letter O):

    $ ./LinPass.sh luser
    xTJ2B2X3
    $ ./LinPass.sh luser
    JzILD3qd
    $ ./LinPass.sh luser
    IzlXki81
    $ cat LinPass.sh
    #!/bin/bash
    id "${1}" > /dev/null
    if [[ $? -ne 0 || -z "${1}" ]]
    then echo -e "Usage: $0 logname [pw]\n\treset logname's pw & force chg"
         exit
    fi
    if [[ -z "${2}" ]]
    then while [[ $pw != [A-NP-Za-np-z]* ]] || # Begins with a letter
               [[ $pw != *[1-9]* ]] ||           # Has a number
               [[ $pw == *[^A-NP-Za-np-z1-9]* ]] # Has nothing else
         do pw=$(openssl rand -base64 6)         # Safe random source
         done
    else pw="${2}"
    fi
    #echo "${pw}" | passwd --stdin "${1}"
    #chage -d 0 "${1}"
    echo "${pw}"
    # http://brandonhutchinson.com/wiki/Linux_Password_Policy
    #chage -m 7 -M 90 -W 14 hutchib; #chage -M 85 -W 5 -I 5 "${1}"

------
evilDagmar
Unamused. If anything, ambiguous characters should have been excluded. It's a
very small reduction of keyspace in exchange for not entering the wrong
passwords because of glyph similarities.

Either you're expected to remember these 20-character monstrosities (which is
going to be beyond the abilities of most people with 5+ accounts), or more
likely you're going to be reading them from a password manager.

Being ISO-compliant is all well and good, but it's been shown many, many times
that making password restrictions this extreme causes more problems than it
solves.

------
Kaotique
This is an absolutely terrible idea. At least randomly generate a new password
every time you visit the page.

Any internet noob searching for the most secure password might actually use
it.

~~~
recursive
If it was different every time you visited, how could you retrieve your
password if you forgot it?

~~~
Schizotypy
Lmao, yes

------
tillinghast
I think this is brilliant. Culling the herd.

------
dheera
... and then there are stupid websites like Baidu which limit your password to
16 characters.

------
brunoalano
Those names don't exist. So, it's really a joke.

------
dddw
this one is better: [https://passweird.com/](https://passweird.com/)

------
trumbitta2
No spaces? Not secure enough. ( :p )

~~~
astrodust
They should allow emoji and non-breaking spaces in passwords.

~~~
DannyB2
Please don't use emoji in passwords until UTF-128 comes out.

Half of its code points (2 ^ 64) will be characters whose glyphs are every
possible combination of 8x8 bit images. That way you can make monochrome
graphics simply with rows and rows of adjacent characters in the enormous
sized UTF-128 font.

And imagine how many emojis there will be? There would be more than one emoji for
every human who has ever lived.

In short, we'll have really safe passwords using characters from UTF-128. So
be patient. ;-)

------
edgesrazor
H4!b5at+kWls-8yh4Guq it is then!

~~~
imron
0118 999 881 999 119 7253

~~~
SAI_Peregrinus
PolygonPlywoodBrimNibbleUndertow,UnderrateFaxCliqueBribeUnhappily4

EFF Diceware FTW. >128 bits of entropy there. Has uppercase, lowercase, a
number, and a symbol to satisfy misguided password strength rules. Being a
passphrase it's much more memorable than simple passwords. Clearly this
passphrase is the best.

~~~
lucb1e
I'd rather append 0A! to passphrases to satisfy silly requirements instead of
capitalizing Every Single Word (impossible to type at speed) and inserting a
symbol at a random place. This looks a little troubador-sy.

