How secure is my password? (howsecureismypassword.net)
10 points by hasenj 2558 days ago | hide | past | web | favorite | 22 comments

Donate. Donate! "Here's my password, and also five dollars." They are literally getting people to pay them to give up their passwords.

This is the best social engineering attack I've ever seen.

That was my first assumption too, but Wireshark doesn't show anything going across the network as I type, and nothing that looks incriminating when I click "donate" with text in the password box. It looks like it's entirely client-side JavaScript as it claims to be. Kind of disappointing, actually.

edit: ...Unless it's clever enough to only be evil some fraction of the time. I didn't actually check through the code.

Theoretically, it could store the password in a cookie, and later retrieve it, along with (somehow) a gmail id.

Now they need to come up with an excuse for people to create accounts on the site so that they get their usernames.

To the people who are worried about giving up their password, who cares if he gets them? Are passwords really even that worthwhile without being able to tie them to some account on some site?

Let's say that one of my passwords is n0TMyR34lP4sSw0rD, and I enter that into the site. So what? Now you have to guess my username on a site that I might have an account on. Not to mention weeding through all the garbage from people entering in random passwords just to see what the results are.

I understand that being proactive about security is a good thing, but I really think the potential of this being successfully used maliciously is fairly non-existent.

They could create a database with hashes of these passwords and compare them with the recently leaked Gawker hashes. Not all of those passwords have been cracked yet, especially the more complex ones.

There's no way that I'm putting my password in there, but I did make up a password that mimics mine to see how secure it is.

Why would "(^%$@^$%" take a minute to crack and "aaaaaaaa" 5 hours? Anyway, nice try but I don't think I'll be giving you any of my actual passwords.

I was really hoping for something like "It would take N years to crack your password ... but now I know it, so why bother?"

I am safe. "bobobobobobobobobobobobobobo" will take 8 octillion years. Actually, same for "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"

Well in all fairness those are probably pretty good passwords. I would guess they are both extremely uncommon passwords. Furthermore any brute forcing algorithm is probably going to leave trying all 28 character passwords for the end since most people do not have passwords that long.

The highest I could get by making up passwords was 565,892,495,532 nonillion years…

who knew that 'penis' was in the top 500?

I'm really doubting that "vagina" is in the top 500. They must be counting these as basic dictionary lookups and discounting them that way. Any good password cracker would definitely try a dictionary attack before brute force.

Anyone else having a hard time reading the font on that page? It's not so bad on the landing page since there's only a handful of words, but the FAQ (http://howsecureismypassword.net/faq/) hurts my eyes.

It would take "About 487,375 nonillion years" to crack my gmail password.

This made me smile

Well, somewhat less time, now that you have entered it into a random page on the internet :)

Ah, no. I typed a password of the same length and same amount of lowercase, uppercase, digits, and 'special characters'.

I was way too paranoid to type in my real password. As I've now come to realise was everyone else.

I think the passwords you have on different services show how valuable that service is to you. For me, my Google Account is the most important account I have. It has a lot of information about me, and every other service I'm using. If anyone gets my Google Account, they've basically got my whole online identity. So because of that I try my best to make it safe. On the other hand, my Facebook/Twitter accounts have nothing of value, so while I wouldn't like them to get hacked, I don't feel the need to have a 28 character password.

It also told me it would take "About 3 quadrillion years" to crack my password of 11111111111111111111111111.

For the record, the site is not mine.

Obviously you shouldn't put your actual password there, just use the same pattern.

If you want to test 'keh@8R2', replace it with something like 'mnk$6D3'

Hm .... is it really true that aardvarkstasteawesome would really take a quadrillion years to find? Since that's 3 different words, wouldn't a dictionary attack catch that one pretty fast?

Disclaimer: I've never, to my knowledge, eaten an aardvark. Also, this is not my password anywhere.
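Several comments above (the "aaaaaaaa" vs "(^%$@^$%" puzzle, the repeated-character passwords, and the three-word "aardvarkstasteawesome" question) come down to the same point: a pure keyspace calculation ignores the cheap patterns a cracker tries first. The following is an added illustration, not code from the site or from anyone in the thread; the word list, the 100,000-word dictionary size and the rate of 10^9 guesses per second are assumed values chosen for the example.

```javascript
// Constructed sample word list standing in for a real cracking dictionary (assumption).
const WORDS = new Set(["aardvark", "aardvarks", "taste", "awesome", "password", "bob"]);
const ASSUMED_DICT_SIZE = 100000; // assumed size of a real attacker's word list
const SYMBOL_COUNT = 33;          // printable ASCII punctuation

function charsetSize(pw) {
  let size = 0;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) size += SYMBOL_COUNT;
  return size;
}

// Naive estimate of the kind the site appears to use: full keyspace of the
// character classes present, raised to the password length.
function naiveGuesses(pw) {
  return Math.pow(charsetSize(pw), pw.length);
}

// Split pw into a sequence of dictionary words (memoised search), or null if impossible.
function splitWords(pw, i = 0, memo = new Map()) {
  if (i === pw.length) return [];
  if (memo.has(i)) return memo.get(i);
  let result = null;
  for (let j = i + 1; j <= pw.length; j++) {
    if (!WORDS.has(pw.slice(i, j))) continue;
    const rest = splitWords(pw, j, memo);
    if (rest !== null) { result = [pw.slice(i, j), ...rest]; break; }
  }
  memo.set(i, result);
  return result;
}

// Estimate that also accounts for the cheap patterns a cracker tries before brute force.
function realisticGuesses(pw) {
  let guesses = naiveGuesses(pw);
  // A single repeated character: only the character and the length need guessing.
  if (pw.length > 1 && /^(.)\1*$/.test(pw)) guesses = Math.min(guesses, 95 * 32);
  // A concatenation of dictionary words: one dictionary choice per word.
  const words = splitWords(pw);
  if (words !== null) guesses = Math.min(guesses, Math.pow(ASSUMED_DICT_SIZE, words.length));
  return guesses;
}

function crackSeconds(guesses, guessesPerSecond = 1e9) {
  return guesses / guessesPerSecond;
}
```

Under these assumptions "aardvarkstasteawesome" drops from about 10^29 guesses (naive) to 10^15, roughly 12 days at 10^9 guesses per second, and "aaaaaaaa" from 26^8 to a few thousand.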
