
It's mostly good. NIST abolished their algo for password entropy estimation some time ago. I do not much like any password strength tests, most of which rate any number of terrible passwords as strong. As such I think they give a false sense of security. Maybe consider cracklib.

As DenisM said, always use SSL for all traffic if security matters, and don't trust SO for security advice.

The only really useful password strength test would be one that said "A stock Thinkpad would be able to brute force this password in $x hours and $y minutes."

Might make people think twice about that six character password.

How about a response that says "we just googled that combination of email address and the md5 hash of that password, it's been listed in at least 7 different database disclosures, including the Gawker one, the Sony one, and 5 different pr0n site compromises. We suggest using a different password here."

That is only useful if you also specify the conditions under which the "cracking" takes place. Do you mean on-line password guessing? Or do you mean brute-forcing a hashed password leaked from a database?

In case 1, a lock-out policy would quite easily negate your attack. In case 2, the hashing algorithm used is often more important than the length and complexity of the password (up to a point of course, but that point is nowadays well beyond what's practical for a user).
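As an added illustration, not from the thread, of the distinction drawn in the comment above: the same password's keyspace is measured against an online attacker throttled by a lockout policy and against an offline attacker with a leaked hash, where the hash function sets the guess rate. The guess rates and lockout parameters are assumed constants for illustration only.

```python
import math
import string

# Assumed illustrative offline guess rates (guesses/second); not from the thread.
OFFLINE_RATES = {
    "fast hash (e.g. unsalted MD5) on commodity GPU": 1e10,
    "slow hash (e.g. bcrypt at a high cost factor)": 1e4,
}

def charset_size(password):
    """Size of the smallest standard character-class alphabet covering the password."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 symbols
    ]
    return sum(n for chars, n in classes if any(c in chars for c in password))

def keyspace(password):
    """Guesses to exhaust every string up to this length over the inferred alphabet."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))

def offline_seconds(password, rate):
    """Worst-case time to exhaust the keyspace when the attacker holds the hash."""
    return keyspace(password) / rate

def online_seconds(password, attempts_per_window, lockout_seconds):
    """Worst-case time when each lockout window allows only a few guesses."""
    windows = math.ceil(keyspace(password) / attempts_per_window)
    return windows * lockout_seconds

def describe(seconds):
    """Human-readable duration, coarse on purpose."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.2f} seconds"

if __name__ == "__main__":
    pw = "abcdef"  # constructed six-character lowercase example
    print(f"{pw!r}: keyspace {keyspace(pw):,} guesses")
    for label, rate in OFFLINE_RATES.items():
        print(f"  offline, {label}: {describe(offline_seconds(pw, rate))}")
    # Assumed lockout policy: 5 attempts, then a 15-minute lockout.
    print(f"  online, 5 tries per 15 min lockout: {describe(online_seconds(pw, 5, 900))}")
```

The six-character lowercase password falls in under a second against a fast hash, in hours against a slow one, and in centuries against a lockout-protected login, which is the comment's point that the storage format and the attack model matter more than the password alone.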

I think you're expecting too much from users. They need to know what "brute-forcing" a password means, what a stock Thinkpad is, and why it matters.
