'The form you submitted contained the following errors
Return to Previous Page'
I used your password checker here:
I notice that it has set the form field to hide my password as I type it, that there are two lock symbols next to the password box, and that the box is surrounded by a metallic looking image.
These factors would probably lead one to believe that you were treating my password with care, ensuring that it would only be relayed to yourselves and no-one else would be able to read it.
As an untrusting person, I typed something which is not one of my passwords into the box, just to see what would happen. When I submitted the form, my password was transmitted in clear text over the Internet, where it could be read by anyone who happened to be in a position to sniff traffic. This includes my office network!
For a site named 'Get safe online', this seems like the most incredible irony. I will be spreading the word that this site is utterly unsafe to visit, as it is unlikely that I have coincidentally found the single problem.
I notice you advise people that a password 'like' 'SP1D3Rm@n' is secure. This is patently false as such a password is very simple to crack.
Again, this one issue I found, after choosing a single page to test, gives me a complete lack of confidence in the advice of the site. I will also be telling people not to heed advice found here.
Please get some real expert advice on security as the advice you are giving to others, and the problem[s] with your site are likely to cause real problems for people.
They seem like experts... experts in subtle verbal manipulation for those without technical understanding, at least that is how it reads for me.
Over years of archives, including the OP post, 'protect your family' continually appears as a headline. Monetisation is not explicitly outlined, it appears to be government or PPP funded.
Scare tactics, targeted at those probably less internet aware than the HN crowd, rather than education, appear to fund this website by whatever means.
And see how pixelated their main banner image is?
Not only bad grammar, but poor images. Really an amateur website.
It also does work over https:
So I'm pretty sure this is just the fact they failed to setup the redirect. Rather than mocking them on Hacker News, we should just tell them they broke that part of their setup at some point and should fix it?
Tried to contact them, got a "The form you submitted contained the following errors" error which has nothing to do with the form I submitted. XD
Could someone contact them by their contact us page to get this fixed?
There are adverts everywhere about it with obvious government endorsement.
If they are doing statistical analysis on passwords, they'd have to send that information somewhere, so I'm not surprised that they are.
"(Never enter your real password into a password checker, as unlike this one, some may be fake)"
From the page.
That's genius because scammers would never say something like that because that would be lying and people don't lie because it's naughty.
I'd agree but I don't think anyone who reads hacker news is likely to use a password checker anyway. We all, however, know less technical people who could and would get compromised by something like this and to have it endorsed by the government sends the message that it is safe. That's the problem as far as I'm concerned.
The cynic in me says that this is a deliberate effort to grab as many passwords as possible. It sounds outlandish, but what actions of our rogue agencies haven't been?
This looks like a good idea, poorly executed.
Occam's razor says you're right, but while they're busy accusing us all of criminal acts, we may as well do the same.
https://www.cyberstreetwise.com is the website UK government used to get people to send them their passwords.
I've tried a couple more times and not got it again. Anyone else see anything?
EDIT: The IP address reported by MalwareBytes is blocked, but I still don't know if it was just coincidence that the warning popped up a second or two after clicking that link. If anyone else experiences anything similar let me know.
Still it seems to me that this would be an awesome site to use as a watering hole for ensnaring naive web users, i.e. the kind who won't even notice when they are massively infected.
is ranked 93% Exceptional!
The Data Protection Act
Under the Data Protection Act, we have a legal duty to protect any information we collect from you. We use encryption software to safeguard your data, and keep strict security standards to prevent any unauthorised access to it.
There's a widespread misconception that words are always bad because of dictionary attacks, but that concern is moot if you use unique words or simply use a long sentence. A major advantage of sentences is that, because they're memorable, you can more easily use a different password for every site.
What I run into more frequently is that I have to click the 'Forgot password' link and reset it. Then I cross my fingers and wait to see if they email it back in plain text (this is unforgivable) so I can count the characters and learn what the max length is that way.
You could say the same thing about passwords using random characters. The problem isn't getting people to remember them, it's getting people to use random passwords/unique words in the first place. Telling people to "use a long sentence" will just result in them picking common sentences most of the time like "To be or not to be" or "Live long and prosper".
Now let's say you have a 4-word passphrase. There are about 120,000 words in English. There may be more if you include derivatives of words. That gives 2.0736e+20 combinations, not considering the entropy introduced by spaces between words or punctuation marks.
That's just to demonstrate the power of passphrases...but it's not quite a fair comparison; no one has such an expansive vocabulary. So, finally, let's assume that a dictionary attack includes 20,000 of the most commonly used words, and all of the user's words are common, by this standard.
The result is still 1.6e+17 -- again, not including spaces or punctuation: significantly more than an alphanumeric password.
If a site generates a password for the human it would result in a more even distribution of randomly-generated passphrases and reduce passphrase re-use across different sites. The human could then write it down or memorize it (or record it in their password manager, which defeats the purpose of using passwords entirely).
Passwords are mostly dead at this point, and more two-factor service providers need to pop up to prevent over-reliance on passwords. http://twofactorauth.org/
I bet that with a little work, you could come up with a list a few thousand long that would get most of the passwords people come up with like that.
For my memorable passwords, I switched to using a passphrase generator, which comes up with much rarer words than I do off the top of my head.
You forgot using common sense: The number of words most people will actually choose to use is far fewer.
Why? Once you change the word "password" to "passphrase", and get rid of those insane password requirements (must contain 1 upper case, 1 lower case, up to X length, 1 symbol, must not repeat the same character twice or consecutively, etc.), people start to use passphrases. But with enough attacks, you will build a passphrase table, and people who use passphrases will then use the same passphrase on multiple sites, which means it is the same as a password, and then site developers will come out and say "we will implement additional requirements - at least this length with these complexity".
A password which is 12 chars long and complex enough is hard to break. The problem is that people use the same password, and credentials get stolen every day. Can you trust random forums today running your password?
(It's the first letter of every word in that sentence.)
A sentence relevant to me that also refers to the site is easier for me to remember than random words. But perhaps I could make it longer... Use the xkcd idea too.
The entropy is huge unless/until everyone starts making 3 word passphrases the same way with very common words.
There can also be dictionary attacks on common passphrases, especially after a large site is compromised.
Lately I've been changing it up by offsetting my fingers on the keyboard.
Unfortunately each password/phrase input has different requirements and limits, and there are many different confusing help texts explaining them. And it's frustrating to find out the limits after committing to memory and submitting.
What's a good, plainly written ux standard that we can advocate?
Can you recommend a password manager that works on all browsers/devices that you trust?
I have not found that yet, so I use passphrases customized to the site.
Edit: Also fundamentally it means that to access a single site from a compromised device, I'm potentially giving a nice list of all of my credentials.
1Password works on iOS, Android, and Mac (as confirmed by me) and they claim Windows, too. Browser-wise, I can confirm Chrome and Safari. That works for me, as it covers all of my use cases. YMMV, and it most certainly will if you're running Linux.
Downside: good $DEITY is it pricey by the time you cover all of your mobile devices and desktops. The amount of hassle it saves me probably pays for it, but covering all platforms at my house is bumping up against $100 (not including a couple of paid upgrades along the way).
It's in the Debian & Ubuntu repositories. It is also in the F-Droid repository for Android mobiles, so you can install and update easily from an AOSP ROM. All of the above are free and open-source which helps quite a bit with establishing trust. If you are among the majority using Windows or Mac it works there, too.
Sync it between devices by storing its (by default encrypted) database in a service like ownCloud or Dropbox.
Perhaps Microsoft, Apple, and Google could get together to build (or buy and open source) a password manager that would be integrated with their various platforms, for the common good. (I realize solutions already exist, but this would make it much more likely that the general public would use it.)
In their defense, it's stated pretty clearly that you shouldn't enter your real password and that this website allows you to test the "type of passwords" you use.
They could use the fact that it's over HTTP to teach a second lesson in the results page about HTTP vs HTTPS, and warn the user again that he/she should stop using that password immediately.
"(Never enter your real password into a password checker, as unlike this one, some may be fake)"
The sentence is parenthetical, undermining its importance, and it goes in two different directions, which makes it hard to follow. They should clearly advise users against entering their "real" password in one sentence, and then attest to the authenticity of their password checker in a separate sentence.
By the end of their sentence, it's hard to tell whether they mean that I shouldn't put my "real" password into other password checkers. The implication is that their password checker is real and safe. A clearer way to phrase it would be like this:
"Don't put your real password into this password checker."
Then they follow it up with "Why not get your family, friends and workmates to test their passwords too?"
And the placeholder in the input field is "Enter your password".
Most people wouldn't even know the mistake they've made and are probably sending the results link on too.
Capitalize the first letter of correct and battery. Then you get 100% :)
It's like kicking someone out of an apartment. Yes, you know for sure they aren't anywhere in that apartment, but it still makes it harder to locate them in the city with high probability.
Those practices are meant to address the most common 'patterns' in human-generated passwords, therefore effectively enlarging the password space (any cracker has to enumerate more complicated patterns or brute-force, rather than the simple pattern that our brains would generate by default).
As a conservative estimate, let's assume passwords are only chosen from a set of 84 printable ASCII characters and users never choose passwords longer than 10 characters. (If users are using characters outside this set or longer passwords, they'll have more choices than we're estimating.)
All combinations, including the null password, yield 17700847248605297701 combinations, or 63.94 bits of entropy if a password is chosen truly randomly from this set.
Restrict them to passwords at least 7 characters long, and that drops to 17700846893074759680, about 1.9e-9 bits less, still above 63.94 bits.
Further add the restriction that no two adjacent characters are the same and that drops to 15894480881247564960, or 63.78 bits.
Further force the user to use one digit and that drops to 11477476711812418840, or 63.32 bits.
For the sake of my time, I'm going to get a bit sloppy and start over-estimating the cost of restrictions. Further force the user to have at least one upper-case and one lower-case letter and that drops to (more than) 10727550596265784840 passwords, or 63.22 bits.
So, all of these restrictions together cost less than 0.72 bits of entropy. That's an easy price to pay for eliminating large classes of trivial passwords.
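The counting argument in the comment above, as an added worked example (this is not code from the original thread or from the site under discussion): it recomputes the comment's figures exactly using inclusion-exclusion over character classes, and carries the final step (one digit, one upper, one lower, no adjacent repeats) through exactly rather than as the comment's over-estimate. The split of the 84-character alphabet into 10 digits, 26 upper, 26 lower and 22 other symbols is an assumption; the comment gives only the total of 84. The last two helpers put the four-word-passphrase figures from earlier in the thread (120,000 and 20,000-word vocabularies) next to the length of a random alphanumeric password with the same entropy.

```python
from itertools import combinations
from math import log2

# Assumed split of the comment's 84-character alphabet into classes.
# Only the total of 84 comes from the thread; the breakdown is our assumption.
CLASSES = {"digit": 10, "upper": 26, "lower": 26, "symbol": 22}
ALPHABET = sum(CLASSES.values())  # 84


def count_free(k, n):
    """Length-n strings over k symbols with no further restriction."""
    return k ** n


def count_no_repeat(k, n):
    """Length-n strings over k symbols where no two adjacent characters are equal:
    k choices for the first character, then k-1 for each later one."""
    return 1 if n == 0 else k * (k - 1) ** (n - 1)


def count_policy(min_len, max_len, required=(), no_adjacent_repeat=False):
    """Number of passwords of length min_len..max_len over the 84-char alphabet
    that contain at least one character from every class named in `required`.

    Inclusion-exclusion: for each subset of the required classes, count the
    strings that avoid every class in that subset (a smaller alphabet) and
    alternate the sign by subset size.
    """
    per_len = count_no_repeat if no_adjacent_repeat else count_free
    total = 0
    for r in range(len(required) + 1):
        for missing in combinations(required, r):
            k = ALPHABET - sum(CLASSES[c] for c in missing)
            subtotal = sum(per_len(k, n) for n in range(min_len, max_len + 1))
            total += -subtotal if r % 2 else subtotal
    return total


def bits(count):
    """Entropy in bits of a uniformly random choice among `count` candidates."""
    return log2(count)


def policy_cost_table():
    """The comment's ladder of restrictions, each added on top of the previous.
    Returns (label, count, bits) rows; the last row is exact, not a bound."""
    rows = [
        ("any length 0..10", count_policy(0, 10)),
        ("length >= 7", count_policy(7, 10)),
        ("+ no two adjacent equal", count_policy(7, 10, no_adjacent_repeat=True)),
        ("+ at least one digit", count_policy(7, 10, ("digit",), True)),
        ("+ one upper and one lower",
         count_policy(7, 10, ("digit", "upper", "lower"), True)),
    ]
    return [(label, n, bits(n)) for label, n in rows]


def passphrase_bits(vocabulary, words):
    """Entropy of `words` words drawn uniformly from a vocabulary of
    `vocabulary` words (spaces and punctuation ignored, as in the thread)."""
    return bits(vocabulary ** words)


def alnum_length_for_bits(target_bits):
    """Shortest uniformly random password over [A-Za-z0-9] (62 symbols)
    that reaches at least `target_bits` of entropy."""
    n = 1
    while bits(62 ** n) < target_bits:
        n += 1
    return n


if __name__ == "__main__":
    table = policy_cost_table()
    for label, n, b in table:
        print(f"{label:28s} {n:22d} {b:6.2f} bits")
    print(f"total cost of all rules: {table[0][2] - table[-1][2]:.2f} bits")
    for vocab in (120_000, 20_000):
        b = passphrase_bits(vocab, 4)
        print(f"4 words from {vocab:>7d}: {b:5.1f} bits, same as a random "
              f"alphanumeric password of {alnum_length_for_bits(b)} chars")
```

The first four rows reproduce the comment's counts digit for digit; the fifth lands inside the comment's stated bound, so the total cost of the whole policy is still about 0.7 bits. The passphrase comparison shows why the thread calls a four-word phrase "significantly more than an alphanumeric password": even with a 20,000-word vocabulary it matches a 10-character random alphanumeric string, which is far longer than most people choose by hand.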
It would take a desktop PC about A quadrillion years to crack your password
"Your password looks like it might just be a word and a few digits. This is a very common pattern and would be cracked very quickly."
46 quintillion years
password123; DROP TABLE PASSWORDS --
In all seriousness, among the http, the GET param, and the laughable entropy estimates, I wouldn't be surprised if they threw in an SQL injection vuln, a buffer overflow, and a couple of XSS vulns as Easter eggs.
1. They should not ask for any password first of all
2. They post the password to their server when they could have checked it on the client
3. The password is sent via GET, meaning that it is in the URL and it will be recorded in your history and perhaps by anything else that keeps a log of the URLs you visit
Seriously, this is the wording on a government site? I find it offensive.
UK government does do some great IT stuff. This isn't one of those. UK gov also has some horrifically over-budget under-performing train wrecks of IT projects so I guess I should be glad that this isn't one of those.
They want the password on the server side purely for statistics or some other reason that has nothing to do with scoring how "secure" the password is.
I wouldn't trust this site at all with actual passwords.
how in living fuck is that a clever idea?
Gets 100% safe