UK government's password checker sends plaintext password in the URL over HTTP (getsafeonline.org)
226 points by markhemmings 1292 days ago | hide | past | web | favorite | 114 comments



This is what I wrote in their 'Contact' form, which returned an error:

'The form you submitted contained the following errors Missing Data.(DIFFERENT_IP) Return to Previous Page'

I used your password checker here:

http://www.getsafeonline.org/themes/passwrdcheck/index.html

I notice that it has set the form field to hide my password as I type it, that there are two lock symbols next to the password box, and that the box is surrounded by a metallic looking image.

These factors would probably lead one to believe that you were treating my password with care, ensuring that it would only be relayed to yourselves and no-one else would be able to read it.

As an untrusting person, I typed something which is not one of my passwords into the box, just to see what would happen. When I submitted the form, my password was transmitted in clear text over the Internet, where it could be read by anyone who happened to be in a position to sniff traffic. This includes my office network!

For a site named 'Get safe online', this seems like the most incredible irony. I will be spreading the word that this site is utterly unsafe to visit, as it is unlikely that I have co-incidentally found the single problem.

I notice you advise people that a password 'like' 'SP1D3Rm@n' is secure. This is patently false as such a password is very simple to crack.

Again, this one issue I found, after choosing a single page to test, gives me a complete lack in confidence in the advice of the site. I will also be telling people not to heed advice found here.

Please get some real expert advice on security as the advice you are giving to others, and the problem[s] with your site are likely to cause real problems for people.


I did a WHOIS, and seeing a domain registration date back to 2005 gave an air of credibility. So then I visited Internet Archive and browsed several pages https://web.archive.org/web/20080701000000*/http://getsafeon...

They seem like experts... experts in subtle verbal manipulation for those without technical understanding, at least that is how it reads for me.

Over years of archives, including the OP post, 'protect your family' continually appears as a headline. Monetisation is not explicitly outlined, it appears to be government or PPP funded.

Scare tactics, targeted at those probably less internet aware than the HN crowd, rather than education, appear to fund this website by whatever means.


"We have short time to beat powerful computer attack"

And see how pixelated their main banner image is?

Not only bad grammar, but poor images. Really an ammeter website.


Here's an "ammeter" website for you: ammeters.compare99.com


spell-check strikes again (dang keyboard!)


Yes this is terrible...but it isn't the "UK Government", it's a private corporation as per: https://www.getsafeonline.org/about-us/

It also does work over https: https://www.getsafeonline.org/themes/passwrdcheck/index.html

So I'm pretty sure this is just the fact they failed to set up the redirect. Rather than mocking them on Hacker News, we should just tell them they broke that part of their setup at some point and should fix it?

EDIT:

Tried to contact them, got a "The form you submitted contained the following errors

Missing Data.(DIFFERENT_IP)"

error which has nothing to do with the form I submitted. XD

Could someone contact them by their contact us page to get this fixed?


> Get Safe Online is a jointly funded initiative between several Government departments and private sector businesses. In fact, we are the Government’s preferred online security advice channel.

There are adverts everywhere about it with obvious government endorsement.

It's not just that they send it over HTTP. It shouldn't send it anywhere, it should all be done client-side with JavaScript. It's more than "you made a little mistake" it's "who are you to tell people what is, or isn't, secure when you can't even manage the basics?"


I'm not from the UK and I never believe anything a company puts on its about us page. ;)

If they are doing statistical analysis on password, they'd have to send that information somewhere so I'm not surprised that they are.

Anyone who is concerned about security shouldn't be giving their password to a 3rd party to verify [even via a javascript webpage] for any reason.

Also: "(Never enter your real password into a password checker, as unlike this one, some may be fake)" From the page.


I give this site to people so they can check the strength of their twitter password. I think it gets the point across. http://www.ismytwitterpasswordsecure.com


> Also: "(Never enter your real password into a password checker, as unlike this one, some may be fake)" From the page.

That's genius because scammers would never say something like that because that would be lying and people don't lie because it's naughty.


I read that and concluded they meant "Do not use a real password on this site"


> Anyone who is concerned about security shouldn't be giving their password to a 3rd party to verify [even via a javascript webpage] for any reason.

I'd agree but I don't think anyone who reads hacker news is likely to use a password checker anyway. We all, however, know less technical people who could and would get compromised by something like this and to have it endorsed by the government sends the message that it is safe. That's the problem as far as I'm concerned.


It is done client side with javascript, in the results.js on the results page. If they'd put it on the original page, it would all have been client side. The only reason I can think of for doing it this way is statistics collection for later.


It IS "UK Government" - it's a QUANGO, so they can keep it at arms length and wash their hands of it, but be under no illusions, this is a government led initiative for which they ultimately, if not in practice, bear responsibility.

The cynic in me says that this is a deliberate effort to grab as many passwords as possible. It sounds outlandish, but what actions of our rogue agencies haven't been?


That would be a waste of resources given the chances of a real criminal testing his/her password strength on a government-operated website are very remote. Even then, they would have to invest in marketing to get people to actually use it when, we all know now, the GCHQ/NSA can simply collect everything at critical infrastructure points.

This looks like a good idea, poorly executed.


You think they're after "real criminals"? Tell me, what is this "real criminal" of what you speak? Is it someone who disagrees with the edicts of the state? Is it someone who has the wrong skin colour?

Occam's razor says you're right, but while they're busy accusing us all of criminal acts, we may as well do the same.


I just called who I think is the head of the site. A little ironic that the head of a site that is funded by the government to educate how to secure one's privacy online publishes his mobile number in the WHOIS data for said site. He asked me to email him with my concerns, which I have now done.


Even over HTTPS it wouldn't be secure. The password is in the URL so would be stored in the users browser history, and possibly also web-server logs and sent as referrer headers with assets on the secured page.


If you do visit the https version of the page, some of the links back to page still have a hard coded http:// instead of https://


True, ish, they are very much involved.

https://www.cyberstreetwise.com is the website UK government used to get people to send them their passwords.


So this may be a coincidence, but I just followed that link and got a warning from malwarebytes about a malicious website trying to connect to my computer.

I've tried a couple more times and not got it again. Anyone else see anything?

EDIT: The IP address reported by MalwareBytes is blocked, but I still don't know if it was just coincidence that the warning popped up a second or two after clicking that link. If anyone else experiences anything similar let me know.

Still it seems to me that this would be an awesome site to use as a watering hole for ensnaring naive web users, i.e. the kind who won't even notice when they are massively infected.


Just sent an email to their WHOIS contacts.


They're on twitter too @GetSafeOnline


This is the same government that thought they could "block all porn" on the internet?


What a wonderful tool:

http://www.getsafeonline.org/themes/passwrdcheck/results.htm...

Password12345

is ranked 93% Exceptional!


It's great that the results page has the password right in the URL as a GET variable. Makes it much easier to share it on Facebook.


  The Data Protection Act

  Under the Data Protection Act, we have a legal duty to protect any information we collect from you. We use encryption software to safeguard your data, and keep strict security standards to prevent any unauthorised access to it.

I'm lost for words.


We should stop using the term "password" and start emphasizing passphrases. A full sentence is much easier to remember, yet harder to crack, than a shorter, cryptic password. Or, as XKCD put it: http://xkcd.com/936/

There's a widespread misconception that words are always bad because of dictionary attacks, but that concern is moot if you use unique words or simply use a long sentence. A major advantage of sentences is that, because they're memorable, you can more easily use a different password for every site.


I completely agree, but too many websites put upper limits on the password length (which is completely idiotic) to be able to do this in practice.


I agree. It is frustrating when websites place arbitrary limits on characters in a passphrase. It's even more frustrating when they add specific rules (e.g. must use at least one number) that actually lower the number of possible combos in the string.


The worst annoyance for me is when they accept my 32+ character password - which I generate and paste from a password manager - and then they silently truncate it to a shorter length! No error, nothing. I remember hearing about some services that did this but the longer passwords still worked, which gave users a false sense of security.

What I run into more frequently is that I have to click the 'Forgot password' link and reset it. Then I cross my fingers and wait to see if they email it back in plain text (this is unforgivable) so I can count the characters and learn what the max length is that way.


Well, how would they fit the passwords in the database if there was no limit? =)


Please tell me this is sarcasm [0]. I assume from the emoticon that it is.

[0] http://en.wikipedia.org/wiki/Poe's_law


Just truncate to the first 10 characters of course.


> but that concern is moot if you use unique words

You could say the same thing about passwords using random characters. The problem isn't getting people to remember them, it's getting people to use random passwords/unique words in the first place. Telling people to "use a long sentence" will just result in them picking common sentences most of the time like "To be or not to be" or "Live long and prosper".


Well, let's say you have a 5-digit password made up of letters and numbers. That's 60466176 combinations.

Now let's say you have a 4-word passphrase. There are about 120,000 words in English. There may be more if you include derivatives of words. That includes 2.0736e+20 combinations, not considering the entropy introduced by spaces between words or punctuation marks.

That's just to demonstrate the power of passphrases...but it's not quite a fair comparison; no one has such an expansive vocabulary. So, finally, let's assume that a dictionary attack includes 20,000 of the most commonly used words, and all of the user's words are common, by this standard.

The result is still 1.6e+17 -- again, not including spaces or punctuation: significantly more than an alphanumeric password.


It really doesn't matter how much entropy exists because password crackers do not use linear keyspace searches, they use advanced heuristics to guess the most likely possibilities first. The major flaw in passwords is that humans choose them and humans are fairly predictable.

If a site generates a password for the human it would result in a more even distribution of randomly-generated passphrases and reduce passphrase re-use across different sites. The human could then write it down or memorize it (or record it in their password manager, which defeats the purpose of using passwords entirely).

Passwords are mostly dead at this point, and more two-factor service providers need to pop up to prevent over-reliance on passwords. http://twofactorauth.org/


I think even the 20k most common estimate is way high. Think up some words yourself, and look them up in a frequency list. Most of the stuff I came up with off the top of my head was around 4-6k down the list. Look down to 20k and you get stuff like decorum, decked, daylights, daybreak, etc. When was the last time you heard anybody use those in a conversation?

I bet that with a little work, you could come up with a list a few thousand long that would get most of the passwords people come up with like that.

For my memorable passwords, I switched to using [0] pass phrase generator, which comes up with much rarer words than I do off the top of my head.

[0] http://www.fourmilab.ch/javascrypt/pass_phrase.html

[1] http://www.wordandphrase.info/frequencylist.asp

[2] http://en.wiktionary.org/wiki/Wiktionary:Frequency_lists


> There are about 120,000 words in English [...] That includes 2.0736e+20 combinations

You forgot using common sense: The number of words most people will actually choose to use is far fewer.


It sounds like you stopped reading my comment after the first paragraph. I later accounted for the reality that people have limited vocabularies.


It's pretty unfair to compare against a 5-digit password.


Not really. The question was whether words are more or less secure for a given level of ease of memorisation. I'd say 5 random characters are about as easy to memorise as 4 random words.


No, we should come up with something that works better than either, and is more usable. Passwords suck. Does anyone here seriously think we'll still be using them 50 years from now?


I see no difference behind the glory.

Why? Once you changed the word "password" to "passphrase", and get rid of those insane password requirements (must contain 1 upper case, 1 lower case, up to X length, 1 symbol, must not repeat same character twice or consecutively, etc), people start to use passphrases. But with enough attacks, you will build a passphrase table and people who use passphrases then will use the same passphrase on multiple sites, which means it is the same as a password, and then site developers will come out and say "we will implement additional requirements - at least this length with these complexity".

A password which is 12 chars long and complex enough is hard to break. The problem is that people use the same password and credentials get stolen every day. Can you trust random forums today running your password?


I agree! I've been using passphrases for about 12 years, but in this form:

Ia! Ibupfa1y,bitf:

(It's the first letter of every word in that sentence.)

A sentence relevant to me that also refers to the site is easier for me to remember than random words. But perhaps I could make it longer... Use the xkcd idea too.

The entropy is huge unless/until everyone starts making 3 word passphrases the same way with very common words.

There can also be dictionary attacks on common passphrases, especially after a large site is compromised.

Lately I've been changing it up by offsetting my fingers on the keyboard.

Unfortunately each password/phrase input has different requirements and limits, and there's many different confusing help texts for explaining it. And it's frustrating to find out the limits after committing to memory and submitting.

What's a good, plainly written ux standard that we can advocate?


Using a password manager


Yes, even better.

Can you recommend a password manager that works on all browsers/devices that you trust?

I have not found that yet, so I use passphrases customized to the site.

Edit: Also fundamentally it means that to access a single site from a compromised device, I'm potentially giving a nice list of all of my credentials.


> Can you recommend a password manager that works on all browsers/devices that you trust?

1Password works on iOS, Android, and Mac (as confirmed by me) and they claim Windows, too. Browser-wise, I can confirm Chrome and Safari. That works for me, as it covers all of my use cases. YMMV, and it most certainly will if you're running Linux.

Downside: good $DEITY is it pricey by the time you cover all of your mobile devices and desktops. The amount of hassle it saves me probably pays for it, but covering all platforms at my house is bumping up against $100 (not including a couple of paid upgrades along the way).


I can recommend KeePassX.

It's in the Debian & Ubuntu repositories. It is also in the F-Droid repository for Android mobiles, so you can install and update easily from an AOSP ROM. All of the above are free and open-source which helps quite a bit with establishing trust. If you are among the majority using Windows or Mac it works there, too.

Sync it between devices by storing its (by default encrypted) database in a service like ownCloud or Dropbox.


Google Sheets


One problem with this is that most people are typing passwords on phones now, so the longer they are, they more annoying they are to type in. (Although I suppose word completion would help with a passphrase. Although for security it probably shouldn't be enabled for password fields.) Anyway, the real solution is a password manager with unique random sequences of characters for passwords.

Perhaps Microsoft, Apple, and Google could get together to build (or buy and open source) a password manager that would be integrated with their various platforms, for the common good. (I realize solutions already exist, but this would make it much more likely that the general public would use it.)


(Never enter your real password into a password checker

In their defense, it's stated pretty clearly that you shouldn't enter your real password and that this website allows you to test the "type of passwords" you use.

They could use the fact that it's over HTTP to teach a second lesson in the results page about HTTP vs HTTPS, and warn the user again that he/she should stop using that password immediately.


If the sentence you quoted were the one that they used, I would agree with you that it was stated clearly. Unfortunately, they chose to word it this way:

"(Never enter your real password into a password checker, as unlike this one, some may be fake)"

The sentence is parenthetical, undermining its importance, and it goes in two different directions, which makes it hard to follow. They should clearly advise users against entering their "real" password in one sentence, and then attest to the authenticity of their password checker in a separate sentence.

By the end of their sentence, it's hard to tell whether they mean that I shouldn't put my "real" password into other password checkers. The implication is that their password checker is real and safe. A clearer way to phrase it would be like this:

"Don't put your real password into this password checker."


But their reasoning for not entering your real password into a checker is "...unlike this one, some may be fake"

Then they follow it up with "Why not get your family, friends and workmates to test their passwords too?"

And the placeholder in the input field is "Enter your password".


And immediately after they tell you not to enter your real password, they say "Why not get your family, friends and workmates to test their passwords too?"


It's implied at first glance that it's for testing your password though.

Most people wouldn't even know the mistake they've made and are probably sending the results link on too.


Not very clearly. Most people would read over that sentence (I did at first, although I of course wouldn't dream of entering my real password into that site). It should at least be displayed in bold red.


This is appalling and inexcusable for a site that claims to help improve security and that claims to have in the team people such as "a foremost expert on information security awareness"[1]. So this cannot be attributed to ignorance.

[1] https://www.getsafeonline.org/about-us/


It was probably outsourced to Accenture or similar who then paid the cheapest devs they could find in India.


Wow, their advice is terrible too: "86% Exceptional" http://www.getsafeonline.org/themes/passwrdcheck/results.htm...


XKCD's correct horse battery staple earns merely 40% ("Warning: Your passwords are weak and your digital life is at risk!")

http://www.getsafeonline.org/themes/passwrdcheck/results.htm...


When in fact it should earn a 0%, because it's in most common password dictionaries now?


I like the password checkers which just say, "This password is completely insecure, because you just gave it to a strange computer on the internet."


http://www.getsafeonline.org/themes/passwrdcheck/results.htm...

Capitalize the first letter of correct and battery. Then you get 100% :)


Change a '5' to a '6' and add a '1' and you get 100%

http://www.getsafeonline.org/themes/passwrdcheck/results.htm...


Password12345 gets 93%.


Pass#123 is "exceptional". It worries me that people are slow to accept the realities of the xkcd comic on pass phrases (http://xkcd.com/936/). We are training people to think they are secure with passwords that are ridiculously easy to brute force.


Considering how they deduct points for "bad practices", and how avoiding those "bad practices" actually makes for a smaller password space, I have half a mind to spend some time figuring out exactly how much smaller the password space is for a given length if you follow all of their advice.


Any password rules decrease the overall possibility space. The point is that they try to move your password away from the high-probability areas of that space that hackers try first.

It's like kicking someone out of apartment. Yes, you know for sure they aren't anywhere in that apartment, but it still makes it harder to locate them in the city with high probability.


That's not quite right. Assuming you were picking passwords randomly discarding ones that have repeat letters etc makes for a smaller password space, certainly. However that's not how most passwords are generated, especially among the people that need this advice most. If your password generation algorithm is 'think out a random string' and produces 'aabbbbdccdc' then your password space is tiny.

Those practices are meant to address the most common 'patterns' in human-generated passwords, therefore effectively enlarging the password space (any cracker has to enumerate more complicated patterns or brute-force, rather than the simple pattern that our brains would generate by default).


For each rule in isolation, that's true enough. But the point stands: once you add together all those good practices (repetitions, consecutive letters, multiple character sets), how much does that actually reduce the password space? I'm not saying that the space becomes tiny, I'm saying that it becomes smaller, and I'm not sure whether "smaller" is still acceptably large, and it's an assumption that's worth checking.


The cost in entropy for these restrictions isn't zero, but it's tiny and measurable.

As a conservative estimate, let's assume passwords are only chosen from a set of 84 printable ASCII characters and users never choose passwords longer than 10 characters. (If users are using characters outside this set or longer passwords, they'll have more choices than we're estimating.)

All combinations, including the null password, yield 17700847248605297701 combinations, or 63.94 bits of entropy if a password is chosen truly randomly from this set.

Restrict them to passwords at least 7 characters long, and that drops to 17700846893074759680, about 1.9e-9 bits less, still above 63.94 bits.

Further add the restriction that no two adjacent characters are the same and that drops to 15894480881247564960, or 63.78 bits.

Further force the user to use one digit and that drops to 11477476711812418840, or 63.32 bits.

For the sake of my time, I'm going to get a bit sloppy and start over-estimating the cost of restrictions. Further force the user to have at least one upper-case and one lower-case letter and that drops to (more than) 10727550596265784840 passwords, or 63.22 bits.

So, all of these restrictions together cost less than 0.72 bits of entropy. That's an easy price to pay for eliminating large classes of trivial passwords.
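The count above can be checked exactly by inclusion-exclusion over the character classes a password is missing, which also replaces the comment's over-estimated last step with the exact figure. This is an added example, not code from the thread or the site; the 10/26/26/22 split of the 84-character alphabet is an assumption, since the comment does not state one.

```python
from itertools import combinations
from math import log2

# Assumed split of the comment's 84 printable characters into classes:
# 10 digits + 26 upper + 26 lower + 22 symbols = 84.
CLASSES = {"digit": 10, "upper": 26, "lower": 26, "symbol": 22}


def count_free(alphabet_size, min_len, max_len):
    """Strings of length min_len..max_len over the alphabet, no restrictions."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def count_no_adjacent_repeat(alphabet_size, min_len, max_len):
    """Same, but no two neighbouring characters may be equal: the first character
    is free, every later one has (alphabet_size - 1) choices."""
    total = 0
    for n in range(min_len, max_len + 1):
        total += 1 if n == 0 else alphabet_size * (alphabet_size - 1) ** (n - 1)
    return total


def count_passwords(classes, min_len, max_len, required=(), no_adjacent_repeat=False):
    """Count passwords containing at least one character from every class in
    `required`: inclusion-exclusion over the subsets of classes that are absent,
    each term counted over the alphabet with those classes removed."""
    counter = count_no_adjacent_repeat if no_adjacent_repeat else count_free
    total_size = sum(classes.values())
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            size = total_size - sum(classes[c] for c in missing)
            total += (-1) ** k * counter(size, min_len, max_len)
    return total


def bits(count):
    """Entropy in bits of a uniformly random choice among `count` passwords."""
    return log2(count)


def thread_steps(classes=CLASSES):
    """Reproduce the comment's stages; the last stage is the exact count rather
    than the comment's deliberately over-estimated bound."""
    return {
        "any length 0-10": count_passwords(classes, 0, 10),
        "length 7-10": count_passwords(classes, 7, 10),
        "+ no adjacent repeat": count_passwords(classes, 7, 10, no_adjacent_repeat=True),
        "+ one digit": count_passwords(classes, 7, 10, ("digit",), True),
        "+ one upper and one lower": count_passwords(
            classes, 7, 10, ("digit", "upper", "lower"), True),
    }


if __name__ == "__main__":
    steps = thread_steps()
    base = bits(steps["any length 0-10"])
    for name, n in steps.items():
        print(f"{name:27s} {n:>22d}  {bits(n):.3f} bits  (cost {base - bits(n):.3f})")
```

The first four stages reproduce the comment's figures exactly; the exact final stage comes out slightly larger than the comment's lower bound, so the total cost of all the rules stays under 0.72 bits.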


Thanks for doing my "homework" for me :). Interesting, I seriously expected the repetition and adjacency restrictions to add up to a much bigger cost, to be honest.


This seems like the right venue to let them know that you have been a victim: https://www.getsafeonline.org/share-your-story/


Hahahahaha. This is a total embarrassment and it is why we can't have nice things. There is always this for a decent alternative:

https://howsecureismypassword.net/


Password1234567890

It would take a desktop PC about A quadrillion years to crack your password [Tweet Result]


OK, but if you keep reading:

"Your password looks like it might just be a word and a few digits. This is a very common pattern and would be cracked very quickly."


'abcdefghij' would take 9 hours to crack?


Thankfully correcthorsebatterystaple takes a quintillion years. I'm safe.


I thought they did a bloom search over the top 1000 most common passwords or something, I guess if you feel very strongly about this you could contact the creator :)


abcdefghijklmnopqrstuvwxyz

46 quintillion years

score!


Page is gone now. Seems someone noticed and did the only right thing.


  password123; DROP TABLE PASSWORDS --

My password score is 502 Error: Bad Gateway. What did everyone else score?

In all seriousness, among the http, the GET param, and the laughable entropy estimates, I wouldn't be surprised if they threw in an SQL injection vuln, a buffer overflow, and a couple of XSS vulns as Easter eggs.


This is so wrong on so many levels.

1. They should not ask for any password first of all
2. They post the password to their server when they could have checked it on the client
3. The password is sent as GET meaning that it is in the URL and it will be recorded in your history and perhaps anything else that keeps log of the URLs you visit

100% fail


"Failure Your passwords are laughable which makes you an easy target for cyber criminals. You should disconnect your computer now or got to..."

Seriously, this is the wording on a government site? I find it offensive.


It is depressing that money is spent on that website rather than on curating a list of good password managers for all platforms and persuading people to move to those.

UK government does do some great IT stuff. This isn't one of those. UK gov also has some horrifically over-budget under-performing train wrecks of IT projects so I guess I should be glad that this isn't one of those.


    password1234
    50%: Sufficient
    
    a12345678910
    92%: Exceptional

So, they try to give you negative points for "sequential numbers" but you get more points for having numbers than you lose, so it's useless. As long as you have a 12-character string with at least one number and one letter, your password will probably pass.


Wow, “vwcsgwuqmhcmzlsfgdmbuvi” is laughable, 24%, while replacing the last two characters with “V:” is exceptional, 100%?


My initial thoughts are just why not do this client side using javascript? No need for the string to leave the client.


Not sure how this works, but if I were writing something that checks "goodness" of passwords, I'd want to check it against a large, sorted list of like the 100 million most common passwords (since almost any attacker would start with a dictionary attack, and 10-100 million passwords is decently quick to run against a weak key derivation function). Such a database would be huge, so you'd prefer to do that server-side.


Like dasmoth says, use a Bloom filter.

Or run the length and character checks in Javascript, then hash the password and send the hashed version for dictionary lookup.
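The Bloom filter suggested in this thread, as an added example that is not code from the thread or the site: a compact set that can be shipped to the client, so the common-password check needs no round trip at all. The list of "common" passwords is a constructed stand-in for the real top-N list, and the 1e-6 false-positive target is an assumed tuning choice.

```python
import hashlib
from math import ceil, exp, log

# Constructed stand-in for a real common-password list (which would be the top-N
# leaked passwords, millions of entries). Strings here are taken from the thread.
COMMON_PASSWORDS = ["password", "password123", "Password12345", "123456", "qwerty",
                    "correcthorsebatterystaple", "letmein", "abcdefghij"]


def optimal_parameters(n_items, target_fp_rate):
    """Bit count m and hash count k giving roughly target_fp_rate for n_items."""
    m = ceil(-n_items * log(target_fp_rate) / (log(2) ** 2))
    k = max(1, round(m / n_items * log(2)))
    return m, k


class BloomFilter:
    def __init__(self, m_bits, k_hashes):
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item):
        # Double hashing: k bit positions derived from two 64-bit halves of one
        # SHA-256 digest, position_i = (h1 + i*h2) mod m. h2 is forced odd so the
        # positions do not collapse onto a single bit.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item):
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))

    def expected_fp_rate(self, n_items):
        """Standard estimate (1 - e^(-kn/m))^k of the false-positive probability."""
        return (1 - exp(-self.k * n_items / self.m)) ** self.k


def build_common_password_filter(passwords=COMMON_PASSWORDS, target_fp_rate=1e-6):
    """Build the filter once (server side) and ship its bytes to the client."""
    m, k = optimal_parameters(len(passwords), target_fp_rate)
    bf = BloomFilter(m, k)
    for pw in passwords:
        bf.add(pw.lower())  # case-fold so "Password12345" and "password12345" both hit
    return bf


def is_common(bf, candidate):
    """True means 'probably in the list' (a false positive is possible but rare);
    False is definitive, so a password that passes is genuinely not on the list."""
    return candidate.lower() in bf
```

Note that the alternative of sending a plain hash of the password for a server-side lookup protects nothing: a guessable password's hash is inverted by the same dictionary in the same time, whereas the filter keeps the password on the client.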


Look at the list of things they check. It shows you how they calculate the score for the password. The actual scoring is in fact done in JavaScript, which you can see when you inspect the page.

They want the password on the server side purely for statistics or some other reason that has nothing to do with scoring how "secure" the password is.


They don't seem to do a dictionary check at all.


Bloom filter?


I think the best thing about this is that "Open, sesame" gives a green light, 87% and Exceptional status.


Yep, and they add the password to the url: https://www.getsafeonline.org/themes/passwrdcheck/results.ht...



http://www.getsafeonline.org/themes/passwrdcheck/results.htm...

I wouldn't trust this site at all with actual passwords.



Do they really subtract score for consecutive lowercase / uppercase letters or consecutive numbers? Disallowing that reduces the overall entropy.


They are also encouraging people to type their password into random sites, which is IMO the worst aspect of this.



And it's down again. After submitting a password I get redirected to the homepage.



Sort of like http://privatekeycheck.com/ in the worst possible way?


It would be even more fun if they also asked for your email address at the same time (for security, you know, to protect against viruses).


<cynical> Nice way for UKGov to harvest a load of passwords for their own use </cynical>


lol - looks like they are in the process of removing the password checker from the site!


It seems they heard us, the page is now 404.


Jesus wept....


wait, they actually encourage entering your password into random websites?

how in living fuck is that a clever idea?


It's gone. Somebody noticed.


how safe is this password really? and is it better if I add a goat?

Gets 100% safe


They clearly need more money.



