Show HN: How Secure Is My Password (opens in new tab)

(howsecureismypassword.io)

6 pointsazazqadir7y ago12 comments

12 comments

I've seen some dark satire on HN lately. What I see here is another neat implementation of an unconstructive idea, amusing for reflecting our flaws. We really should know better than to share or encourage sharing passwords with third parties. The same goes for CC details ("enter your CC and see if it's been stolen"). The right place for a widget like this is on the signup or change password page itself.

You've put forward a little risk/reward proposition where users are unable to properly assess the risk. People love to be rated, that part's easy. You rely on them to take your word on the site's affiliation, to not understand that you can collect passwords despite saying otherwise, or vary the site's behavior mod N, or cross-match fingerprint:password with leaked/purchased/accumulated fingerprint:username data, and so on. They look at it and think, 'looks legit'. It might well be, but the proposition is unfair and its unconstructive to condition users to accept this type of trade-off.

SanderSantema7y ago

Just to add to your comment:

A safe way to rate your password on MacOS is to use the Keychain Access app. Generate a new password by pressing cmd-n and than fill in your current password or a new password you'd like to use. It even includes a function to automatically generate passwords, automatically generating passwords online isn't something I'd like to do either. I either make them up from random text, which I see online & offline, or I use the Keychain Access app.

Besides the native Keychain Access app all other decent third party password managers include a way to automatically generate safe passwords. This makes online tools redundant, unless they've been made with another purpose in mind like practicing coding or possibly malicious intents.

ibdf7y ago

Why is something like "alksjdlq" or "alskjdlakjv" weak? Do brutal force attacks focus on any combination of characters? or combination of known words?

If the password above is not a word, or a combination of words, or something personal, and it's long enough... how is it not a strong password?

Also, if you five away what a strong password consists of (case, length, characters, symbols) then doesn't that make it weaker because you give bots/attackers a pattern to follow?

strkek7y ago

> Also, if you five away what a strong password consists of (case, length, characters, symbols) then doesn't that make it weaker because you give bots/attackers a pattern to follow?

I don't think it changes anything at all. Attackers won't ignore "dolphins" just because a meter says it's weak.

Unless it's an actual limitation of the site where you're signing up, in which case the culprit for the reduced search space would be the website for such password limitations, not because the password strength meter.

astro_robot7y ago

Eh, I feel like this is pretty bland. It should incorporate a dictionary attack database. For example, "password" should be considered way weaker than any combination of letters. I would look at https://howsecureismypassword.net/ for inspiration.

kbirkeland7y ago

Dropbox's zxcvbn[1] seems to do a good job of this along with detecting sequences and keyboard patterns.

[1] https://github.com/dropbox/zxcvbn

detaro7y ago

fhn4VBnJbeMBxx is apparently less safe than Password1234!

As is keep peace there hello, randomly generated according to the XKCD method.

Sorry, these things just can't work reliably.

teddyfrozevelt7y ago

This seems to just be a mixture of length and other criteria like a number, upper and lowercase letters, and symbols. Even a 128 word password only gets a 6/10. It should really score based on the entropy of the password.

vardump7y ago

This fails to consider long passphrases secure. Long passwords don't need special characters, but this estimator is only happy once you use all "character classes".

JakDrako7y ago

The scoring algo is pretty bad. You get 1 or 2 points for each characters classes and some points for length (at lengths 7, 13, 16 and 21).

"AAaa11!!" scores nicely using this method (one "blip" from a perfect green bar), but zxcvbn (from Dropbox) gives it a score of "1" with an estimated crack time of 13 minutes.

stevekemp7y ago

Ironically the site itself is insecure - the link goes here:

https://howsecureismypassword.io/

But the SSL certificate is only valid for:

https://www.howsecureismypassword.io/

xori7y ago

Step 1: provide service to rate password

Step 2: provide links to share password strength on social media

Step 3: watch social media to correlate username and password based on time

Step 4: ???

Step 5: Profit

j / k navigate · click thread line to collapse