Test Your Password's Strength with The Password Meter

The Password Meter web utility tests the strength of your password as you type it, scoring it on a number of positive and negative password attributes. The test measures your password's number of characters, the types of characters used, and the order of your characters. (Sequential letters or numbers, for example, make for weak passwords.) Toss your favourite high-security password into this tool—you may be surprised at how you did.



I like the one site that grabs an MD5 hash of your password, and then you search for THAT MD5 hash.
If google finds it, it's gotta be a bad password ;)
The most secure password is one that you write down and can't remember yourself.
Just don't tape it onto your monitor.
ahoier
@LemonButt: Actually, you can drop the ")" and still get 100%. See my earlier post.
dkrice
According to this site, the most secure password you can have (100% rating) is 1234567890 when holding down the shift key: !@#$%^&*()
LemonButt
@KillDeer: Ok, I'm talking about the tech articles in general. The ones like ripping DVDs, running old DOS games, etc, are all good resources. Those posts about nuts and stuff, they pretty much fall under the "Fun Stuff / Neat Shit" category for me. But to actually suggest this site, and not have it be on April 1st, then all I can say is "wow".
nman
interesting....i have seen these before on signup pages for different websites. the system is obviously a bit flawed, but still fun and interesting to see how your favorite password does.
Ashley927
I guess we'll know what happened if Lifehacker starts publishing from a cabana in Costa Rica.
Maybe you guys can mooch Tim Ferriss's wifi. :-)
That_Bastid
April 1st already? Adam you prankster you! ;)
SirSmiley
Regardless of what people determined after the fact that this was posted it is a bad idea to send your password unencrypted over the net, ever.
the average user can't determine if this site is malicious either.
This post to Lifehacker should be "Don't use sites like this, ever".
robdew
Considering how [www.passwordmeter.com] is obscured to be unreadable, making verification of its behavior difficult, I wouldn't trust it.
And, its algorithm seems broken too: I put in 15 random letters/numbers (XZIRG7mAleNAUJA), and that's 52% ("good"). Tack on a "g", and now it's 30% ("weak"). Adding a character should not make a weaker password.
derobert
I think there's something wrong with it. I should have about a 60% but it drops to 0% after 12 characters and won't let you put in more than 16 characters. Microsoft's checker still takes the cake.
Swizzler121
Sheesh, y'all are a paranoid bunch. First off, it only takes a few seconds of snooping to see that there's no remote calls being made.
Secondly, even if they were ganking your password, what good would it do anyone? Seriously? They've got your IP and a password you might use for something somewhere. BFD.
This thing's algorithm is whack anyway. Honestly, if your password is 10+ characters and isn't something dead-simple (a la mypassword) then you're pretty much set.
Rob P.
I've been using the Password Generator app on my "Ironkey" thumbdrive and in order to get a 100% scoring I had to move to at least a 10 integer password using all available characters. In testing, the first password generated to pass at 100% was T)*N[&%41f
DCGaymer
Nice to see passwords being scored by some web app, but can someone actually tell me what the score means? Does a 100% password score mean a 0% guess rate by hackers? If you can't deduce anything from the score, then it's just a meaningless onlinequiz-esque webapp and nothing more.
kureshii
[grc.com] gives some nice passwords... All the passwords (root, domain admin, and otherwise) at work score 100%.
acatzr800
@an_other: have you heard of AJAX before?
acatzr800
MY passwords exceed 16 characters (it's near 21), the program doesn't check beyond 16 chars.
If I cut short the password to 16 then it gives me 40%.
And if I use 8 letters of my password it gives me 100%.
Mind you, this is the same password cut short!!
How is that possible??!
ssuasw
At the bottom of the page there is a link called:
Download Password Meter Package
from where you can download the package and unzip,
then open with a browser.
You don't have to type your password into the website, for security reasons.
But I also have doubts about the algorithm of the evaluation of security.
ieuroc
Please tell me that's an early April Fools prank because some of the results of this are plain nonsense.
anticitizenone
I saw a few people mentioned Keepass - great password manager.
I work for PassPack, an *online* password manager.
You can generate your passwords, test their quality and store them safely, accessing them from anywhere - all in one go:
[passpack.wordpress.com]
Louise
LouiseVin
@nman: "lowering" You mean this article is shittier than the one about eating nuts where the writer says he likes them "whole or in pieces"?
KillDeer
Definition: brute force attack
A method of defeating a cryptographic scheme by trying a large number of possibilities; for example, exhaustively working through all possible keys in order to decrypt a message.
see [en.wikipedia.org]
Definition: Dictionary Attack
In cryptanalysis and computer security, a dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by searching a large number of possibilities.
see [en.wikipedia.org]
In order to do a brute force attack, one has to go through 2^127, or 170141183460469231731687303715884105728 possible combinations on the average to crack an AES 128 bit cipher.
The dictionaries used in a dictionary attack are much smaller, but from a cracker's point of view, they leave a giant blind spot when it comes down to 'good' passwords. We're told to use first letters of phrases to come up with these phrases, but I'm willing to bet there are a lot of repeats. For example, a patriotic American might use 0scucBtde1. Out of 300 million Americans, there's a good chance this will repeat. Note: Crackers caught on a long time ago to using digits instead of letters.
I'm not just cynical, I'm outright paranoid, and with the possibility of adding to a cracker's dictionary, I won't touch this.
Carnegie Mellon University has an excellent web page about choosing a good password:
[www.cs.cmu.edu]
and CERT has an excellent section on home computer security:
[www.cert.org]
Please check out these sites and surf safely.
shadocat
Indeed. And if there ever was a category "fumble!" on lifehacker, this thread would be the winning one.
Buzcatcher-Bis
portezbie
lol I also feel that this sounds like a terrible idea. I am starting a website that predicts your future based on your credit card info. I see debt in your future......
This is the winning comment in the thread.
heavylee-again
This kind of fails....
3141592653589793 apparently scores 0%
And a password like "blah56crap" becomes less secure if you add any extra letters onto the end...
Little bit of a fail tbh..
m0u53m4t
Wow, look! A password harvester. Remember, kids. Only input passwords you never intend to use!
perigee
These online sites are a great idea! I have another one: I'll set up my notebook with a USB card reader on a small table in front of our local savings bank: "We check the security of your credit card, banking card or similar!" Just insert your card and enter the pin! We promise that no data will be stored! If you are suspicious you can check that this PC is not connected to the internet on the backside of this PC (no cable visible!)! Then I'll go home and come back after a few hours. Looking at the amount of positive comments here I suspect that I will have a lot of data for a great long holiday on the Cayman Islands.
Matthyas
Hmm, to me a 100% strength password that nobody can remember without writing down still is less secure than a less strong password you can remember.
In my personal experience in IT risk management of a large company, if you make people remember passwords like &fsB7vC&ywmB69J (generated from a secure password generator, not used by me and scores 100%) or something, these passwords just end up on post-its beneath the keyboard (you would be surprised how many such post-its you find under keyboards).
xahmol
Got to agree my 10 character password is rated at 0 even though it is non-word per se.
symo
h567+()
Strong
Score: 73%
h567+()51265000
Very Weak
Score: 0%
sevenhabits
A few tests show that the scoring formula behind the evaluator is deeply flawed.
ab12cd34 : Good (54%)
ab12cd34aa : Weak (26%)
How on Earth can the latter password be weaker than the former ?
altherac
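Added example, not part of the original thread and not The Password Meter's code: a locally computed brute-force search-space estimate applied to the password pairs commenters posted above. It shows that under exhaustive search, appending characters can only enlarge the keyspace, and it reproduces the 2^127 average quoted earlier for a 128-bit key. The character-class pool sizes and all function names are assumptions of this sketch, and it does not model dictionary attacks.

```javascript
// Added example: brute-force search-space estimate, computed locally.
// Assumed pool sizes: 26 lower, 26 upper, 10 digits, 33 other printable ASCII.
const CLASSES = [
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[0-9]/, size: 10 },
  { re: /[^a-zA-Z0-9]/, size: 33 },
];

// Alphabet an exhaustive search must cover, from the classes actually present.
function poolSize(pw) {
  return CLASSES.reduce((n, c) => (c.re.test(pw) ? n + c.size : n), 0);
}

// Exact count of candidate strings of this length over that alphabet.
function keyspace(pw) {
  return BigInt(poolSize(pw)) ** BigInt([...pw].length);
}

// Exhaustive search finds the secret after half the space on average.
function averageGuesses(space) {
  return space / 2n;
}

// Same quantity in bits, easier to compare than a percentage.
function bits(pw) {
  return [...pw].length * Math.log2(poolSize(pw) || 1);
}

// Pairs quoted by commenters: a password and the longer one scored lower.
const PAIRS = [
  ["XZIRG7mAleNAUJA", "XZIRG7mAleNAUJAg"],
  ["h567+()", "h567+()51265000"],
  ["ab12cd34", "ab12cd34aa"],
];

// Appending characters keeps or grows the pool and grows the length,
// so this estimate can never report the longer password as weaker.
function compare([shorter, longer]) {
  return {
    shorterBits: bits(shorter),
    longerBits: bits(longer),
    longerIsWeaker: keyspace(longer) < keyspace(shorter),
  };
}

for (const pair of PAIRS) console.log(pair.join(" -> "), compare(pair));
console.log("128-bit key, average guesses:", averageGuesses(2n ** 128n).toString());
```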
@Chef, with AJAX, such phishing sites don't need you to click any submit button, actually.
Buzcatcher-Bis
Ahahaha, April Fool's is tomorrow!
Josh*
The best kind of phishing tool is the one that doesn't even pretend to look like your bank and still asks what your password is. :D
sam1am
Question: What exactly does the score mean? What is a 100%-strength password?
There is no password that is unbreakable.
Posco Grubb
huh. the password "A5bC1d3!*%)00000" is 0%... odd.
Temoto
@5h17h34d: It uses a script to determine password strength; no information is submitted. Otherwise, you'd have to press a 'submit' button or something before your results appeared, or it would have to be an applet to collect information.
Also, you can download the tester application for fully local password twiddling if you don't trust the web UI.
Chef
buuut. I could download the app and run it offline =D
illfatedpupulon
uh.... I'm sure as ever not going to place my passwords online to a 3rd party I don't know =p
illfatedpupulon
LMAO!
5h17h34d
@lm: Thanks for entering me with your current login password which scores 100%. w00t! w00t!
Ivan
Rezekne, Latvia
cronick
I got a 100% that I've actually memorized and it wasn't "randomly generated"!
Try and crack my mp5 hash bitches :P
GloStix
Just for the heck of it I tried "!@#$%^&*(" and got 100%.
dkrice
@That_Bastid: Maybe Adam should have said, "Toss your favorite high-security password into this tool-you may be surprised at how dumb you are."
BTW, I also highly recommend Keepass.
dkrice
Thinking about password strength, a significant factor not measured on the site is the forced random updates that are often required.
zolielo
My military grade password only pulled a 76%. Blah, I do not like the "repeating a character" and "repeating the case" deductions.
zolielo
@johnhorneguitar: lol I am now reading everyone's email!!
betogonza
My current login password scores 100%. w00t!
lm
crap, that was supposed to read as "http://lifehacker.com/373624/test-your-passwords-strength-with-the-password-meter" and "qwerty"
nman
ok, so both of these passwords get an 8%
[lifehacker.com]
and
qwerty
nman
Adam sez: Toss your favorite high-security password into this tool-you may be surprised at how you did.
I wouldn't be surprised to wind up in deep shit after typing my passwords into a site that uses an anonymization service to hide its own identity.
[who.godaddy.com]
Adam, I know it's Sunday and all, but ...really!
That_Bastid
lol I also feel that this sounds like a terrible idea. I am starting a website that predicts your future based on your credit card info. I see debt in your future......
portezbie
@dotancohen: I so agree with you. Before I even got to the comments I thought: "OK, enter my super duper, never fail me passwords into an internet form. I might as well go to one of those Bank of America sites that say they are disabling access to my account due to abnormal activity noticed (I don't have an account at BOA) and enter my passwords here to "fix it" too.
To say the least it seems a little dangerous. Maybe a better idea is to do a real basic guide on making strong passwords, and some links to some random password generators. Just a thought.
John_T
My 16 character password got a 62 after 30 points in deductions from repeat characters and too long a string of lower-case letters. Gah? Seems kinda odd.
I did have a version at one point that was a local JAR file -- it must use the same algorithm, as it gave me a 92. No way that is coincidence.
tigerhawkvok
Ya gotta be foolish to go to an unknown/untrusted source and happily give them your passwords.
Consider yourselves owned!
5h17h34d
it wouldn't even let me finish typing my 21 letter password that I use for my email, it just gave me 100%
FRIEDjellyWALNUT
lol our network master admin password got a 23% while my everything password got a 98%. I could have sworn with the combo of symbols numbers and letters our master password would have scored much better.
Falconfire
This is definitely better than the microsoft one that was published earlier. I recommend KeePass as well.
shk
Woot, PayPal password is 100%.
Dooga
Did you read the comments on the original article that said how big of a POS that program was? Either Lifehacker is severely lowering its standards, or you just forgot to check out the program before linking it.
nman
Just use keepass.
johnhorneguitar
This is stupid, a short password can have a strength of 50%, but add a few letters and it can go down to 0%. That's not how password crackers work at all.
theRIAA
You're not "giving" the site anything. Like an_other said above. It's all done locally, you're not submitting any information online.
KillDeer
On the one hand, it appears to be JavaScript and runs (as mentioned in an earlier comment) on the local machine. On the other hand, getting regular users in the habit of entering all of their passwords into a test site seems a bit scary; not all of us run in a separate isolated VMWare window, disconnect our connection or use security/debugging tools to watch how an application works. Caveat lector. Trust but verify. The truth is out there. ;)
amarand
Wow! My regular 13 character password got 100%, yet my old password which was 16 characters only got 89.
rkninc
If you visit the site and disconnect from the internet the site will still rate your password, so whatever the method of checking, it is done on your local machine and not over the internet.
Of course, if you're paranoid clear your cookies before reconnecting to the net or just don't use the site.
an_other
68%. Not too shabby.
11hawkinst
I'm a bit wary about giving my passwords to a site that simply wants to tell me how secure they are. I might as well give them my ssh login name and IP address as well.
dotancohen
Free Keepass ([keepass.info]) has something similar built-in, even if you don't use it to store any passwords it makes more sense to me to grab the portable version and keep the tested passwords private than visit a site and type them in.
brundle
My 15 character password scored 100% and dropped to 0% when I added two numbers to the end.
I understand that if the two numbers added to the end are repeated then my rating will drop, but to drop from 100% to 0% seems ridiculous.
an_other
Am I the only one who thinks it's maybe not such a good idea to go online and start typing in your passwords?
johnhorneguitar
Strange how when I type in my 16 character password, it says it's strong at about 10 characters, then when I type in more it starts getting weaker. I don't quite agree with that logic. Even if there are repeat letters, it shouldn't make it go down to 0% at 14 characters. Keep in mind I went to a random password generator to make this password.
Iuvat
@KillDeer: Ah I understand it now. I didn't realize it's deducting points for repeating a character, and repeating the case. Odd but I guess it's valid.
KillDeer
52% on my 9 character pass but I can get a 100% if I were to substitute things like a=4 s=5 o=()
Darkmatter91
My regular passwords ended up being 30%.
Also if you simply type lower case characters, after eight your score drops to 0% but at five lower case characters it's 7%. Doesn't seem right at all.
KillDeer
I got 66% with my 9-character password. Not too bad.
To get a higher rating you apparently need symbols in your password? I'm not sure most password-forms even support that.
WarCow