Show HN: How Secure Is My Password

I&#x27;ve seen some dark satire on HN lately. What I see here is another neat implementation of an unconstructive idea, amusing for reflecting our flaws. We really should know better than to share or encourage sharing passwords with third parties. The same goes for CC details (&quot;enter your CC and see if it&#x27;s been stolen&quot;). The right place for a widget like this is on the signup or change password page itself.<p>You&#x27;ve put forward a little risk&#x2F;reward proposition where users are unable to properly assess the risk. People love to be rated, that part&#x27;s easy. You rely on them to take your word on the site&#x27;s affiliation, to not understand that you can collect passwords despite saying otherwise, or vary the site&#x27;s behavior mod N, or cross-match fingerprint:password with leaked&#x2F;purchased&#x2F;accumulated fingerprint:username data, and so on. They look at it and think, &#x27;looks legit&#x27;. It might well be, but the proposition is unfair and its unconstructive to condition users to accept this type of trade-off.

Why is something like &quot;alksjdlq&quot; or &quot;alskjdlakjv&quot; weak? Do brutal force attacks focus on any combination of characters? or combination of known words?<p>If the password above is not a word, or a combination of words, or something personal, and it&#x27;s long enough... how is it not a strong password?<p>Also, if you five away what a strong password consists of (case, length, characters, symbols) then doesn&#x27;t that make it weaker because you give bots&#x2F;attackers a pattern to follow?

Eh, I feel like this is pretty bland. It should incorporate a dictionary attack database. For example, &quot;password&quot; should be considered way weaker than any combination of letters. I would look at <a href="https:&#x2F;&#x2F;howsecureismypassword.net&#x2F;" rel="nofollow">https:&#x2F;&#x2F;howsecureismypassword.net&#x2F;</a> for inspiration.

<i>fhn4VBnJbeMBxx</i> is apparently less safe than <i>Password1234!</i><p>As is <i>keep peace there hello</i>, randomly generated according to the XKCD method.<p>Sorry, these things just can&#x27;t work reliably.

This seems to just be a mixture of length and other criteria like a number, upper and lowercase letters, and symbols. Even a 128 word password only gets a 6&#x2F;10. It should really score based on the entropy of the password.

This fails to consider long passphrases secure. Long passwords don&#x27;t need special characters, but this estimator is only happy once you use all &quot;character classes&quot;.

The scoring algo is pretty bad. You get 1 or 2 points for each characters classes and some points for length (at lengths 7, 13, 16 and 21).<p>&quot;AAaa11!!&quot; scores nicely using this method (one &quot;blip&quot; from a perfect green bar), but zxcvbn (from Dropbox) gives it a score of &quot;1&quot; with an estimated crack time of 13 minutes.

Ironically the site itself is insecure - the link goes here:<p><a href="https:&#x2F;&#x2F;howsecureismypassword.io&#x2F;" rel="nofollow">https:&#x2F;&#x2F;howsecureismypassword.io&#x2F;</a><p>But the SSL certificate is only valid for:<p><a href="https:&#x2F;&#x2F;www.howsecureismypassword.io&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.howsecureismypassword.io&#x2F;</a>

Step 1: provide service to rate password<p>Step 2: provide links to share password strength on social media<p>Step 3: watch social media to correlate username and password based on time<p>Step 4: ???<p>Step 5: Profit