Protect your users by showing them how weak they are - Security & Cryptography

venam
Administrators
Hello *nixers,
Passwords are becoming less and less secure.
One solution is to show the end user how weak his password is.
http://www.geekwisdom.com/dyn/passwdmeter
However, for the average user, an 8-char password is already the limit of what his/her 8-bit memory can support.

You can also use RSA keys, but it's not the everyday user that will use that.
venam
Administrators
Sorry, 8 chars. I'll EDIT that right away.
Mafia
Long time nixers
I got a score of 34 I think, and I have caps, special chars, and it's fairly long lol.
D9u
Long time nixers
Great idea!
Get people to enter their password(s) into your DB by scoring how "secure" their password(s) is/are!

Then, harvest DB to populate your word list(s)
BSD is what you get when a bunch of Unix hackers sit down to try to port a Unix system to the PC.
Linux is what you get when a bunch of PC hackers sit down and try to write a Unix system for the PC.
Jayro
Long time nixers
(27-02-2013, 06:52 PM)NeoTerra Wrote:
(27-02-2013, 05:19 PM)D9u Wrote: Great idea!
Get people to enter their password(s) into your DB by scoring how "secure" their password(s) is/are!

Then, harvest DB to populate your word list(s)

It's just a text box, there isn't anything being submitted. Though it's likely possible, I doubt that venam would link a site that harvests passwords.

Nothing needs to be submitted. It could store the password the same way it is using Ajax to turn it into a variable and run it through all of the security tests. It may not get posted to the server right away, but could probably be placed in a cookie and read later.
venam
Administrators
D9u is seeing conspiracies everywhere.
Use duckduckgo, you'll be safer.
Mafia
Long time nixers
(28-02-2013, 03:33 AM)venam Wrote: D9u is seeing conspiracies everywhere.
Use duckduckgo, you'll be safer.

+1
Jayro
Long time nixers
(27-02-2013, 11:57 PM)NeoTerra Wrote:
(27-02-2013, 11:33 PM)Jayro Wrote: Nothing needs to be submitted. It could store the password the same way it is using Ajax to turn it into a variable and run it through all of the security tests. It may not get posted to the server right away, but could probably be placed in a cookie and read later.

Looking at the script, there isn't anything there that seems suspicious xD

Well it could easily be modified to log passwords. :)
D9u
Long time nixers
My apologies. I didn't mean to infer that Venam was posting a link to a malicious site.
BSD is what you get when a bunch of Unix hackers sit down to try to port a Unix system to the PC.
Linux is what you get when a bunch of PC hackers sit down and try to write a Unix system for the PC.
FreeBSD
Long time nixers
Hey, I scored a 39! What did everyone else get?
I do Byte
venam
Administrators
I scored 34 but with passwords that don't have special chars; with special chars it goes around 40.
engraze
Members
44 points here.
pvtmert
Members
I thought the exact same thing... yay, get free passwords, wordlist, such haker, wow :)

I'm amazed my password (not the exact one; I moved the numbers one up with wrap-around and exchanged - and _), with a length of 20, can hit 50... but it feels like 12 or something when you get used to it...
shtols
Long time nixers
I used a made-up password that follows my usual password-scheme closely. I scored 53, mainly because of the length.
z3bra
Grey Hair Nixers
"correct horse battery staple"

19 points: weak
BANGARANG, MOTHERFUCKER
sodaphish
Long time nixers
I wrote an article in Linux Journal about using two-factor authentication in Linux. It's a good article (iidssms) http://www.linuxjournal.com/article/8338 and it still applies, from what I know.
xero
Long time nixers
so tell me,
did anyone view the source to make sure they're not logging passwords as you test them? They don't appear to be (http://www.geekwisdom.com/js/passwordmeter.js) but I'm just curious if anyone even bothered to look before typing. This could have been an awesome bait and switch idea!
z3bra
Grey Hair Nixers
There are a lot of password testers online. I never test my own password in them, just in case... As I once read regarding this kind of thread:

Somebody on the internet Wrote: So you want me to send my password to some random website, to see how good I am at security?
shtols
Long time nixers
^ That's why:
Quote:I used a made-up password that follows my usual password-scheme closely. I scored 53, mainly because of the length.
sodaphish
Long time nixers
haystack password theory, ftw!

the basic crux of it comes down to one of entropy. So, is the password "P@ssw0rd" better or worse than ".....password....."? The latter is *exponentially* stronger, yet infinitely easier to remember. Check out GRC's write-up on "haystacks" at https://www.grc.com/haystack.htm
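The haystack comparison above, worked through in code as an added example (not from the thread or from GRC's page): it computes the brute-force search space for the two passwords in the post, and also shows the caveat that a padded or leet-mangled dictionary word collapses to a single wordlist entry. The class sizes, the tiny `WORDLIST` and the `LEET` map are assumptions for illustration; it runs offline.

```python
import math
import string

# Alphabet each character class adds to a blind brute-force search
# (assumed class sizes: 26 lower, 26 upper, 10 digits, 33 symbols incl. space).
CLASSES = [
    (frozenset(string.ascii_lowercase), 26),
    (frozenset(string.ascii_uppercase), 26),
    (frozenset(string.digits), 10),
    (frozenset(string.punctuation + " "), 33),
]

# Constructed, tiny stand-in for a cracking word list (not a real list).
WORDLIST = frozenset({"password", "monkey", "letmein", "dragon"})

# Common substitutions a rule-based cracker undoes before a dictionary lookup.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e"})


def alphabet_size(password: str) -> int:
    """Alphabet size implied by the character classes present in the password."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Guesses needed to exhaust every length 1..len(password) over that alphabet."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def haystack_bits(password: str) -> float:
    """log2 of the search space: the 'haystack' strength the post argues for."""
    return math.log2(search_space(password))


def dictionary_core(password: str, wordlist=WORDLIST):
    """Return the wordlist entry the password is built from, or None.

    This is the caveat to the haystack figure: it assumes a blind brute force,
    whereas a cracker tries padded and mangled dictionary words first.
    """
    core = password.strip(string.punctuation + " ").translate(LEET).lower()
    return core if core in wordlist else None


def compare(a: str, b: str) -> dict:
    """Side-by-side haystack figures and dictionary findings for two passwords."""
    return {p: {"alphabet": alphabet_size(p), "bits": round(haystack_bits(p), 1),
                "dictionary_word": dictionary_core(p)} for p in (a, b)}
```

`compare("P@ssw0rd", ".....password.....")` shows the padded form needing roughly twice the bits to brute-force, while both resolve to the same wordlist entry.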
shtols
Long time nixers
Related to "P@ssw0rd" I'll just leave this here.