Filed under: Internet, Security, Microsoft
Microsoft Password Checker: 1234 is not a secure password, who knew?
If you want to avoid being yet another bad movie statistic, you might want to check out Microsoft's Password Checker web site before choosing your next password. As you type characters into the box, Microsoft will let you know just what a bad idea your chosen combination of characters is.
The secret isn't just to choose a long stream of characters. You also want to mix up numbers, letters, and other characters. In fact, we found that you could in 52 numbers and still get a weak score. Microsoft recommends using at least 8 characters, and preferably 14 or more, with a good mix of letters, numbers and symbols.
[via Web Worker Daily]
Reader Comments (Page 1 of 1)
Paul R said 8:51AM on 3-11-2008
I only did a quick check of the code but it appears to send the password to MS' server over http instead of https. I guess if you get a good score you could have considered it a safe password prior to sending it through 20 servers on the internet in cleartext.
Reply
alienvenom said 8:52AM on 3-11-2008
Dude, that's awesome.
Kai said 8:58AM on 3-11-2008
Ahem... I hope you do realize that the code is written in Javascript... that is, the code that determines whether your password is secure or not is run in the web browser, on the client. The password is never sent through the Internet, so it doesn't matter whether the page is loaded through HTTP or HTTPS.
Unless of course, the page is somehow spoofed (DNS hijacking?) with one that sends the password. So maybe HTTPS is still better (because you can verify the certificate, and check that the page is really from Microsoft). And if you desire that, just change the http:// in the link to the page above to https://
alienvenom said 8:54AM on 3-11-2008
Yeah, it's flawed. "Password" (note the capitol P) is rated medium. Yet a password of "abcdefghijklmnopqrstuvwxyz" is rated low.
Reply
keeves said 8:49AM on 3-11-2008
your example of abcdefghijklmnopqrstuvwxyz, should defiantly be rated low, as it is probably quite common!
Ethan said 8:51AM on 3-11-2008
More notably askjdbaksjdbaskdggmncxvdjf is a weak password.
Koan said 8:54AM on 3-11-2008
That's because if your password was to be brute forced, many brute forcing programs start with a lower case alphabet. Many people don't use uppercase letters in their passwords so a standard lowercase attack works all too often.
However, "abcdefghijklmnopqrstuvwxyz" would take a long time to brute force.
EnOne said 11:30AM on 3-11-2008
The only way to get a 'Best' rating is to use a 14+ character password using lower case, capitols, numbers and symbols.
I have difficulty with the Idea of memorizing multiple passwords like this
Reply
Steve G said 6:18PM on 3-11-2008
Then you need RoboForm. Have all the complex passwords you like and you don't have to remember them!
eSeamus said 5:47AM on 3-15-2008
More problematic is that a person's full name and social security number is considered to be the best in terms of security.
Reply