Microsoft Password Checker: 1234 is not a secure password, who knew?
As a general rule, people who don't take security very seriously will tend to use the same password for many services. And they'll make sure that password is easy to remember by choosing a birth date, anniversary, or loved one's name to protect their computer files, bank records, and everything else you can use to steal their identity. At least that's how it works in the movies.
If you want to avoid being yet another bad movie statistic, you might want to check out Microsoft's Password Checker web site before choosing your next password. As you type characters into the box, Microsoft will let you know just what a bad idea your chosen combination of characters is.
The secret isn't just to choose a long stream of characters. You also want to mix up numbers, letters, and other characters. In fact, we found that you could type in 52 numbers and still get a weak score. Microsoft recommends using at least 8 characters, and preferably 14 or more, with a good mix of letters, numbers and symbols.
[via Web Worker Daily]
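Why 52 digits can still score as weak: a meter that counts character classes ignores length once a class is missing. The JavaScript below is an added example, not Microsoft's checker or code from this post. Its rating thresholds, the `COMMON` deny-list and the sample passwords are assumptions constructed for illustration, and it sets such a meter beside a brute-force search-space estimate and a predictability check.

```javascript
// Added example. The rating rules are assumptions built from the thresholds the
// article quotes (8 and 14 characters, mixed classes); this is not Microsoft's code.
const CLASSES = [
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[0-9]/, size: 10 },
  { re: /[^a-zA-Z0-9]/, size: 33 }, // printable ASCII symbols, space included
];

// Constructed sample deny-list; a real one holds many thousands of entries.
const COMMON = new Set(["password", "1234", "123456", "qwerty", "letmein"]);

const classesUsed = (pw) => CLASSES.filter((c) => c.re.test(pw));

// Hypothetical class-and-length meter.
function classMeter(pw) {
  const n = classesUsed(pw).length;
  if (pw.length >= 14 && n === 4) return "best";
  if (pw.length >= 8 && n >= 3) return "strong";
  if (pw.length >= 8 && n >= 2) return "medium";
  return "weak";
}

// Upper bound on the brute-force search space, in bits: length * log2(alphabet).
// It only holds if every character was picked at random.
function searchSpaceBits(pw) {
  const alphabet = classesUsed(pw).reduce((sum, c) => sum + c.size, 0);
  return alphabet ? Math.round(pw.length * Math.log2(alphabet)) : 0;
}

// What a class meter cannot see: known passwords and straight runs (abcd, 4321).
function isPredictable(pw) {
  if (COMMON.has(pw.toLowerCase())) return true;
  const steps = [];
  for (let i = 1; i < pw.length; i++) steps.push(pw.charCodeAt(i) - pw.charCodeAt(i - 1));
  return steps.length >= 3 && Math.abs(steps[0]) === 1 && steps.every((d) => d === steps[0]);
}

// Constructed inputs: 52 digits, a dictionary word, the alphabet, a mixed 14-character string.
const samples = ["8305917264".repeat(5) + "19", "Password", "abcdefghijklmnopqrstuvwxyz", "vT7#qLm2!xRz9&"];
for (const pw of samples) {
  console.log(pw.slice(0, 12), classMeter(pw), searchSpaceBits(pw) + " bits", isPredictable(pw));
}
```

Under these assumed rules the 52-digit string rates weak despite having the largest search space of the four samples, while "Password" rates medium and is flagged only by the deny-list.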
Comments
alienvenom Mar 11th 2008 8:54AM
Yeah, it's flawed. "Password" (note the capital P) is rated medium. Yet a password of "abcdefghijklmnopqrstuvwxyz" is rated low.
keeves Mar 11th 2008 8:49AM
Your example of abcdefghijklmnopqrstuvwxyz should definitely be rated low, as it is probably quite common!
Ethan Mar 11th 2008 8:51AM
More notably askjdbaksjdbaskdggmncxvdjf is a weak password.
Koan Mar 11th 2008 8:54AM
That's because if your password was to be brute forced, many brute forcing programs start with a lower case alphabet. Many people don't use uppercase letters in their passwords so a standard lowercase attack works all too often.
However, "abcdefghijklmnopqrstuvwxyz" would take a long time to brute force.
Paul R Mar 11th 2008 8:51AM
I only did a quick check of the code but it appears to send the password to MS' server over http instead of https. I guess if you get a good score you could have considered it a safe password prior to sending it through 20 servers on the internet in cleartext.
alienvenom Mar 11th 2008 8:52AM
Dude, that's awesome.
Kai Mar 11th 2008 8:58AM
Ahem... I hope you do realize that the code is written in JavaScript... that is, the code that determines whether your password is secure or not is run in the web browser, on the client. The password is never sent through the Internet, so it doesn't matter whether the page is loaded through HTTP or HTTPS.
Unless of course, the page is somehow spoofed (DNS hijacking?) with one that sends the password. So maybe HTTPS is still better (because you can verify the certificate, and check that the page is really from Microsoft). And if you desire that, just change the http:// in the link to the page above to https://
EnOne Mar 11th 2008 11:30AM
The only way to get a 'Best' rating is to use a 14+ character password using lower case, capitals, numbers and symbols.
I have difficulty with the idea of memorizing multiple passwords like this.
Steve G Mar 11th 2008 6:18PM
Then you need RoboForm. Have all the complex passwords you like and you don't have to remember them!
eSeamus Mar 15th 2008 5:47AM
More problematic is that a person's full name and social security number is considered to be the best in terms of security.