17

Is it safe to enter my real passwords to test them?

I mean, are the entered passwords being recorded/transmitted to someone else?

Jafowun
  • 173
  • 1
  • 1
  • 4
  • 9
    Visit the website, disable network connection, type in password, close website, enable network connection. – styfle Jul 23 '12 at 00:56
  • 1
    In addition to the other comment, you can also change the password. Like if the real one is aA1$, you can enter bB2# instead, and it will give the same result. – Luc Aug 27 '12 at 16:49
  • 14
    This site declares that 'BillClinton' would take 59 years to crack on a desktop PC, so, regardless of whether the site is safe or not, I advise not to put too much confidence in whatever it says. Mathematically, the strength of a password depends on _the process_ which generated the password, and cannot be measured on the password alone. – Thomas Pornin Aug 27 '12 at 22:36
  • Just do exactly what @styfle suggests and you'll be safe. Never input any password in a "password checker" site without disabling your connection first to be on the safe side. – Mahn Sep 07 '12 at 03:47
  • 4
    @Mahn: Technically, the password checker could still e.g. save your password in a cookie and steal it when you next visit the site. – Ilmari Karonen Sep 07 '12 at 13:14
  • 2
    @IlmariKaronen Then I should update my first comment to say visit the website *in private browsing mode* as the first step. – styfle Sep 07 '12 at 17:32
  • "Mathematically, the strength of a password depends on the process which generated the password, and cannot be measured on the password alone" - @ThomasPornin can you justify that? It seems to make no sense to me - but I am always willing to learn :-) – Mawg says reinstate Monica Feb 03 '17 at 08:39

6 Answers6

32

It's very difficult to know for sure.

It appears that this website uses a client-side script to check the password, without sending anything to the server. As such it seems it's safe to use.

However, knowing that requires a certain amount of technical knowledge. At least, it requires to know how to check what a script is doing using Firebug or developer tools.

Here there doesn't seem to be any network activity, but:

  • A later version of this service could change its script without you noticing.
  • There could be awkward conditions that cause it to send a password, it could be a bug or a "feature" whereby it would record a league table of the hardest passwords it has found (that would be a stupid idea from an honest site, of course).
  • This website doesn't use HTTPS, so a MITM attacker could potentially replace this script to make it send the data somewhere (perhaps less likely, but possible in principle).

In general, it's a bad idea to use this sort of service precisely because it's very difficult to know what it's doing in the general case (especially for non technical users).

selfthinker
  • 285
  • 1
  • 6
Bruno
  • 10,875
  • 1
  • 39
  • 61
  • Can anyone find the source code? If I "view source" on this, I see a minified JS file, but that doesn't seem to be the script. How are they doing this on the client side? Fiddler doesn't even report back any files loading. Very strange. –  Sep 07 '12 at 01:55
  • right now, the source is available ( https://howsecureismypassword.net/assets/js/app.min.js ) but its partly minified – Florian Fida Jun 28 '14 at 21:45
  • To update, this site now uses https – ClydeTheGhost Sep 19 '18 at 21:22
7

"safe" is a binary value. Is it safe to play Russian Roulette? The answer has to be risk based.
Would I test the password I use to log into CNN.com? Sure, all that password protects is my preferences on CNN. I don't care if it is broken.

Would I put in my banking password? No, absolutely not.

What value does it provide? What risk does it involve?

I'd argue it provides very little value; the mechanics of calculating a secure password are very well known, and don't require a website to perform. What risk does it involve? Some risk - but several other commenters have identified ways to control/mitigate/reduce that risk.

Is the risk/value tradeoff acceptable? That's entirely a subjective determination.

MCW
  • 2,572
  • 2
  • 16
  • 26
6

Ha, this question has been asked about quadrillion nonagintillion times but in regards to rainbow tables. But in this case, the answer is that it is safe to enter password because it's not transmitted to the another site.

It does only client-side calculations in javascript, so it doesnt transfer any passwords outside the browser to perform server-side storage or something like this.

However if the website is hacked, you will be out of luck.

The website should be really identified with valid cert as well it should publish how they protect their server, because the password website is very likely to be hacked this way.

As this one looks running some sort of LAMP, might be vulnerable to file overwrite or sql injection statistically. It should be really static page, and from what it looks, will eventually get hacked and modified with the password logger.

Andrew Smith
  • 1
  • 1
  • 6
  • 20
  • 22
    The question is: should you be trusting some random stranger on the Internet about the security of where you're typing your password? How do you know he didn't write that site and wants to lull you into sending him all of your passwords? – bahamat Jul 22 '12 at 19:21
  • 3
    This answer is misleading that it is safe if you only read the first paragraph. (we know people hate to read) – Eric Labashosky Aug 26 '12 at 13:59
  • 2
    The maintainer of the page could also decide at any time to change the code to send him your passwords. – Stephen Touset Apr 11 '13 at 18:22
3

it's a small thing, and the safety of the solution is not compromised, but bear in mind that http://howsecureismypassword.net/ contains 5 different cookie sharing websites (as reported by Collusion), so the tracker networks have recorded that fact that you have been there.

Less security minded users may then fall for promoted security products on other websites that share these tracker networks.

i.e. why you'll now find various password vault programs being advertised to you on websites for a few days!

  1. Google Analytics
  2. Google Syndication
  3. Double Click
  4. Google APIs
  5. Google User Content
Callum Wilson
  • 2,543
  • 11
  • 16
  • 1
    While this is ~3 years old, I'd like to update people to the fact there are now 26 cookies. 6 from ttps://howsecureismypassword.net/ and then 20 from other sources such as Google, Facebook and Twitter. – BaeFell Feb 25 '15 at 12:48
2

The site analyzes passwords based on the combination of letters, numbers and symbols etc. You do not need to enter your specific password. I.E. your password is ABc45* well enter CDz64# and check, it will tell you how safe that combination is.

jashead
  • 21
  • 1
-5

It's safe.

You're not providing full credentials (it doesn't ask for your user ID that goes with the password you're checking) so even if it did transmit the password anyone who views this data would have no idea whose password it is.

SSS
  • 1
  • 2
    You are providing your IP address, which can make very productive cross-references. Buy ads on a few sites and you'll get plenty of site/username/IP correlations. Another lower-footprint but less efficient technique would be to monitor newly activated accounts on various sites. – Gilles 'SO- stop being evil' Dec 13 '12 at 17:19
  • 3
    Just because it doesn't have your username doesn't mean it's "safe". It could be adding every password submitted to a dictionary that could be used for brute forcing at a later date. Once your password is in a dictionary it is much less secure. It is best not to ever reveal a password anywhere except to the service that requires it. – Grezzo Dec 13 '12 at 23:31