
Are web sites that do Password Strength/Entropy tests like for example

safe? Can I trust that they won't add my last password tested to a database of passwords?

Tobi Nary
  • Besides your question, they are also utterly useless. See this question: https://security.stackexchange.com/questions/193092/password-entropy-varies-between-different-checks – Tom K. Jan 21 '19 at 12:24
  • IMHO you are not meant to insert your actual password there. The idea is that you can check whether a certain generic form yields weak or strong passwords. Obviously they don't really work for that either, but you are not supposed to insert a password you currently use, have used or plan to use in any case. – Giacomo Alzetta Jan 21 '19 at 16:07

1 Answer


Since you already came to the conclusion that it would be possible, it is safe to assume other people might have had the same thought. It's also safe to assume people might have had those thoughts with a different intention than you had.

So: Most likely there might be one site or more that actually do exactly what you would think they do. It's even worse than you think: A quick check of some of those sites shows that - besides their own JS - they include third party javascript e.g. for ad-placement and so on. So even if they do not log your passwords, a third party might decide to do so.

You can (if it is implemented purely in JS) read through the code and decide if it is "clean" or not. However, this could change with every call you make to the site, so I suggest not using them. By the way: at least http://www.passwordmeter.com/ does give you all the calculations in plain text. You can simply do it by hand or write a short script that tests everything for you.

BTW: I just realized that very site does not even use transport layer encryption. That's my facepalm of the day.

Tobi Nary
Ben
  • Even for other sites that offer that possibility - like haveibeenpwned - actually entering passwords that are in use is not a great idea. Even if haveibeenpwned does have mandatory TLS. – Tobi Nary Jan 21 '19 at 12:29
  • @TobiNary More importantly, haveibeenpwned does not send the whole password to the backend. It hashes it securely and only sends a prefix of the hash to the backend. The backend returns a list of hashes matching that prefix, which is generally relatively big, and the client side then sees if the exact match is present. It is explained on the site, and looking at the HTTPS requests you can see that that's what it actually does. This said: any use in a business should really download the password DB and avoid anything online... – Giacomo Alzetta Jan 21 '19 at 16:10
  • @GiacomoAlzetta I know Troy Hunt is doing his best to make it as safe as possible, yet it remains a password being entered on a high profile website. Nonetheless, it would be best to refrain from doing that and use offline methods for both. HIBP does offer to download the hashes for offline search, and the algorithms for entropy calculations are freely available as well. – Tobi Nary Jan 21 '19 at 16:14
  • Or for haveibeenpwned you can calculate the SHA1 of your password yourself, and submit the first five characters to the API directly if you don't want to use the website. I think that's what most of those businesses using the service would be doing. – Ben Jan 21 '19 at 20:46
  • No, businesses would not use a 3rd party tool for doing this. HIBP provides the whole archive of compromised passwords so corporations would download the files for offline use. Never online password strength checking. Never. – BlueWizard Jan 22 '19 at 14:37
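The two routes the comments describe, hashing locally and sending only a five-character SHA-1 prefix to the range API, versus checking against a downloaded copy of the archive, as an added Python example that is not part of the original thread or of Troy Hunt's service. The range response and its counts are constructed for the example (only the SHA-1 of the word "password" is a real hash); the endpoint URL and the `Add-Padding` header are the documented ones, and `fetch_range_online` is never called unless you choose to. The full password never leaves the function that hashes it, which is the whole point of the k-anonymity design being discussed.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

# Real range endpoint of the Pwned Passwords API: GET /range/<5 hex chars>.
API_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Hash locally and split the hex digest: only the 5-char prefix is ever sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Entries with count 0 are padding the API adds when Add-Padding is requested
    (so response size does not reveal the prefix) and are dropped.
    """
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        suffix = suffix.upper()
        if len(suffix) != 35 or not count.isdigit():
            raise ValueError(f"malformed range line: {line!r}")
        if int(count) > 0:
            table[suffix] = int(count)
    return table


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: ask only for the prefix, match the suffix client side."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_online(prefix: str) -> str:
    """Network fetcher for breach_count (not exercised offline)."""
    req = urllib.request.Request(
        API_RANGE_URL + prefix,
        headers={"Add-Padding": "true",
                 "User-Agent": "example-range-check/0.1"},  # placeholder UA
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for one range response. The second suffix is the real
# SHA-1 tail of "password"; every count here, and the other suffixes, are made up.
SAMPLE_RANGES = {
    "5BAA6": "\r\n".join([
        "0" * 34 + "1:2",                              # constructed suffix
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",  # real suffix, constructed count
        "F" * 35 + ":0",                               # padding entry, must be ignored
    ]),
}


def fetch_range_offline(prefix: str) -> str:
    """Offline fetcher that serves the constructed sample above."""
    return SAMPLE_RANGES.get(prefix, "")


def count_in_local_archive(password: str, archive_lines: Iterable[str]) -> int:
    """The fully offline route: scan 'FULLHASH:COUNT' lines from a downloaded archive."""
    full_hash = "".join(sha1_prefix_suffix(password))
    for line in archive_lines:
        digest, _, count = line.strip().partition(":")
        if digest.upper() == full_hash and count.isdigit():
            return int(count)
    return 0


if __name__ == "__main__":
    print(breach_count("password", fetch_range_offline))  # 3730471 (constructed count)
    print(breach_count("correct horse battery staple", fetch_range_offline))  # 0
```

To use the live API instead of the sample, pass `fetch_range_online` as the fetcher; the only change is where the range text comes from, which is exactly why the suffix comparison belongs on the client.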