Have you been hacked?

Comments

  • RG2015
    RG2015 Posts: 6,055 Forumite
    Ninth Anniversary 1,000 Posts Name Dropper Photogenic
    edited 27 February 2023 at 12:30PM
    I have just looked at a couple of password strength checking sites, passwordmonster.com and bitwarden.com.

    One password I tried on each site got the following results.

    Password monster

    Very Strong
    8 characters containing: 
    Lower case, upper case, numbers
    Time to crack your password:
    7 years
    Review: Fantastic, using that password makes you as secure as Fort Knox.

    Bitwarden

    Your password strength:
    weak
    Estimated time to crack:
    3 hours

    PS: As per the previous post, common sense is the most vital component, along with prudent research and taking on board all comments on sites like this.
  • km1500
    km1500 Posts: 2,790 Forumite
    1,000 Posts Second Anniversary Name Dropper
    So what was the password you tried?
  • RG2015
    RG2015 Posts: 6,055 Forumite
    Ninth Anniversary 1,000 Posts Name Dropper Photogenic
    km1500 said:
    So what was the password you tried?
    Ha!

    It was a weak password as identified in my post without any symbols.

    8 characters containing: 
    Lower case, upper case, numbers

    It just goes to show that you need to try at least 2 probably 3 or 4 separate sources for any information website.


  • Gillor
    Gillor Posts: 803 Forumite
    Part of the Furniture 500 Posts Photogenic Name Dropper
    MEM62 said:
    Antivirus will never trump common sense as an effective tool for keeping data safe.  
    The trouble with common sense is that it isn't that common.
  • km1500
    km1500 Posts: 2,790 Forumite
    1,000 Posts Second Anniversary Name Dropper
    edited 27 February 2023 at 3:32PM
    "Lower case, upper case, numbers"

    That does not help.

    Were the letters a word or words, or random?

    i.e. was it something like Bicycle9 or something like eRgv8wlf?

    both of which are 8 characters containing lower case, upper case, numbers
  • debitcardmayhem
    debitcardmayhem Posts: 12,757 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    edited 27 February 2023 at 4:58PM
    km1500 said:
    "Lower case, upper case, numbers"

    That does not help.

    Were the letters a word or words, or random?

    i.e. was it something like Bicycle9 or something like eRgv8wlf?

    both of which are 8 characters containing lower case, upper case, numbers
    Or perhaps like Merdearrive1, ok it’s more than 8 but it is not English, but dictionary words. I.e. essaitcheyetea happens, profanity AI doesn’t like the English 1 for i in sh.t
    4.8kWp 12x400W Longhi 9.6 kWh battery Giv-hy 5.0 Inverter, WSW facing Essex . Aint no sunshine ☀️ Octopus gas fixed dec 24 @ 5.74 tracker again+ Octopus Intelligent Flux leccy
  • RG2015
    RG2015 Posts: 6,055 Forumite
    Ninth Anniversary 1,000 Posts Name Dropper Photogenic
    km1500 said:
    "Lower case, upper case, numbers"

    That does not help.

    Were the letters a word or words, or random?

    i.e. was it something like Bicycle9 or something like eRgv8wlf?

    both of which are 8 characters containing lower case, upper case, numbers
    Surely two techie websites purporting to measure the strength of a password should not give such dramatically different results for the same password.

    1. Weak - Can be cracked in 3 hours

    2. Very Strong - Time to crack your password: 7 years
    Review: Fantastic, using that password makes you as secure as Fort Knox.

    I do not wish to divulge the password for personal reasons but I have chosen a similar one which actually gives 12 years on password monster.

    GSP300kw
  • km1500
    km1500 Posts: 2,790 Forumite
    1,000 Posts Second Anniversary Name Dropper
    Yes, that is not bad as there are no 'words' as such. My only comment is that 300kw is a valid expression and as such would be better replaced by 3w0k0 for example.
  • RG2015
    RG2015 Posts: 6,055 Forumite
    Ninth Anniversary 1,000 Posts Name Dropper Photogenic
    edited 27 February 2023 at 5:26PM
    km1500 said:
    Yes, that is not bad as there are no 'words' as such. My only comment is that 300kw is a valid expression and as such would be better replaced by 3w0k0 for example.
    You have still not acknowledged or commented upon the massive discrepancy between the two websites.

    Surely this should stand as a warning to anyone using a password strength checker.


    PS: For what it's worth, I have no intention of ever using a password described as weak on a password checking site. 
  • masonic
    masonic Posts: 27,284 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 27 February 2023 at 5:51PM
    RG2015 said:
    Surely two techie websites purporting to measure the strength of a password should not give such dramatically different results for the same password.
    It's not really that surprising. Password "strength" is a very subjective term, as it's entirely dependent on the way in which someone might go about cracking it. Something like 18atcskd2w might on the face of it not look too bad, but it happens to be on a list of the 25 most common passwords (based on 25 million leaked passwords in 2016). It's therefore likely to be tried in practice long before a traditional brute force (starting with all the 1 character passwords, then moving on to 2, 3, 4 etc in order) would see it tried. In this context, a password is strong if it doesn't appear in any of the top password lists (of which there are some as long as 1,000,000 entries), and is resistant to a traditional brute force.
    There is also a question of when the strength meter was calibrated. The typical computing power available to crack passwords has been on a sharp increase, in part due to similar computations being used for cryptocurrency mining. What was considered strong a decade ago might not be today.
    A third consideration is links to personal information. No password meter is going to help with that. The password Dragons' Den 2023 would be considered strong by most, as none of them would take into consideration that you'd plastered your Facebook page with content related to your appearance on the TV show this year.
    The first consideration when choosing a password is how strong it needs to be. Nobody is panicking because their debit card is only protected by a four digit numeric PIN. Whereas if you've uploaded all of your sensitive data to the cloud using an account protected only by this password, the risk is much higher (it would be unwise to actually do this). In scenarios where strength is important, it should be measured in terms of both uniqueness and complexity.
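
An added example, not part of any post above and not the code of either site: two toy strength models run over the passwords quoted in the thread, showing how a charset-and-length meter and a pattern-aware meter can disagree by orders of magnitude. The word list, the common-password list and the "Word + digits" rule are constructed assumptions; neither site's real method is shown on this page.

```python
import string

# Constructed sample data: tiny stand-ins for a leaked-password list and a dictionary.
COMMON = ["123456", "password", "qwerty", "18atcskd2w"]
WORDS = {"bicycle", "dragon", "monkey"}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def charset_size(pw):
    """Alphabet size a naive meter infers from the character classes present."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in pw))

def naive_guesses(pw):
    """Charset-and-length model: every string of this length over that alphabet."""
    return charset_size(pw) ** len(pw)

def pattern_guesses(pw):
    """Pattern-aware model: common-list rank, then Word+digits, else brute force."""
    if pw in COMMON:
        return COMMON.index(pw) + 1
    stem = pw.rstrip(string.digits)
    digits = len(pw) - len(stem)
    if stem.lower() in WORDS:
        # word choice x (lower / Capitalised / UPPER) x trailing digit combinations
        return len(WORDS) * 3 * 10 ** digits
    return naive_guesses(pw)

def implied_rate(pw, seconds):
    """Guesses per second a pure charset model must assume to report `seconds`."""
    return naive_guesses(pw) / seconds

if __name__ == "__main__":
    for pw in ("Bicycle9", "eRgv8wlf", "18atcskd2w"):
        print(f"{pw:12} naive={naive_guesses(pw):.2e} pattern={pattern_guesses(pw):.2e}")
    # Any 8-character lower/upper/digit string stands in for the undisclosed password.
    seven_years, three_hours = 7 * 365 * 24 * 3600, 3 * 3600
    print(f"7 years implies {implied_rate('eRgv8wlf', seven_years):.2e} guesses/s")
    print(f"3 hours implies {implied_rate('eRgv8wlf', three_hours):.2e} guesses/s")
```

The naive model scores Bicycle9 and eRgv8wlf identically, while the pattern model separates them. For a pure charset model to produce both "7 years" and "3 hours" for the same 8-character password, the assumed guess rates would have to differ by a factor of about 20,000.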