[LINK] Would you trust a password tester??

Roger Clarke Roger.Clarke at xamax.com.au
Tue Jul 26 13:02:54 AEST 2011


I'm refining the password notes I sent the other day, reflecting the 
comments made by linkers and others as I go.  (Thanks for that!).

I'm stalled on the 'how to test your password's strength' section.

Like freebie virus-protection tools, freebie 'test your passwords 
here' services are a wonderful opportunity for self-service phishing.

(We need a fish-related metaphor for volunteering your password, or 
trapping yourself - maybe swimming straight into the shark's mouth 
and saving him the effort of chasing you?  Mmmm, a bit long-winded 
...).

My draft currently says:

"Do not use a web-site that offers to check the strength of your 
password unless you are confident that it is reliable.  For example, 
sites like passwordmeter.com, testyourpassword.com and 
howsecureismypassword.net may be genuinely helpful, but on the other 
hand they might be trying to capture your passwords".

But how does one say something positive??

Option 1:
"You may prefer to rely on a 'brandname' web-site".

I looked at eff.org, epic.org, privacyrights.org and privacy.org, and 
none seems to offer any, nor endorse any.  The best I've come up with 
is:
http://net.educause.edu/ir/library/html/edu0396/PWtest.asp
https://www.microsoft.com/security/pc-security/password-checker.aspx

Option 2:
"You should rely on your service-provider to provide a test when you 
create a new password".

The logic of that is that you're exposed to second-party fraud in any 
case, so if you're going to be gypped it might as well be by them ...

Option 3:
"You should look for one that runs entirely within your browser 
rather than one that sends your password somewhere else".

But (a) it's not easy to be sure that there's no leakage back to 
base, (b) it's hard to explain, because at the very least the 
'javascript' word rears its ugly head, and (c) it's hard for most 
punters to grasp.


As ever, the Link Institute's thoughts would be valued!


-- 
Roger Clarke                                 http://www.rogerclarke.com/

Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University
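The "runs entirely within your browser" option in the post above is the one a defender can actually verify: if the strength estimate is a pure function of the string, with no network call anywhere in the script, the password never leaves the machine. The following is an added example written for this page, not code from the post or from any of the sites it names. It assumes the browser page would wire `assessPassword` to an input field's `oninput` handler; the common-password list is a small constructed sample, and the entropy bands are this example's own thresholds, not an agreed standard.

```javascript
// Added example: client-side password strength estimate with no network I/O.
// Everything below is a pure function of the candidate string, so the
// password is never transmitted. In a browser this would be called from an
// input field's oninput handler; in Node it runs unchanged for testing.

// Constructed sample of a common-password denylist (real lists are far larger).
const COMMON_PASSWORDS = new Set([
  "password", "123456", "qwerty", "letmein", "welcome", "abc123",
]);

// Size of the smallest character class set that covers every character used.
function charsetSize(pw) {
  let size = 0;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) size += 33; // printable ASCII symbols and space
  return size;
}

// Naive entropy estimate: length * log2(alphabet size). This over-estimates
// for dictionary words, which is why the denylist check comes first.
function estimateEntropyBits(pw) {
  if (pw.length === 0) return 0;
  return pw.length * Math.log2(charsetSize(pw));
}

// Example's own bands (assumed thresholds, not a standard).
function verdictFor(bits) {
  if (bits < 28) return "weak";
  if (bits < 50) return "fair";
  if (bits < 80) return "good";
  return "strong";
}

// Assess a password locally. Returns a plain object so the caller can render
// it however it likes; nothing here touches fetch, XMLHttpRequest or the DOM.
function assessPassword(pw) {
  const result = { length: pw.length, entropyBits: 0, verdict: "weak", reasons: [] };

  if (pw.length === 0) {
    result.reasons.push("empty password");
    return result;
  }
  if (COMMON_PASSWORDS.has(pw.toLowerCase())) {
    result.reasons.push("appears in common-password list");
    return result;
  }
  if (/^(.)\1+$/.test(pw)) {
    result.reasons.push("single repeated character");
    return result;
  }

  result.entropyBits = Math.round(estimateEntropyBits(pw) * 10) / 10;
  result.verdict = verdictFor(result.entropyBits);
  if (pw.length < 12) result.reasons.push("shorter than 12 characters");
  return result;
}

// One-line summary suitable for showing next to the input field.
function describePassword(pw) {
  const r = assessPassword(pw);
  const why = r.reasons.length ? ` (${r.reasons.join("; ")})` : "";
  return `${r.verdict}: ~${r.entropyBits} bits${why}`;
}

// Stand-alone demonstration on constructed inputs.
if (typeof require !== "undefined" && require.main === module) {
  for (const pw of ["password", "aaaaaaaa", "Tr0ub4dor&3", "correct horse battery staple"]) {
    console.log(JSON.stringify(pw), "->", describePassword(pw));
  }
}
```

The design point for a reader who wants to check such a tool is that the whole assessment is a pure function: read the script for any `fetch`, `XMLHttpRequest`, form submission or image/beacon request, and watch the browser's network panel while typing. If neither shows traffic, the password stayed local, which is exactly the property the post's Option 3 asks for but finds hard to explain.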


