Coming Underground

Good and bad password practices

Permalink 2010-01-29 14:51, by jaervosz, Categories: General, Universe/English, Opensource

I just stumbled across an article in the Danish newspaper Politiken which gives some recommendations on how to create strong passwords, which is all fine. However, it also recommends that you test your password with passwordmeter.com (I actually expected something like this before clicking on the article).

At least one good password practice is to not disclose your password to third parties, and especially not to a site like passwordmeter.com which you know nothing about (wouldn't it just be a genius way to collect passwords and origin IP addresses?).

So first thing is to make a whois lookup on the domain:

Registrant:
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States

I didn't know who Domains by Proxy, Inc. are, but the name alone certainly rings some bells. It's definitely not a site I want to use to test passwords!

Reports on the web range from describing it as a normal service to a hideout for spammers. Why on earth would any legitimate business want to hide its identity, especially if it wants users to type in all of their passwords?

Update: As some of the comments pointed out, it actually does everything client side (at least with Konqueror and Firefox); however, for the average user it's still bad practice to type their password into any third-party site.

5 comments

Comment from: Francesco R. [Visitor]
Thanks, this made me laugh
2010-01-29 @ 15:19
Comment from: Brian Harring [Visitor]
Domains By Proxy are either a partner or a subsidiary of godaddy- primarily useful if you don't feel like publishing contact info through whois.

Using a proxy for privacy of the owner isn't that uncommon- case in point, pkgcore.org I own but I sure as hell don't feel like publishing my address/phone #, thus usage of domainbyproxy.

As for the site... yeah, that seems like the perfect way to build up and maintain a dictionary for brute force attacks.
2010-01-29 @ 17:21
Comment from: tuX [Visitor]
The page states it's GPL, just download the zip file, extract it on your PC, and use it from here.
(maybe unplugging the network if you want).

You can change pwd_meter_min.js into pwd_meter.js to use the clean javascript file and not the one compressed for size, because it's easier to read.

In the end, you could code the algorithm yourself too, since it's really simple.
2010-01-29 @ 17:44
Comment from: Ramin [Visitor]
I'm not sure if the password is actually transmitted but the algorithm is crap.
For example the password:
Ab1.!c
gives a score of 64% and a "Strong" complexity while the password:
AAbb11..!!cc
achieves a score of 0% and a "very weak" complexity.

So either the algorithm is useless or I am missing something. Which password do you consider more complex?
2010-01-29 @ 18:01
Comment from: Ramin [Visitor]
Even if you use it, it seems crappy.

For example the password:
Ab1.!c
has a score of 64% and a "Strong" complexity while the password:
AAbb11..!!cc
achieves a score of 0% and a "very weak" complexity.

So either the algorithm is useless or I am missing something. Which password do you consider more complex?
2010-01-29 @ 18:04
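The two passwords Ramin quotes, scored under two simple attacker models instead of a heuristic meter. This is an added example, not passwordmeter.com's code or the blog's; the character pools and the "each run tried at length 1 to 3" attacker strategy are assumptions made for illustration:

```python
import math
import string

# Character classes and pool sizes assumed for an attacker who knows which
# classes a password uses (a generous but common brute-force model).
POOLS = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 symbols
)
MAX_RUN = 3  # assumed: the pattern attacker tries each run at length 1..3

def pool_size(pw: str) -> int:
    """Sum of the sizes of every character class present in pw."""
    return sum(size for chars, size in POOLS if any(c in chars for c in pw))

def brute_force_bits(pw: str) -> float:
    """Plain keyspace: log2(pool ** len(pw)); length dominates."""
    return len(pw) * math.log2(pool_size(pw))

def collapse_runs(pw: str) -> str:
    """Merge consecutive repeated characters: 'AAbb11..!!cc' -> 'Ab1.!c'."""
    out = []
    for c in pw:
        if not out or out[-1] != c:
            out.append(c)
    return "".join(out)

def repeat_aware_bits(pw: str) -> float:
    """Keyspace for an attacker who guesses a short run sequence and then a
    run length (1..MAX_RUN) for every position, which is exactly how
    'AAbb11..!!cc' is built from 'Ab1.!c'."""
    runs = collapse_runs(pw)
    return len(runs) * (math.log2(pool_size(pw)) + math.log2(MAX_RUN))

def guess_bits(pw: str) -> float:
    """Effective strength is the cheapest strategy available to the attacker."""
    return min(brute_force_bits(pw), repeat_aware_bits(pw))

if __name__ == "__main__":
    for pw in ("Ab1.!c", "AAbb11..!!cc"):
        print(f"{pw:13} brute={brute_force_bits(pw):5.1f}  "
              f"repeat-aware={repeat_aware_bits(pw):5.1f}  "
              f"effective={guess_bits(pw):5.1f} bits")
```

Under either model the longer password is at least as strong as the short one, so a meter that rates it 0% is reporting its own heuristics rather than attacker effort.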

©2010 by admin