Wednesday, September 14, 2011

A note of caution: Password Checking Sites.

  Recently, several people have sent me links to check the strength of my password like this: https://www.grc.com/haystack.htm. There is a saying today that if you are not paying for a product, you are the product. Since I haven't seen any independent organization that has audited the code of these sites to prove that they are not also collecting passwords, we must trust that they do not keep copies the entered passwords or their hashes. Either these sites all have a large amount of altruism, or they are creating the most precise rainbow tables [1] available on the market.  There's nothing like doing statistical analysis on a general rainbow table with real passwords to hone its accuracy. Placing blind trust in a 3rd party with one's passwords is never a good idea. I don't think any bank representative would recommend typing one's account password into an un-audited website to check its strength.
  If you run one of these sites and have had such an audit, please let send me a link to the audit and a link to the organization that did the audit. I will include them here.


[1] Rainbow tables are conveniently structured databases of known password information used for efficiently cracking passwords. http://en.wikipedia.org/wiki/Rainbow_table


keywords: hacking, cracking, passwords, security