The Dangers of Online Password Checkers
Recently we helped a non-profit organisation with some IT security awareness training. One of their users’ Facebook accounts had recently been compromised by a suspected case of bruteforcing. This is usually an automated attack which occurs when hackers use dictionary-based software to try to “guess” the password securing the account.
But here is the interesting bit. The user already used an online password checker (howsecureismypassword.net) to test the robustness of their password. This online tool reassuringly informed them that their password “november2015” would take a whopping four years to hack.
A lot of password checking tools can be dangerous. They estimate strength on the assumption that hackers will have to try every combination of characters. But the fact is hackers are a lot more sophisticated than that. They use wordlists built from the common words and patterns that everyday humans actually use. Here at SecureClick, we recommend you use a password that is both long and random. A password such as “tenerife2016” is not secure because it’s not random enough. However, if I go to randomwordgenerator.com, I can generate three random words quickly. For this example, the words “easy”, “soap” and “platform” are generated. Concatenating these random words, I get a nice secure password of “easysoapplatform”. This would be memorable for most users whilst negating the need to write it down or store it electronically.
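To make the gap between the two attacker models concrete, here is an added example (not from the original post) that scores a password two ways: the naive “try every character combination” keyspace that simple checkers report, and the rank at which a wordlist attacker that tries common words with an optional year suffix would reach it. The wordlist, the year range and the guess ordering are constructed assumptions for illustration; the passphrase figure assumes the attacker knows the word generator’s dictionary and its size.

```python
import re
import string

# Constructed sample wordlist: month names plus a few words people commonly
# reuse. A real attacker wordlist is far larger; this is only for illustration.
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
WORDLIST = MONTHS + ["password", "tenerife", "summer", "football"]

# Assumed year suffixes the wordlist attacker appends to each word.
YEARS = range(1900, 2100)


def brute_force_guesses(password: str) -> int:
    """Keyspace a naive checker assumes: (size of character classes used) ** length.

    This is the model behind 'it would take N years' estimates."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)
    return charset ** len(password)


def wordlist_guesses(password: str, words=WORDLIST, years=YEARS):
    """Guess number at which a word(+year) attacker hits `password`.

    Assumed guess order: for each word in list order, try the bare word, then the
    word followed by each year in ascending order. Returns None when the password
    does not fit the word(+year) pattern, i.e. this attack would not find it."""
    m = re.fullmatch(r"([a-z]+)(\d{4})?", password.lower())
    if not m or m.group(1) not in words:
        return None
    word, year = m.group(1), m.group(2)
    per_word = 1 + len(years)               # bare word + one guess per year
    rank = words.index(word) * per_word + 1  # the bare-word guess
    if year:
        if int(year) not in years:
            return None
        rank += years.index(int(year)) + 1   # position of that year suffix
    return rank


def passphrase_guesses(n_words: int, dictionary_size: int) -> int:
    """Worst case for a random-word passphrase when the attacker knows the
    dictionary and the word count: every combination must be tried."""
    return dictionary_size ** n_words


def strength_report(password: str) -> dict:
    """Both estimates side by side, so the optimistic number can be compared
    with what a pattern-aware attacker actually needs."""
    return {
        "password": password,
        "brute_force_keyspace": brute_force_guesses(password),
        "wordlist_rank": wordlist_guesses(password),
    }


if __name__ == "__main__":
    for pw in ["november2015", "tenerife2016", "easysoapplatform"]:
        print(strength_report(pw))
    # Three random words from an assumed 7776-word dictionary (a common
    # diceware-style list size) still cost the attacker 7776**3 guesses.
    print("3 random words:", passphrase_guesses(3, 7776))
```

Run it and the contrast is stark: “november2015” sits at guess number 2127 for the wordlist attacker while the brute-force model credits it with 36^12 combinations, whereas “easysoapplatform” does not match the word+year pattern at all and falls back to the size of the word dictionary cubed. Real wordlists and rule sets are far richer than this toy, which only makes the optimistic checker number less meaningful, not more.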
So, the next time you hear a data security expert on Sky News recommending that people use a password checker to check the robustness of their passwords - remember that hackers are smarter than that. Password checkers can be a very crude tool and their results should be taken with a liberal pinch of salt.