Your Peace of Mind is our Commitment

Contact Us English Recent Articles

More Advice to Beware Of

First published: 26th October 2020

Allan Dyer

Receiving an email referring to an old article is pleasing, if it shows that people are still reading them and finding them useful. However, it is less pleasing when the email appears to be auto-generated based on topic keywords, and it seeks to promote a dubious webpage. It becomes almost comical when the article referred to is about bad advice.

The email said:

I was using the password tool and tips you mentioned on your page here:

While it does the job overall, I found another tool to be a better alternative. I thought other users might also appreciate it if you update your page.

It is clear and free:

It creates passwords from words, that should be easier to remember, which is why I use it. For example, the word "benediction" will be b=nedicT10n - super easy to remember (you need at least one password to remember as a master password, no?)

Would you consider adding this tool to your page?

Why do I consider this email misleading?

What about the recommended page, is it useful? It offers a password-strength checker and "secure" password generator. There is a critical difference in the password-strength check to the "Search Space" calculator offered by Gibson Research and referred to in my previous article. The "Search Strength" calculator does its calculations locally, sending no data to the server. The password strength checker at sends the entered password to for checking and "improvement". This breaks possibly the most important rule of using passwords: Tell No-One Your Password.

Does it actually weed out bad passwords? Unfortunately, no. It gave a perfect score, 100/100, to the password "P@ssword1000" which I would criticise as being based on a dictionary word (possibly the most obvious and most used dictionary word for a password), using a predictable symbol for letter substitution and appending a simple number. Current password crackers would have little trouble cracking this "very strong" password.

At best, this password-strength checker is merely a bad implementation of a bad idea. At worst, it is a deliberate attempt to harvest passwords and passphrases of unwary users, and recommend passwords that the site owner knows.



More Information