First published: 26th October 2020
Allan Dyer
Receiving an email referring to an old article is pleasing, if it shows that people are still reading them and finding them useful. However, it is less pleasing when the email appears to be auto-generated based on topic keywords, and it seeks to promote a dubious webpage. It becomes almost comical when the article referred to is about bad advice.
The email said:
I was using the password tool and tips you mentioned on your page here: http://articles.yuikee.com.hk/newsletter/2017/06/b.html
While it does the job overall, I found another tool to be a better alternative. I thought other users might also appreciate it if you update your page.
It is clear and free: https://www.safetydetectives.com/password-meter/
It creates passwords from words, that should be easier to remember, which is why I use it. For example, the word "benediction" will be b=nedicT10n - super easy to remember (you need at least one password to remember as a master password, no?)
Would you consider adding this tool to your page?
Why do I consider this email misleading?
- My article was a warning, it is rather a stretch to describe it as a password tool and mentioning tips, so did the email author read the article?
- It does not clearly lay out the advantages of the alternative to whatever the author thought I was advising.
- It advises using the scheme of replacing letters in dictionary words with numbers or symbols, which is widely anticipated in password cracking tools and criticised in XKCD's "correct horse battery staple" scheme.
What about the recommended page, is it useful? It offers a password-strength checker and "secure" password generator. There is a critical difference in the password-strength check to the "Search Space" calculator offered by Gibson Research and referred to in my previous article. The "Search Strength" calculator does its calculations locally, sending no data to the server. The password strength checker at sends the entered password to https://www.safetydetectives.com/password-meter/ for checking and "improvement". This breaks possibly the most important rule of using passwords: Tell No-One Your Password.
Does it actually weed out bad passwords? Unfortunately, no. It gave a perfect score, 100/100, to the password "P@ssword1000" which I would criticise as being based on a dictionary word (possibly the most obvious and most used dictionary word for a password), using a predictable symbol for letter substitution and appending a simple number. Current password crackers would have little trouble cracking this "very strong" password.
At best, this password-strength checker is merely a bad implementation of a bad idea. At worst, it is a deliberate attempt to harvest passwords and passphrases of unwary users, and recommend passwords that the site owner knows.
