Kashif Ali

Why Intel’s “How Strong is Your Password?” site can’t be trusted

May 8, 2013 arstechnica.com
Intel

A new website published by chipmaker Intel asks readers "How Strong is Your Password?" and provides a form for estimating the strength of specific passcodes. It's too bad the question isn't "How Strong is your Password-grading site," because the answer, unfortunately, is "not very."

The most glaring problem with the site is its failure to use standard HTTPS Web encryption. Based on the secure sockets layer and transport layer security protocols, HTTPS ensures that a Website being accessed is authentic and operated by a legitimate entity, as opposed to a knock-off page created by someone who is able to control the end user's Internet connection. It also encrypts traffic sent between the end user and site to prevent anyone else from eavesdropping. It wouldn't take much effort for someone to create a convincing replica of the McAfee-powered site and substitute it for the real one on a network in a coffee shop, at a conference, or in another setting. At that point anything a visitor typed could be sent to the attacker. Authoritarian regimes have also been known to inject code into legitimate sites to log account credentials.

To be sure, there are caveats. The site instructs users: "PLEASE DO NOT ENTER YOUR REAL PASSWORD," but I'd bet some percentage of users will ignore this request. Even then, the attack wouldn't reveal the user name corresponding to the password, or even the service or site they belong to. Still, the attack could be used in campaigns aimed at a specific individual or group to gain important insights about the passwords the targets use. More importantly, I'd expect a site with a goal of educating the masses about password security would tell users they should never enter a password on a plain HTTP connection. And I certainly expect Intel and its McAfee subsidiary to offer HTTPS on their own sites. The lack of encryption and authentication is surprising. I'd strongly discourage readers from entering any passwords they trust or use to secure important accounts.
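The condition criticized above can be checked mechanically: a password field on a page loaded over plain HTTP, or a form that submits one to a non-HTTPS target. The following is an added example, not code from the article or from Intel/McAfee; the class and function names, the sample markup, and the `example.test` host are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class PasswordFormAuditor(HTMLParser):
    """Flag password fields that are served or submitted without HTTPS."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []
        self._action, self._has_password = None, False  # state of the open <form>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # An empty or missing action submits to the page's own URL.
            self._action = urljoin(self.page_url, attrs.get("action") or "")
            self._has_password = False
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            if self._action is None:
                self._report(None)  # field outside any form: only the page is judged
            else:
                self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            if self._has_password:
                self._report(self._action)
            self._action = None

    def _report(self, target):
        reasons = []
        if urlsplit(self.page_url).scheme != "https":
            reasons.append("page loaded without HTTPS")
        if target and urlsplit(target).scheme != "https":
            reasons.append("form target is not HTTPS")
        if reasons:
            self.findings.append((target or self.page_url, reasons))

def audit(page_url, html):
    """Return a list of (url, reasons) for each exposed password field or form."""
    parser = PasswordFormAuditor(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample pages (example.test is a placeholder host).
HTTP_PAGE = '<form action="/check"><input type="password" name="pw"></form>'
MIXED_PAGE = '<form action="http://example.test/check"><input type=PASSWORD></form>'

if __name__ == "__main__":
    print(audit("http://example.test/strength", HTTP_PAGE))
    print(audit("https://example.test/strength", MIXED_PAGE))
```

An empty result means only that the markup as fetched keeps the password field on HTTPS; it says nothing about scripts on the page or about the certificate the server presents.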
