How the “Get Safe Online” password checker fails users—badly

An educational website that bills itself as the UK's top source for "unbiased, factual and easy-to-understand information on online safety" isn't living up to its promise. Not only is the Get Safe Online password strength meter completely unreliable, it also transmits each user-supplied candidate in the page URL, where it ends up in browser history, server and proxy logs, and Referer headers, exposed to hackers and shoulder surfers alike.
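The URL leak described above is easy to confirm from the server side: a checker that submits by GET writes every candidate into the access log, and the browser then repeats the full URL in the Referer of whatever it loads next. The script below is an added example, not code from Get Safe Online or Ars Technica; it scans constructed combined-format log lines for sensitive-looking query parameters in both the request line and the Referer. The checker path, parameter names and client addresses are assumptions made for illustration.

```python
"""Find password candidates that a GET-based checker leaks into web logs.

Added example, not code from Get Safe Online or Ars Technica. The log lines
below are constructed: the checker path, the parameter names and the client
addresses are all assumptions made for illustration.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed combined-format (Apache/nginx style) access log. The first
# client submits the checker form by GET, and the browser then repeats the
# full URL, password included, in the Referer of the next asset request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2015:09:12:01 +0100] "GET /password-checker/?password=Julia1984 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2015:09:12:02 +0100] "GET /assets/app.js HTTP/1.1" 200 8801 "https://www.example.org/password-checker/?password=Julia1984" "Mozilla/5.0"
198.51.100.3 - - [10/Jun/2015:09:13:44 +0100] "GET /password-checker/?pwd=correct%20horse HTTP/1.1" 200 5120 "-" "curl/7.43.0"
198.51.100.3 - - [10/Jun/2015:09:14:02 +0100] "POST /password-checker/ HTTP/1.1" 200 5120 "-" "curl/7.43.0"
"""

# One combined-format line: client, timestamp, request line, status, size,
# Referer and User-Agent.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Query parameter names that usually carry a secret (assumption; extend to taste).
SENSITIVE_PARAM = re.compile(r"pass(word|wd|phrase)?|pwd|secret|token", re.IGNORECASE)


def sensitive_params(url):
    """Yield (name, value) for every sensitive-looking parameter in url's query string."""
    query = urlsplit(url).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if SENSITIVE_PARAM.search(name):
            yield name, value


def leaked_secrets(log_text):
    """Return (client, where, param, value) for every secret found in the log.

    'where' is "query" when the secret sits in the request line itself and
    "referer" when the browser carried it along to another page or asset.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for name, value in sensitive_params(m.group("target")):
            hits.append((m.group("client"), "query", name, value))
        for name, value in sensitive_params(m.group("referer")):
            hits.append((m.group("client"), "referer", name, value))
    return hits


if __name__ == "__main__":
    for client, where, name, value in leaked_secrets(SAMPLE_LOG):
        print(f"{client}: {name}={value!r} exposed via {where}")
```

Note that the POST request in the sample produces no hit: moving the form to POST keeps the candidate out of the URL, the log and the Referer, which is the minimum a checker that handles passwords should do.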

The sole exhibit needed to make this case is the screenshot above, which shows how the Get Safe Online password checker graded the choice "Julia1984." As Ars chronicled two years ago, a password like this typically falls within the first minute or so of a standard offline cracking session, because it pairs an extremely common first name with four trailing digits, a combination users pick in a futile attempt to add randomness and one that cracking rules therefore try early. Even worse, the digits form the year many people were born, making them likelier to be chosen than other four-digit strings. All of that puts "Julia1984" among the worst passwords a user can choose. Despite this, Get Safe Online rates it "exceptional" and even goes on to say: "Flex those pecs, you're a Password Strongman (or woman)!" The password checker became unavailable sometime after the screenshot was captured on Wednesday morning.
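The reasoning above, as an added example that is not Get Safe Online's or Ars Technica's code: an estimator that models the name-plus-digits attack a cracker actually runs, with a birth year as the special case, and compares it against a brute-force baseline. It generalises beyond "Julia1984" to any common name followed by a run of digits. The name list, the year range and the one-billion-guesses-per-second rate are constructed assumptions; real cracking wordlists hold tens of thousands of names, so real guess counts are larger but still trivially small.

```python
"""Estimate how quickly a pattern-aware cracker reaches a password.

Added example, not Get Safe Online's or Ars Technica's code. It models the
attack described in the article (common name, then digits, with a birth year
as the special case) against a brute-force baseline. The name list, year
range and guess rate are constructed assumptions.
"""
import re

# Constructed, deliberately tiny list of common first names, most common
# first. Position in the list is the order a cracker would try them.
COMMON_NAMES = ["james", "mary", "john", "julia", "david", "sarah", "michael"]

# Birth years appended to a name, tried in ascending order (assumption).
YEARS = list(range(1900, 2031))

# Assumed offline rate: about one GPU against a fast, unsalted hash.
GUESSES_PER_SECOND = 1e9

WORD_THEN_DIGITS = re.compile(r"^([A-Za-z]+)(\d+)$")


def charset_size(password):
    """Size of the smallest union of standard character classes covering the password."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation and space
    return size


def guess_estimates(password):
    """Return {attack name: guesses} for every attack that reaches the password.

    For the pattern attacks the number is the password's position in the
    attacker's candidate stream; for brute force it is the size of the space.
    """
    estimates = {"brute force": charset_size(password) ** len(password)}
    m = WORD_THEN_DIGITS.match(password)
    if m and m.group(1).lower() in COMMON_NAMES:
        rank = COMMON_NAMES.index(m.group(1).lower())  # 0-based
        digits = m.group(2)
        if len(digits) == 4 and int(digits) in YEARS:
            # Each name is paired with every year before moving to the next name.
            estimates["name + birth year"] = rank * len(YEARS) + YEARS.index(int(digits)) + 1
        # Each name is paired with every n-digit suffix, 0000..9999 when n == 4.
        estimates[f"name + {len(digits)} digits"] = rank * 10 ** len(digits) + int(digits) + 1
    return estimates


def crack_time_seconds(password):
    """Seconds until the fastest applicable attack reaches the password."""
    return min(guess_estimates(password).values()) / GUESSES_PER_SECOND


def grade(password):
    """The label an honest meter would show, based on the fastest attack."""
    seconds = crack_time_seconds(password)
    if seconds < 60:
        return "terrible"
    if seconds < 24 * 3600:
        return "weak"
    if seconds < 365 * 24 * 3600:
        return "fair"
    return "strong"


if __name__ == "__main__":
    for pw in ["Julia1984", "david99", "bob1984", "x7#Lq9!pZ2"]:
        print(pw, guess_estimates(pw), grade(pw))
```

With the tiny list above, "Julia1984" is the 478th candidate in the name-plus-year stream and is graded "terrible", while the brute-force figure alone (62^9) would have made it look respectable. The "bob1984" case shows the estimator's blind spot: a name missing from the list falls back to brute force and is over-graded, which is exactly why a meter is only as good as the attack patterns it models.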

In fairness, Get Safe Online isn't the only site that struggles to provide useful guidance about how susceptible a given password is to real-world cracking techniques. As Ars has reported in the past, comparable services from Intel and eBay have had the same kinds of flaws. People who want to evaluate the strength of a password should rely on the advice provided by a reputable password manager such as 1Password or LastPass. In addition to being unreliable, online password checkers may also harvest the passwords typed into them behind the scenes, making them unsuitable unless users have the skills needed to closely scrutinize the way the service works.
