The worst part of this is that a lot of their advice for stronger passwords is idiotic and dangerous. They've taken methods that do increase entropy, but castrated them by making them systematic and predictable.
1. Using a multi-word passphrase is smart, but only if you generate it randomly. A novice reading their suggestion might think they can come up with a phrase that's meaningful to them. This is very bad advice and will lead to weak pass phrases, guaranteed.
2. The choice to delimit the words in your pass phrase with spaces/hyphens/title-case adds less than 2 bits of entropy to your password. If you do it the same way that everyone else does it (because Intel told you to), it adds zero bits. Randomly mixing in capitalization increases entropy. Predictably mixing in capitalization does not.
3. Adding numbers to your password is a red herring. The most likely effect that advice will have on a user is to encourage them to choose a pass phrase where a number fits in naturally, which will drastically reduce entropy since it constrains the types of phrases they might choose from.
And again, randomly throwing in numbers increases entropy. Predictably throwing them in does not.
4. Adding an exclamation, period, or question mark to the end of your pass phrase adds, again, less than 2 bits of entropy. Once again, random punctuation increases entropy, predictable punctuation does not.
And the icing on the cake is that their example "My 1st Password!" reinforces every possible bad interpretation a novice could make of their advice. Intel should really be ashamed of this piece of work.
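A worked version of the entropy arithmetic in the comment above, added here as an example (not code from the thread or from Intel's tool): the entropy of a passphrase follows from its generation procedure, and each decoration adds log2(number of options) bits only when it is chosen uniformly at random. The word list is a constructed stand-in for /usr/share/dict/words; the delimiter and punctuation sets are assumptions.

```python
import math
import secrets

# Constructed stand-in for /usr/share/dict/words: 16 words -> 4 bits per word.
# A real list has tens of thousands of entries, so each word is worth ~15 bits.
WORDS = ["correct", "horse", "battery", "staple", "orange", "pillow",
         "glacier", "tunnel", "velvet", "anchor", "meadow", "copper",
         "lantern", "whisper", "harbor", "ember"]
DELIMITERS = [" ", "-", ""]     # space / hyphen / run together (Title-Case style)
PUNCTUATION = ["!", ".", "?"]   # assumed set of trailing marks

def choice_bits(n_options):
    """Entropy of one uniform random choice among n_options (0 if no choice)."""
    return math.log2(n_options) if n_options > 1 else 0.0

def passphrase_entropy(num_words, wordlist_size, random_delim=False,
                       random_caps=False, random_digit=False, random_punct=False):
    """Bits implied by the generation procedure, not by how the result looks.
    A decoration applied the same way every time adds 0 bits; one chosen
    uniformly at random adds log2(#options) per independent choice."""
    bits = num_words * choice_bits(wordlist_size)
    bits += choice_bits(len(DELIMITERS)) if random_delim else 0   # ~1.58 bits
    bits += num_words * choice_bits(2) if random_caps else 0      # 1 bit per word
    bits += choice_bits(10) if random_digit else 0                # ~3.32 bits
    bits += choice_bits(len(PUNCTUATION)) if random_punct else 0  # ~1.58 bits
    return bits

def generate_passphrase(num_words, words=WORDS, random_delim=False,
                        random_caps=False, random_digit=False, random_punct=False):
    """Generate with the CSPRNG; every option that is on is decided at random."""
    picked = [secrets.choice(words) for _ in range(num_words)]
    if random_caps:
        picked = [w.capitalize() if secrets.randbelow(2) else w for w in picked]
    delim = secrets.choice(DELIMITERS) if random_delim else " "
    phrase = delim.join(picked)
    if random_digit:
        phrase += str(secrets.randbelow(10))
    if random_punct:
        phrase += secrets.choice(PUNCTUATION)
    return phrase

if __name__ == "__main__":
    n, size = 4, len(WORDS)
    print("predictable decorations: %.2f bits" % passphrase_entropy(n, size))
    print("random decorations:      %.2f bits"
          % passphrase_entropy(n, size, True, True, True, True))
    print(generate_passphrase(n, random_delim=True, random_caps=True,
                              random_digit=True, random_punct=True))
```

Note that "My 1st Password!" scores exactly the same as "my password" under this model once everyone applies the same capitalisation, digit and trailing mark.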
I can't find it now, but my favorite such site was one that just took your password and replied with, "This password is completely insecure, because you just gave it away to a random web site on the internet."
Yeah, I was wondering at the time why someone didn't set up a site like that for "checking passwords" but really uses it to build up a database of good guesses for offline cracking when you've nabbed the hashes.
What are you going to do with it? That's right: nothing.
This webpage does not send the password home (confirmed with Wireshark). Even if you are under a MitM attack, this site would be the LEAST of your worries. This article is mere sensationalism and should probably be renamed "Why HTTP can't be trusted." What's that you say? HTTP open to MitM? Never!
I liked the fact that it complained about HTTP more than the fact that it's encouraging people to type their password into a random online site just 'cause it's by a "legitimate entity", whatever that means.
(Recommendations not to use your real password notwithstanding)
Really? If I were MITMing a person who accesses this site, I would make sure to tamper with the page so that it does send the password to a server under my control.
While I agree with the sentiment in the Ars article, it seems to suggest that your password is submitted to a remote server. The check is completely client-side though.
That's not their point. An unsecured site can easily be spoofed; a secured one would require either getting Intel's SSL cert or convincing users to click through a big "don't trust this site" page in their browser.
The fact that they don't send the password just means that a MITM needs to put in slightly more work.
It's not possible to look at a password and determine how long it would take to crack it, without knowing how it was generated. All you can say is how long it would take _you_ to crack it. But just because a password looks hard to YOU, doesn't mean it's not a dictionary word in Bulgarian or something. There's no way for you to know.
It's also not possible to look at a password and determine how long it would take to crack, even knowing how it was generated (to the reasonable extent I believe you implied, i.e. Bulgarian or English). Your password may happen to be the first word in a dictionary list or it could be the last word.
It is an inherently inaccurate probabilistic estimation of an attacker's methods, and does not make any claim of being more than that.
It's always funny to see things from HN comments come back to HN in the form of articles a short while later. Is it just that the HN crowd are on the ball or are the journos reading HN comments?
I'd say at least most HN'ers are on the ball. I glanced over that original headline and thought, "gee, let's go test our password by giving it to someone we don't know, that sounds like a good idea" (sarcasm detector explodes).
I knew it couldn't be trusted, so I gave a spurious one (xkcd style), and it said that it'd take a majorly long time to guess. (But entropy per character was low, it was all lowercase!)
mistercow | 13 years ago
jamieb | 13 years ago
http://www.theonion.com/articles/onion-twitter-password-chan...
mikeash | 13 years ago
patmcguire | 13 years ago
jerf | 13 years ago
I always remember this site for their Falso prover suite: http://www.inutile.ens.fr/estatis/falso/
SilasX | 13 years ago
jcaden | 13 years ago
qu4z-2 | 13 years ago
kijin | 13 years ago
fady | 13 years ago
:\
wmkn | 13 years ago
http://www.intel.com/content/dam/www/public/us/en/apps/passw...
thedufer | 13 years ago
nnnnni | 13 years ago
qu4z-2 | 13 years ago
This site would be much better if it took the time to "crack" the password you submitted.
gwillen | 13 years ago
personalcompute | 13 years ago
_kst_ | 13 years ago
Both are randomly selected 12-letter dictionary words (from /usr/share/dict/words on Ubuntu, excluding words with uppercase letters or punctuation).
_b8r0 | 13 years ago
npsimons | 13 years ago
trebor | 13 years ago
pixelcort | 13 years ago
sethammons | 13 years ago
unknown | 13 years ago
[deleted]
katbyte | 13 years ago
timbre | 13 years ago
qu4z-2 | 13 years ago
JoeKM | 13 years ago
chenyeric | 13 years ago
krapp | 13 years ago
Come at me bros.