Earlier today I tweeted:
Spoiler: Your password is a lot less secure than you think :: howsecureismypassword.net
Several followers wrote back, asking some variation of “why would you willingly type your password into a website for no reason?” Subtext: “You idiot.”
Two points:
1. No one says you have to type your real password. Try something with similar parameters. If your password is “dogDOGrep33t,” you could try “catCATrep33t.”
2. All of the testing is client-side, happening in your browser. Don’t believe me? Save the site as a web archive, turn off your internet, and launch the web archive. Still works.
Could nefarious people hack the site, injecting a script so that it records all the passwords typed into it? Theoretically, sure. Almost any site you visit could be hacked, including this one.
But what would hacking this site actually get someone? It’s not hard to find lists of actual passwords people use. Without being able to match passwords to user names, there’s not much benefit.
And anyway, refer back to #1. Stop panicking.
The site is a useful way to figure out what kinds of passwords are more (or less) secure. For example, did you know “fidelio” and “kubrick” are in the top 10,000 passwords, and would be cracked instantly?
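To make points #1 and #2 concrete, here is an added example (my illustration, not code from the site or anything the site publishes) of what a purely local checker does: it looks the candidate up in a common-password list, and otherwise estimates brute-force time from the character classes used and the length, under an assumed guess rate. The list below is a constructed stand-in for a real top-10,000 list, and the 10 billion guesses per second figure is an assumption for an offline attacker, not a number from the site. Nothing in it touches the network, and two passwords with the same classes and length (the dog/cat pair above) come out identical, which is why you never need to type the real one.

```javascript
// Constructed stand-in for a "top N passwords" list. A real checker would load
// a full list; the two names the post mentions are included to show the lookup.
const COMMON_PASSWORDS = new Set([
  "123456", "password", "qwerty", "letmein", "fidelio", "kubrick",
]);

// Assumed offline guess rate (guesses per second). An assumption for the
// illustration, not a figure taken from the site.
const GUESSES_PER_SECOND = 1e10;

// Size of the alphabet an attacker must search, from the classes actually used.
function charsetSize(pw) {
  let size = 0;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) size += 33; // printable ASCII punctuation
  return size;
}

// Turn a seconds figure into the kind of phrase the site shows.
function humanize(seconds) {
  const units = [
    ["years", 31557600], ["days", 86400], ["hours", 3600],
    ["minutes", 60], ["seconds", 1],
  ];
  for (const [name, span] of units) {
    if (seconds >= span) return `${(seconds / span).toFixed(1)} ${name}`;
  }
  return "less than a second";
}

// Estimate how long exhaustive search of the full space would take.
// A listed password is reported as cracked instantly, regardless of length.
function estimate(pw) {
  const charset = charsetSize(pw);
  if (COMMON_PASSWORDS.has(pw.toLowerCase())) {
    return { charset, length: pw.length, seconds: 0, verdict: "instantly (common password)" };
  }
  const space = Math.pow(charset, pw.length);
  const seconds = space / GUESSES_PER_SECOND;
  return { charset, length: pw.length, seconds, verdict: humanize(seconds) };
}

// True when two candidates have the same parameters, so one can stand in for the other.
function sameParameters(a, b) {
  const ea = estimate(a);
  const eb = estimate(b);
  return ea.charset === eb.charset && ea.length === eb.length;
}

// Runs entirely in this process; no request is made anywhere.
for (const pw of ["fidelio", "dogDOGrep33t", "catCATrep33t"]) {
  const e = estimate(pw);
  console.log(`${pw}: charset ${e.charset}, length ${e.length}, cracked in ${e.verdict}`);
}
```

The brute-force figure is an upper bound on what a naive attacker needs; real cracking tools try dictionary words, common patterns and leaked lists first, which is exactly why a listed word like “fidelio” is reported as instant even though its raw search space is not small.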
This site doesn’t make 1Password or two-step verification or any of the other technologies designed to keep data safer any less useful. But trying out various options encouraged me to use a better login password for my MacBook Air, which actually needs to be a plain old string of characters.