AW: Passphrasecheckwebsites

Adrian 'Dagurashibanipal' von Bidder
Fri May 31 10:56:02 2002

On Fri, 2002-05-31 at 09:40, Mortimer Graf zu Eulenburg wrote:
> ->I really don't trust this site. I don't say the makers of the website
> ->have bad intentions, but I haven't tried the site out with any
> ->passwords that I actually use.
> ->What if they log your IP address and the password/passphrases you give
> ->them? Maybe I'm just paranoid, but I really don't trust them.

> The site is run by the governmental "deputy" for communication safety in
> Switzerland. I don't have any problems in trusting the site but I have to
> admit being f.i. the prime admin of yahoo I wouldn't go and try my admin
> passwords there too. If all you wanna cover is some private .doc's or
> .jpeg's it's all ok for me. Brilliant for any discussion with your CEO that
> his password is the prime threat for the company's IT-security.

The site is run by a Swiss school, and apparently sponsored by the
'deputy for communication safety' (to use your word) of the canton of
Zurich, not the one of Switzerland. (why the canton Zurich chose the
domain may tell you something about the arrogance of the
zurichois (huhu, any of these around? ;-), but I digress.

But generally I'd agree with you that they probably do not log the
submitted passwords. The reason I do not trust the site is the absolute
lack of information presented. Generalisations like 'unix systems use
only the first 8 chars of a password', or the fact that they do not
publish the dictionary used, or the search algorithm assumed do not lead
me to trust in their classification of the passwords submitted.

I think to get a feel for the strength of a password, running crack
against one's own pwd db is more impressive: you get your password
actually cracked, not only something like 'would probably be cracked

-- vbi

secure email with gpg   key id 0x92082481
                           key id 0x5E4B731F

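The objection above about an unpublished dictionary and search algorithm, as an added example that is not part of the original message: the same password gets a very different strength rating depending on the attack model and on whether only the first 8 characters count. The word list, the mangling rules and all function names are constructed assumptions.

```python
import math
import string

# Constructed sample data: the word list and mangling rules are assumptions.
WORDLIST = ["password", "zurich", "dragon", "letmein", "sunshine"]
SUFFIXES = [""] + [str(d) for d in range(10)] + ["!", "123"]
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]


def brute_force_guesses(pw, truncate=None):
    """Worst-case guesses for exhaustive search over the character classes in pw."""
    pw = pw[:truncate] if truncate else pw
    alphabet = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    return max(alphabet, 1) ** len(pw)  # max() keeps unknown characters from giving 0


def dictionary_guesses(pw, truncate=None):
    """1-based position of pw in word x capitalisation x suffix order, else None."""
    target = pw[:truncate] if truncate else pw
    n = 0
    for word in WORDLIST:
        for variant in (word, word.capitalize()):
            for suffix in SUFFIXES:
                n += 1
                candidate = variant + suffix
                if truncate:  # a truncating system compares only the prefix
                    candidate = candidate[:truncate]
                if candidate == target:
                    return n
    return None


def classify(pw, truncate=None):
    """Use the dictionary position if the password is reachable, else brute force."""
    d = dictionary_guesses(pw, truncate)
    guesses = d if d is not None else brute_force_guesses(pw, truncate)
    return {"model": "dictionary" if d is not None else "brute-force",
            "guesses": guesses, "bits": round(math.log2(guesses), 1)}


if __name__ == "__main__":
    for pw, cut in [("Zurich7", None), ("passwordXq9#", None), ("passwordXq9#", 8)]:
        print(pw, cut, classify(pw, cut), "brute force:", brute_force_guesses(pw, cut))
```

A checker that assumes only brute force would rate "Zurich7" by its 62-symbol alphabet, while the dictionary model reaches it within the first few dozen guesses, so a rating means little without knowing which model produced it.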