An idea to check password strength?

Discussion in 'other security issues & news' started by acr1965, Jul 16, 2013.

Thread Status:
Not open for further replies.
  1. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    Wondering if I could get some feedback on an idea I had about checking password strength. If passwords are stored on a server and kept by md5 hash, would it be recommended to check the md5 of your password then do a google search of that md5 to see if any results appear? I tried it and no results are present. Any thoughts about this?

    I used the following site for the md5 http://www.miraclesalad.com/webtools/md5.php

    What other methods are passwords stored on servers?
     
    Last edited: Jul 16, 2013
  2. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,052
    Location:
    USA
    Re: An idea to check password strength & md5 check?

    I don't like the thought of searching for such things on google as it becomes part of their search suggestions. There are plenty of offline password tools for generating secure passwords.
     
  3. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    Re: An idea to check password strength & md5 check?

    I agree with xxJackxx. I wouldn't Google my passwords or hashes that come from them.

    You could use something like KeePass's password generator function. Paste your passwords in and see how strong it rates your passwords in bits. You can only do one at a time but at least it's not on the web.

    (Or in the FWIW category... rather than testing them, just make them decent to start with. Make them at least 16 characters or longer (IMO, this is the most important thing), some upper case, some lower case, some special symbols and no dictionary based words. This should pass most tests pretty well.)
     
  4. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    I've tested with an 8 character fake password and the md5 showed no search results. That was about a month ago...just tried the same md5 and it still showed no google search results. I have google suggest on and am signed in to google when I search. Still no results for the md5 hash.
     
  5. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    545
    Location:
    USA
    I don't see how this would be useful. Do you think sites with password databases are going to let them get indexed by Google?

    Even if they did, how do you know if they're using an md5 hash? They could (should!) be salting them and if you don't know what data they used, you wouldn't be able to check.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    As SirDrexi said this won't be particularly helpful. It assumes an attacker has compromised your hashed password and then left it online somewhere, an dthat they use MD5 with no salt.
     
  7. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    708
Loading...
Thread Status:
Not open for further replies.