
Get Safe Online's password strength test exposed plain text passwords

F4c3p4lm
Thu Jun 05 2014, 08:15

A PASSWORD STRENGTH TESTER provided by the government is testing our patience by acting, as it does, like a great big hole in the seat of your security trousers.

The Get Safe Online website is apparently the place to go for up-to-date, accurate information about UK security threats and issues. There we read that we have only two weeks before a Zeus malware botnet apocalypse lays a smackdown on computers, and we reluctantly turned there for password advice when eBay let us down.

It looks like our trust is misplaced, however, as Hacker News has spotted that the website is about as security savvy as keeping large sums of money in wet paper bags on obvious display.

The password testing form could be a joke, but it isn’t. We found it by searching for “password tester” on the Get Safe Online website and landed right on it.

It says, "Take a few seconds to test the type of password you’re using, on our Password Strength Tester. (Never enter your real password into a password checker, as unlike this one, some may be fake). Why not get your family, friends and workmates to test their passwords too?"

We weren't quite sure how we were supposed to know whether this was one of those fake password checkers the site warns of, but perhaps we're just of a suspicious nature and so we persevered anyway.

It appears to be asking people to assess their passwords so that is what we thought we would do. We did it with a fake password, because we thought that that would make the most sense. We used "password", and the result caused palm to meet face.

The form submits what you type as a GET request, so the URL "http://www.getsafeonline.org/themes/passwrdcheck/index.html" was replaced with "http://www.getsafeonline.org/themes/passwrdcheck/results.html?password=password", the password sitting in plain text in the query string. This we considered to be no good at all.

Get Safe Online says that passwords are very important, and we agree. We would also say that it is bad form to put a password in a URL, whether it is real or not. A query string is not a private place: it is written to the browser's history, to the logs of any proxy and web server it passes through, and it is passed on in the Referer header to any site linked from the results page.
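As an added example (not code from Get Safe Online or from the INQUIRER), the snippet below emulates what a browser does with a GET form, so the password can be seen landing in the URL exactly as reported above, then scans a few constructed access-log lines for the same leak and redacts it, and finally shows the shape a checker should take, with the estimate computed in the page and nothing submitted. The log lines, IP addresses, timestamps and the helper names are assumptions for illustration; the only thing taken from the page is the results.html?password=password URL.

```javascript
// Added example: not code from Get Safe Online or the INQUIRER. Emulates a
// browser's form submission, scans access-log lines for leaked credentials,
// and shows a checker that keeps the password in the page.

// What a browser does with <form method="..." action="...">: GET appends the
// fields to the action URL as a query string; POST puts them in the body.
function buildSubmission(method, action, fields) {
  const encoded = new URLSearchParams(fields).toString();
  if (method.toUpperCase() === 'GET') {
    // The query string is part of the URL, so it ends up in browser history,
    // proxy and server access logs, and the Referer header of outbound links.
    return { url: `${action}?${encoded}`, body: null };
  }
  return { url: action, body: encoded };
}

// Parameter names that commonly carry credentials when a form goes wrong.
const SECRET_PARAMS = new Set(['password', 'passwd', 'pass', 'pwd', 'token']);

// Combined-format access-log lines, constructed for this example (IPs from the
// documentation range, timestamps invented). Only the results.html?password=
// password path is taken from the article.
const SAMPLE_LOG = [
  '203.0.113.5 - - [04/Jun/2014:10:15:02 +0100] "GET /themes/passwrdcheck/index.html HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [04/Jun/2014:10:15:09 +0100] "GET /themes/passwrdcheck/results.html?password=password HTTP/1.1" 200 3870 "http://www.getsafeonline.org/themes/passwrdcheck/index.html" "Mozilla/5.0"',
  '198.51.100.7 - - [04/Jun/2014:10:16:40 +0100] "GET /themes/passwrdcheck/results.html?password=Tr0ub4dor%263 HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
];

// Scan log lines for requests whose query string carries a secret parameter.
// Returns each leak (percent-decoded) plus a redacted copy of the line that
// is safe to keep in long-term storage.
function findLeakedSecrets(logLines) {
  const findings = [];
  for (const line of logLines) {
    const m = line.match(/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/);
    if (!m) continue;
    const path = m[1];
    const q = path.indexOf('?');
    if (q === -1) continue;
    const params = new URLSearchParams(path.slice(q + 1));
    const hits = [...params.keys()].filter((k) => SECRET_PARAMS.has(k.toLowerCase()));
    if (hits.length === 0) continue;
    const leaked = hits.map((name) => ({ name, value: params.get(name) }));
    for (const name of hits) params.set(name, 'REDACTED');
    const redactedPath = path.slice(0, q + 1) + params.toString();
    findings.push({ path, leaked, redacted: line.replace(path, redactedPath) });
  }
  return findings;
}

// A checker done right never submits the password: estimate strength in the
// page and send nothing. Crude estimate: bits = length * log2(charset size),
// with a small embedded list of passwords that get no credit at all.
const COMMON = new Set(['password', '123456', 'qwerty', 'letmein']);
function localStrength(pw) {
  if (COMMON.has(pw.toLowerCase())) return { bits: 0, verdict: 'common password' };
  let charset = 0;
  if (/[a-z]/.test(pw)) charset += 26;
  if (/[A-Z]/.test(pw)) charset += 26;
  if (/[0-9]/.test(pw)) charset += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) charset += 33;
  const bits = charset ? Math.round(pw.length * Math.log2(charset)) : 0;
  return { bits, verdict: bits < 40 ? 'weak' : bits < 64 ? 'fair' : 'strong' };
}

// Stand-alone demonstration.
const ACTION = 'http://www.getsafeonline.org/themes/passwrdcheck/results.html';
console.log(buildSubmission('GET', ACTION, { password: 'password' }).url);
for (const f of findLeakedSecrets(SAMPLE_LOG)) console.log(f.leaked, '->', f.redacted);
console.log(localStrength('password'), localStrength('correct horse battery'));
```

Note that switching the form to POST is not the fix either: the password still leaves the browser and still reaches a server that has no need of it. The third function is the design that matters: score it locally and make no request at all, which also removes the dilemma the site's own warning creates about whether the checker is "fake".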

"Our passwords are the key to your online life. Whether shopping, banking, social networking, making payments, emailing or the many other things you do on the internet your passwords help to protect your identity and personal and financial information," says the outfit.

"The key to effective passwords is not only keeping them to yourself, but ensuring that they cannot be guessed or broken by criminals."

It is not a bad thing, really, and despite revealing the password being tested, the page does make some suggestions about improving passwords. The question is, should you accept its advice?

Get Safe Online told us that the blighted password strength tester was an unpopular part of its website experience. In fact it appeared to suggest that the majority of the visits have come from the INQUIRER.

"We added the password checker to our site a year ago to evaluate its usefulness as a tool to help educate the public on what makes a strong password," it said by way of explanation.

"It was never promoted or put in a prominent spot on the website, and we did not publicise it as we were testing it. This is borne out by the fact that since June 2013 we have only had eight visits - six of which were today, 4 June."

The 'never promoted' claim was questioned by IT security consultant Paul Moore, who sent us in the direction of Twitter. There we found this non-promotional activity, which was repeated online by Kent Police and UK Trading Standards.

Promoted or not promoted, the spokesperson said that the tool has been stripped from the Get Safe Online webpage, which would make sense, if that is what happened.

"We would never and have never asked anyone to enter their real passwords into any kind of tool - the checker clearly stated that people should not enter their real passwords," it added. "We have now made sure that the page is no longer available."

We checked. The password strength test is still there, but the result of putting in your password is now a 404 message... albeit a 404 message that still includes the password in plain text in the URL. µ
