<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
> <channel><title>gHacks Technology News &#124; Latest Tech News, Software And Tutorials &#187; weak-passwords</title> <atom:link href="http://www.ghacks.net/tag/weak-passwords/feed/" rel="self" type="application/rss+xml" /><link>http://www.ghacks.net</link> <description>A technology news blog covering software, mobile phones, gadgets, security, the Internet and other relevant areas.</description> <lastBuildDate>Fri, 10 Feb 2012 20:51:26 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <atom:link rel="hub" href="http://pubsubhubbub.appspot.com"/><atom:link rel="hub" href="http://superfeedr.com/hubbub"/> <item><title>How Long It Would Take To Hack A Password</title><link>http://www.ghacks.net/2011/11/27/how-long-it-would-take-to-hack-a-password/</link> <comments>http://www.ghacks.net/2011/11/27/how-long-it-would-take-to-hack-a-password/#comments</comments> <pubDate>Sun, 27 Nov 2011 19:58:57 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Online Services]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[password]]></category> <category><![CDATA[password strength]]></category> <category><![CDATA[weak-passwords]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=53218</guid> <description><![CDATA[Password strength has become more of an issue in recent years. While it has always been important to select secure passwords, advancements in processing power and distributed computing (for instance cloud computing) have made it more of a pressing matter. Passwords that may have taken weeks or years to crack in the past are now [...]]]></description> <content:encoded><![CDATA[<p>Password strength has become more of an issue in recent years. While it has always been important to select secure passwords, advancements in processing power and distributed computing (for instance cloud computing) have made it more of a pressing matter. Passwords that may have taken weeks or years to crack in the past are now crackable in days or even hours. That&#8217;s a big security issue considering that many computer users are still selecting weak passwords as their account passwords.</p><p>Services that test password strength can help users evaluate their passwords. Will it take days, years or even longer to crack a selected password? That&#8217;s what How Secure Is My Password will tell you.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/11/how-secure-is-my-password.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2011/11/how-secure-is-my-password-600x310.jpg" alt="how secure is my password" title="how secure is my password" width="600" height="310" class="alignnone size-medium wp-image-53219" /></a></p><p>Just head over to the service&#8217;s website and enter a password in the form. You do not necessarily have to enter a password that you use actively. You can alternatively enter a comparable password to find out how long it would take to hack your password with a brute force attack, or maybe a combined dictionary and brute force attack.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/11/strong-password.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2011/11/strong-password-600x232.jpg" alt="strong-password" title="strong-password" width="600" height="232" class="alignnone size-medium wp-image-53220" /></a></p><p>Experienced computer users know that they need to pick passwords that contain upper and lower case letters, digits as well as special characters to make them secure. Length suggestions vary from 12 to 16 characters in most cases. The How Secure Is My Password service suggests using passwords with a length of at least 16 characters.</p><p>The password checker can be an eye opener for users who are using weak passwords. You can try out the service <a
href="http://www.howsecureismypassword.net/">here</a> or check our <a
href="http://www.ghacks.net/2010/08/11/how-secure-is-a-password/">How Secure Is A Password</a> guide for suitable alternatives.</p><p>The service does not only display the approximate time it would take to hack your password; it also displays information and tips that can help you select a more secure password. In addition, it compares the selected password against the list of the top 10k passwords used on the Internet.</p><p>The estimated time to hack a password is based on the processing power of a modern desktop PC. Depending on the infrastructure used, it may take considerably less time to hack a password.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/11/27/how-long-it-would-take-to-hack-a-password/feed/</wfw:commentRss> <slash:comments>15</slash:comments> </item> <item><title>Weak Passwords</title><link>http://www.ghacks.net/2007/03/27/weak-passwords/</link> <comments>http://www.ghacks.net/2007/03/27/weak-passwords/#comments</comments> <pubDate>Tue, 27 Mar 2007 05:19:03 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Hacking]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[brute-force]]></category> <category><![CDATA[password-generation]]></category> <category><![CDATA[passwords]]></category> <category><![CDATA[strategy]]></category> <category><![CDATA[weak-passwords]]></category> <guid
isPermaLink="false">http://www.ghacks.net/2007/03/27/weak-passwords/</guid> <description><![CDATA[I came upon the article "How I would hack your weak passwords" yesterday and pondered if I should write an article about it. I decided that it would be worth it. The author of the article details how he would try and find out your passwords and get access to all of your accounts in the end. His first approach would be to use the passwords most commonly used by users on the net. He needs information about your personal life for some passwords but that information can be obtained pretty fast through social engineering. Trying those "top 10" passwords would already cover a large percentage of online users, statistically speaking that is.]]></description> <content:encoded><![CDATA[<p>I came upon the article &#8220;<a
href="http://onemansblog.com/2007/03/26/how-id-hack-your-weak-passwords/" target="_blank">How I would hack your weak passwords</a>&#8221; yesterday and pondered if I should write an article about it. I decided that it would be worth it. The author of the article details how he would try and find out your passwords and get access to all of your accounts in the end. His first approach would be to use the passwords most commonly used by users on the net. He needs information about your personal life for some passwords but that information can be obtained pretty fast through social engineering. Trying those &#8220;top 10&#8221; passwords would already cover a large percentage of online users, statistically speaking that is.</p><p>The common password approach is the one that could give him instant success if the user is really using one of those common passwords for his accounts. His next approach would be to brute force the password on a website that has weak security. Those sites would not react if a large number of password requests came in within a short time. Most sites, however, ban IPs at least temporarily after several failed attempts, though that is still no problem if you know how to use proxies to attack with different IPs.</p><p><span
id="more-1349"></span></p><p>But the brute force programs that he suggests are way outdated. Brutus? wwwHack? That&#8217;s last millennium. Current state of the art bruteforcers for basic authorization and form protected sites are <a
href="http://carpetboy.deny.de/" target="_blank">C-Force</a> or Sentry. The brute force approach has one disadvantage. If you do not know the username you have to try username and password combinations and there is no guarantee that you will discover the combination for the user that you want to hack. You could get login details for other users which are absolutely worthless to you. This means bruteforcing is only an option if you know the username of the user.</p><p>There are actually two ways to bruteforce an account. The first would be to use pregenerated lists of usernames and passwords or try combinations to get into an account. The second would be to try every possible character combination. It should be noted that the second option could very well last several years or even centuries depending on the size of the selected password.</p><p>So, bruteforcing is not really an option and he is not explaining how he would get the username of the user in question except mentioning cookies. Cookies are stored on the target&#8217;s machine which would mean that he needs either access to that machine or an exploit to get them while the user is online. Not very practicable.</p><p>So, what can users learn from his analysis?</p><ul><li>Don&#8217;t overuse passwords; it&#8217;s more secure to use different passwords. If you only use one password, someone who finds this one out gets access to everything else that is protected by that single password</li><li>Don&#8217;t use passwords that are easy to guess or common. No names, no sport teams, relatives, pets, work related, hobbies, and so on</li><li>Use numbers and special chars if possible to increase the security of the password. Remember that size matters.</li><li>Write them down locally and put them in a safe or use software that encrypts them.
You could, for instance, use a TrueCrypt partition to store a text file with your passwords in it</li><li>Every password could be important to gain additional information about a user; never choose weak ones</li></ul> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2007/03/27/weak-passwords/feed/</wfw:commentRss> <slash:comments>12</slash:comments> </item> </channel> </rss>
