Waldo Jaquith

My passwords are not so hot.

How secure is your password? Check.


6 Comments

My first thought was, “What if it’s a phishing site?” but then I thought, even if it was, how much could they really do with just a password?

Posted by TrvlnMn on 10 September 02007 @ 2pm

Don’t feel too bad.

I tried this combo as a tester password:

xptdzdq1133h42184ststljhfrqdmsndvrjq

It was rated “mediocre”.

Posted by Josh on 10 September 02007 @ 3pm

I thought it was broken, too — until I tested one of my passwords.

Only 8 characters, all standard for US keyboards, but I got a score of “strong” (39). :-)

Posted by Tim McCormack on 10 September 02007 @ 10pm

It’s looking for at least eight characters, at least two non-alphanumeric characters, at least two numbers, and at least one uppercase letter. When mixed case and non-alphanumeric characters come into play, it gets way harder to launch an attack with rainbow tables. Given that, here are a few passwords that qualify as strong:

!@dle42D
#b1@rGh%
Me@hgd2!

Posted by Waldo Jaquith on 11 September 02007 @ 12pm

Sure, the computer thinks it’s strong, but how are you supposed to remember $flkj&K45F? It’s not exactly secure if I have to write it down and leave it next to my office computer.

Posted by Megan on 11 September 02007 @ 10pm

I think it’s pretty doable, as long as you use either mnemonics or goofy spelling equivalents. A ! can be an L or an i, a # can be an H, a @ can be an A, a + can be a T, etc. For instance:

The First Day Of The Week Is Sunday
TFDOTWIAS
+fd0+T!@S

Or, an example of the latter:

Moonflower
Mo0nf!0w3R

That said, passphrases are altogether more secure. Better to have an entire sentence (“The first day of the week is Sunday”), which requires no crazy numbers or weird keyboard characters. And, as you rightly point out, they’re easier to remember.

Posted by Waldo Jaquith on 11 September 02007 @ 10pm
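The composition rules described in the comments above, set beside a length-based estimate, as an added example that is not part of the original post or comments and is not the checker's own code. The function names and the character-pool sizes are assumptions of this sketch, and the bit count is only an upper bound against blind character-by-character guessing; a password or sentence built from dictionary words is worth far less against a guesser that tries words.

```python
import math
import string

# Assumed pool sizes for printable ASCII: 32 punctuation marks + space = 33.
POOLS = {"lower": 26, "upper": 26, "digit": 10, "other": 33}

def char_class(c):
    """Map one character to a class; anything else (space, symbols) is 'other'."""
    if c in string.ascii_lowercase:
        return "lower"
    if c in string.ascii_uppercase:
        return "upper"
    if c in string.digits:
        return "digit"
    return "other"

def class_counts(pw):
    counts = dict.fromkeys(POOLS, 0)
    for c in pw:
        counts[char_class(c)] += 1
    return counts

def meets_composition_rules(pw):
    """Rules as stated in the thread: at least 8 characters, 2 non-alphanumeric,
    2 digits and 1 uppercase letter."""
    n = class_counts(pw)
    return len(pw) >= 8 and n["other"] >= 2 and n["digit"] >= 2 and n["upper"] >= 1

def brute_force_bits(pw):
    """Upper bound on search space in bits: length * log2(pool of classes used)."""
    n = class_counts(pw)
    pool = sum(size for name, size in POOLS.items() if n[name])
    return len(pw) * math.log2(pool) if pool else 0.0

# Inputs taken from the comments above.
SAMPLES = [
    "!@dle42D",
    "xptdzdq1133h42184ststljhfrqdmsndvrjq",
    "The first day of the week is Sunday",
]

def report(samples=SAMPLES):
    return [(pw, meets_composition_rules(pw), round(brute_force_bits(pw), 1))
            for pw in samples]

if __name__ == "__main__":
    for pw, ok, bits in report():
        print(f"{'pass' if ok else 'fail'}  {bits:6.1f} bits  {pw}")
```

A rule-only checker passes the 8-character sample and fails both long ones, which is the mismatch the thread is circling: composition rules reward character variety, while the size of the search space grows mainly with length.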