aGoodL0ngPa$$w0rd IS NOT a good long password

I recently came across this password strength checker from Microsoft. While giving users feedback about the relative strengths of their passwords is a good way to help them choose good passwords, I also wanted to illustrate how current password strength checkers often fall short of their goals.

Case in point, both "aGoodL0ngPa$$w0rd" and "$3cretPa$$word" were rated as best passwords.

Yet both of these would be easily guessed by a password cracking program supporting leet speak.
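A sketch of the check the post argues is missing, as an added example rather than code from the post or from Microsoft's checker: undo common leet substitutions, then test whether the result splits into dictionary words. The `naive_score` rule, the substitution table and the tiny wordlist are assumptions constructed for illustration.

```python
import re

# Constructed mini wordlist; a real checker would load a large dictionary.
WORDS = {"a", "good", "long", "pass", "word", "password", "secret"}

# Assumed table of common leet substitutions, mapped back to plain letters.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "$": "s", "@": "a", "!": "i"})

def naive_score(pw):
    """Hypothetical length + character-class rule, the style the post criticises."""
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"))
    if len(pw) >= 14 and classes >= 3:
        return "best"
    return "strong" if len(pw) >= 8 and classes >= 3 else "weak"

def segment(text, words=WORDS):
    """Split text into the fewest dictionary words; None if it cannot be split."""
    best = [None] * (len(text) + 1)
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            piece = text[start:end]
            if best[start] is not None and piece in words:
                cand = best[start] + [piece]
                if best[end] is None or len(cand) < len(best[end]):
                    best[end] = cand
    return best[-1]

def check(pw):
    """Return (rating, words): reject anything that de-leets into dictionary words."""
    parts = segment(pw.lower().translate(LEET))
    return ("weak", parts) if parts else (naive_score(pw), None)

if __name__ == "__main__":
    for pw in ("aGoodL0ngPa$$w0rd", "$3cretPa$$word", "kT9#vQ2!xLm8Zr"):
        print(f"{pw!r}: naive={naive_score(pw)} de-leet check={check(pw)}")
```

Both passwords from the post pass the class-counting rule yet reduce to a handful of dictionary words once normalised, while the constructed random string does not.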

