Google Blogoscoped

Google password rating dictionary recognizes "gdrive" and "glinux" keywords

David Bloom [PersonRank 1]

Saturday, January 6, 2007
12 years ago, 11,279 views

You can get a "password strength" rating from Google by using www.google.com/accounts/RatePa ... . This is used by the "change password" page on Google Accounts to show a bar indicating password strength.

This rating not only considers password length, capitalization, and the use of numbers as well as letters, but also the use of various dictionary words.

For example, www.google.com/accounts/RatePa ... , www.google.com/accounts/RatePa ... , and www.google.com/accounts/RatePa ... all give the lowest possible rating of "1", because "password", "gmail", and "google" would be insecure passwords for a Google account. www.google.com/accounts/RatePa ... and www.google.com/accounts/RatePa ... both give a rating of "2".

Interestingly, www.google.com/accounts/RatePa ... gives a rating of "3", even though similar passwords of similar length and complexity such as www.google.com/accounts/RatePa ... or www.google.com/accounts/RatePa ... give the highest rating of "4". I also observed that www.google.com/accounts/RatePa ... has a rating of "3" even though www.google.com/accounts/RatePa ... and www.google.com/accounts/RatePa ... have a rating of "4".

TOMHTML [PersonRank 10]

12 years ago #

Maybe they just use their index? "Gdrive" is in 882000 pages, "GLinux" in 22000, my passwords in 0 pages.

Sam Davyson [PersonRank 10]

12 years ago #

Is it safe to Google your passwords? Hmm I guess so. They appear in your search history – but to see it you need the password anyway.

Ramibotros [PersonRank 10]

12 years ago #

If it's being googled server to server then there's no problem and it doesn't mean it should appear in your search history.

David Bloom [PersonRank 1]

12 years ago #

Sam:

Google logins use SSL encryption but Google web search does not use encryption, so it is not safe to Google your passwords.

Pierre S [PersonRank 10]

12 years ago #

Moreover, if it's a specific password, it might get spotted. Not very interesting though.
But Googlers say they see really weird things on the live query screens at Google.

David Bloom [PersonRank 1]

12 years ago #

Also, it is possible to use clever CSS to reveal whether a visitor to your website has visited a specific URL (for example: #foobar:visited { background: url(' example.com/user_has_visited?i ...); }). Although the simple CSS example I provided requires a server callback, with more elaborate code this is not necessary and all processing can be done in JavaScript (for IE/Opera, use a javascript: URL as the background; for Mozilla, attach an XBL binding to the :visited and detect based upon a constructor call). Basically, this could be used to easily run a dictionary or even brute force attack on your password by tricking you into visiting a page.

FerRory [PersonRank 1]

12 years ago #

I think the 1 to 4 ratio is a little bit of cr*p because the most insecure password I use, only letters, is four.

Scott [PersonRank 0]

12 years ago #

Hmm....
A lv 4 password is pretty secure eh?

I think I'm going to run out and change my pass to something more secure like dogcatrat
www.google.com/accounts/RatePa ...
cause it is just as secure as my old password:
dogcatrat553495248985699!4059
according to G:
www.google.com/accounts/RatePa ...!4059

ketra [PersonRank 0]

12 years ago #

you may want to look at:
nion.modprobe.de/blog/archives ...

Ludwik Trammer [PersonRank 10]

12 years ago #

> Basically, this could be used to easily run a dictionary or even brute force
> attack on your password by tricking you into visiting a page.

I think it's easier to run a dictionary attack on your password itself ;) You would notice if a page attempted to load a page with links to every possible word ;) And Google's search URLs differ depending on many factors. For example my search URL goes like this – google.pl/search?hl=en&lr= ...

Brian Mingus [PersonRank 10]

12 years ago #

For the 1 trillion word corpus they recently released, they considered any string that occurred more than 200 times a word, IIRC.

David Bloom [PersonRank 1]

12 years ago #

Ludwik:

It's not hard to determine what someone's Google search URL format is – for example, an HTTP referrer header could be used to determine it.

Haochi [PersonRank 10]

12 years ago #

"1[put at-character here]3" (without quotes) is a pretty secure password. :) Lv. 4.
