Suggestion: Free password strength checker
As a result of unfruitful attempts to get my IT staff to adopt a company password manager (specifically 1Password for many reasons - e.g., cross-platform Windows/macOS/Linux), I am trying to find a decent free utility to measure password strength (not generate). They share passwords at this company via e-mail (ugh!). When I point out that they are weak passwords, in addition, they often change them (sometimes with improvement). By having a measuring tool, which would hopefully suggest using a password manager (e.g., 1P), perhaps they will start to get the right idea.
If you had a free cross-platform utility that prospective customers could download to check password strength, perhaps I could:
- Get them to use it (because it would be free)
- Get them to see the value of AgileBits tools
- Eventually move to the next stage
I think this has to be a downloadable App because:
- If you use a web-based approach, you may not trust it once you've entered a candidate password because it has now been sent over the web. Thus the act of checking would invalidate the checking.
- A well-written app would demonstrate your company's programming skills.
I also suspect it would be pretty easy for you to create such an app because you already have all the components in 1P.
Comments
Hey @dcblack56:
While it's definitely a solid idea, the truth is it's a little bit trickier than it sounds to make a judgement call on a password in isolation. In short, there's no way for a tool to determine the specifics of how a password was generated after the fact, without having been the one that generated it and stored the password itself.
For example, three separate passwords:
- fYADUM.ko9GTvWpY7grM, a strong, securely generated password I just made randomly in 1Password.
- password123, a password that is very clearly a weak password created by an individual.
- n!Um9q-jcokqoTqfnAyr, a password that on the face of it looks just as strong as the first password created by 1Password, but is in fact a password mandated by an organization, written down on a memo in the break room, and all employees are required to use it for their corporate accounts.
Without the context of knowing that from an organizational policy all employees use the same password, a tool operating in isolation would rank passwords 1 and 3 roughly equivalent. Given this, it's best to look at the password practices of an organization as a whole, using some sort of password management solution, rather than trying to evaluate a single password at a time.
Let me know if that makes sense, or if you'd like me to dig in a bit further with you!
Jack
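A small illustration of the point Jack makes above (added here; not 1Password's code and not something either poster wrote): a naive character-class entropy estimate, the arithmetic most strength meters start from, scores the first and third passwords identically because it only ever sees the string. The tiny inline wordlist, the assumed wordlist size and the scoring rules are constructed assumptions for the demonstration.

```python
import math
import re

# Constructed sample set: the three passwords quoted in the reply above.
SAMPLES = {
    "generated": "fYADUM.ko9GTvWpY7grM",  # random, from a password manager
    "weak": "password123",               # human-chosen dictionary word + digits
    "mandated": "n!Um9q-jcokqoTqfnAyr",  # looks random, but shared company-wide
}

# Assumption: a stand-in for a real wordlist. A real checker would load
# thousands of entries; WORDLIST_SIZE is what we charge for a dictionary base.
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "admin"}
WORDLIST_SIZE = 10_000


def charset_size(pw: str) -> int:
    """Alphabet size implied by the character classes actually present."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return size


def estimate_bits(pw: str) -> float:
    """Brute-force guess entropy: len * log2(alphabet), unless the password is
    a common word plus a short suffix, which is charged as wordlist + suffix."""
    if not pw:
        return 0.0
    base = re.sub(r"[0-9!@#$%^&*]+$", "", pw).lower()
    if base in COMMON_WORDS:
        suffix = pw[len(base):]
        return math.log2(WORDLIST_SIZE) + len(suffix) * math.log2(10)
    return len(pw) * math.log2(charset_size(pw))


def score_samples(samples: dict = SAMPLES) -> dict:
    """Score each sample; passwords 1 and 3 come out equal, which is the
    limitation the reply describes: context is invisible to the meter."""
    return {name: round(estimate_bits(pw), 1) for name, pw in samples.items()}


if __name__ == "__main__":
    for name, bits in score_samples().items():
        print(f"{name:10s} {bits:6.1f} bits")
```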
I understand your points.
Convincing an organization that doesn't want to listen is generally more difficult.
It's funny because the IT guy insists we change our personal passwords every 6 months and the tools make sure we don't recycle old ones. He also tells us to use different passwords on different machines. So far, so good. Then the guys in the organization right next to him give us logins for resources they manage and everybody gets the same weak passwords. I use 1PW to manage mine and I am always amused to see the complaint about how weak the passwords are.
I'm not really in a position to change anything (just a contributing employee -- not in management). We're a small company (40-50), but we should still be concerned IMNSHO.
Hi @dcblack56:
Indeed, that's always the tricky part. If you're in the position to have your decision makers reach out to us at support@1password.com, we'd be happy to dig into it deeper with the people who have the final say.
Jack