The most secure password (mostsecure.pw)
41 points by uncleleech 3289 days ago
19 comments

There's not much point in complaining about joke websites (it presents just a single password that is always the same) like this existing, simply because statistically it is expected that some people will build them for a laugh. They are harmful though, because some people enjoy spreading fake advice like this; and often they will gain traction.

For the more ethically inclined amongst us the best course of action is probably to add this 'password' to some of the lists of common passwords out there, to help password strength utilities to filter it out on the level of 'correct horse battery staple' — an excellent password in itself, but used as an oft quoted example and thus not suitable for actual use.

perhaps a better way to make this joke is to randomly generate a strong password every time the page is loaded-- who's going to look at it more than once anyway?
I reloaded it a couple times to verify that it was a joke. Unfortunately, my Grandma was looking over my shoulder and is now using this password on Facebook.
And then what's the joke?

The joke is it's the same every time.

Maybe have it generate a new password seeded by a browser fingerprint. That way it looks like the joke works but it doesn't do any damage.
Which would basically be a password that is randomly generated from very poor quality entropy, giving almost as much insecurity as the current example, while fooling even more people (because it changes). Nice idea.
Generate a real strong password and store it in a cookie then.

Or just don't and leave it as a joke the way it is, I think we're over-engineering this.

That being said there's an actual password generator "feature" in duckduckgo for some reason: https://duckduckgo.com/?q=!password&t=ffab&ia=answer

I can't really imagine why anybody would want to use that though...

what's wrong with using a password generator? or are you just saying that having it built into a search engine is pointless?
This kills the joke.
I think it'd be even better if they delved into the math behind why this password is so secure. It should then become apparent that the site is satire, and that the site doesn't randomly generate secure passwords.

Bonus points to only have the password below-the-fold so that those who aren't going to read the explanation will be less likely to copy, paste, and carry on.

Ideally, as mentioned in an earlier comment, the password could be seeded through the browser's fingerprint to allow the joke to remain (it'll be the same password upon refreshing) but still won't be as damaging for those who don't get the joke (it's still not cryptographically secure).

Those are some very good points. I was also thinking "oh someone computed the least likely password based on leaks, that's cool!" but it's just a static page with some garbage in a box...
I just checked it using

https://www.ssllabs.com

And it gets a grade of A.

So that is definitely the password I'm going to use from now on!

Oh, and here's a useful function:

/* Returns a random integer that was determined by a fair roll of a dice. */
function randomInt() { return 4; }

That's way more efficient than a Mersenne Twister, and just as random!
XKCD
It's a good joke, but a somewhat dangerous one.

The general principle is that humor does not scale. With enough users, the probability that a joke will be misinterpreted approaches 1.

I'm reminded of Al Franken's latest book where he talks about having to run what he says through the DeHumorizer now that he's a politician.

I laughed.

But then I thought about the users who don't know any better and might stumble onto this site. They aren't stupid. They just don't know any better, and a lot of education attempts can go over their heads. Worse yet, sites with poor password policies (seemingly every online banking site in existence, workplaces, sites with 16 character maximums, etc.) reinforce bad practices in their minds, while attempts at explaining the problems are forgotten. I'd probably explicitly note that it's a joke, especially if someone tries to copy the password. :)

Is this a joke? Because this is already added to password crack dictionaries now...

If it is a joke, then they need something to indicate that, and very blatantly at that. Because there's a great deal of people who'd see that and not give it a second thought to use it.

I don't know about all of you, but I'm going to use H4!b5at+kWls-8yh4Guq for my password everywhere. No way any of you will be able to crack it!
Even if this site was not a joke, I wouldn't trust an online password generator, especially if the pass is generated on the backend instead of the client. A quick Google for 'password generator' yields hundreds of these sites which are more than likely run by the same outfit and are possibly logging the passes into a database to make cracking various accounts easier.

There's a few PW generators which run on the client only and don't send any requests to third parties, and I use them sometimes. They are typically very JS heavy and use different seeds to generate sufficient entropy, like client fingerprint, mouse co-ordinates, timezone, etc.

The Mersenne Twister algorithm takes a random seed (which should be highly entropic) as input and then deterministically generates a series of outputs. It does not generate any entropy by itself, nor does it specify where your source of entropy should come from.
If I'm not mistaken, using a Mersenne Twister in a secure application is a really bad idea.
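An added illustration of the two comments above, not code from the thread: Python's random module is MT19937, so seeding it from a browser fingerprint only replays whatever entropy the fingerprint carried, while secrets draws from the OS CSPRNG. The fingerprint strings and alphabet are constructed sample values.

```python
import hashlib
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
LENGTH = 16


def mt_password(fingerprint: str, length: int = LENGTH) -> str:
    """Password from MT19937 seeded with a hash of a browser fingerprint.

    The generator is deterministic: the same fingerprint always yields the
    same password, and the number of distinct passwords handed out can never
    exceed the number of distinct fingerprints, however the seed is 'mixed'.
    """
    seed = int.from_bytes(hashlib.sha256(fingerprint.encode()).digest(), "big")
    rng = random.Random(seed)  # random.Random is a Mersenne Twister
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def csprng_password(length: int = LENGTH) -> str:
    """Password from the OS CSPRNG: there is no seed to replay or guess."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def distinct_passwords(fingerprints) -> int:
    """How many different passwords a fingerprint-seeded page can produce."""
    return len({mt_password(fp) for fp in fingerprints})


if __name__ == "__main__":
    # Constructed sample fingerprints: two identical-looking browsers get the
    # same "random" password, so three visitors receive only two passwords.
    visitors = ["Firefox/UTC/1920x1080", "Firefox/UTC/1920x1080", "Chrome/UTC/1366x768"]
    print("seeded MT, 3 visitors ->", distinct_passwords(visitors), "distinct passwords")
    print("CSPRNG, 3 visitors   ->", len({csprng_password() for _ in range(3)}), "distinct passwords")
```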
This is irresponsible. Some developer's aunt will see this on facebook and actually use it.
I think that is unlikely.

Much more likely: a manager will issue a corporate directive that everyone must begin using this password at once.

It's no less secure than the one password she's already using.
Some developers might actually use it.
They typed in hunter2, but all I see is * * * * * * *.
classic
Here is what I use (notice that I omit zero and the letter O):

$ ./LinPass.sh luser
xTJ2B2X3
$ ./LinPass.sh luser
JzILD3qd
$ ./LinPass.sh luser
IzlXki81

$ cat LinPass.sh
#!/bin/bash
# Reset logname's password (random unless pw is given) and force a change.
if [[ -z "${1}" ]] || ! id "${1}" > /dev/null 2>&1
then echo -e "Usage: $0 logname [pw]\n\treset logname's pw & force chg"
     exit 1
fi
if [[ -z "${2}" ]]
then while [[ $pw != [A-NP-Za-np-z]* ]] || # Begins with a letter
           [[ $pw != *[1-9]* ]] ||           # Has a number
           [[ $pw == *[^A-NP-Za-np-z1-9]* ]] # Has nothing else
     do pw=$(openssl rand -base64 6)         # Safe random source
     done
else pw="${2}"
fi
#echo "${pw}" | passwd --stdin "${1}"
#chage -d 0 "${1}"
echo "${pw}"
#http://brandonhutchinson.com/wiki/Linux_Password_Policy
#chage -m 7 -M 90 -W 14 hutchib; #chage -M 85 -W 5 -I 5 "${1}"

Unamused. If anything, ambiguous characters should have been excluded. It's a very small reduction of keyspace in exchange for not entering the wrong passwords because of glyph similarities.
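An added example, not the LinPass.sh posted above: it keeps that script's rules (begins with a letter, contains a digit, letters and digits only) and also drops the look-alike glyphs the reply asks for. The excluded set 0/O/o and 1/l/I is my assumption; secrets stands in for openssl rand as the CSPRNG, and the keyspace function shows how little the exclusion costs.

```python
import math
import secrets
import string

# Assumed look-alike set: digit/letter pairs that are confused in common fonts.
AMBIGUOUS = set("0Oo1lI")
UNAMBIGUOUS = [c for c in string.ascii_letters + string.digits if c not in AMBIGUOUS]


def check_policy(pw: str) -> bool:
    """LinPass.sh's three rules plus the look-alike exclusion."""
    if not pw or not pw[0].isalpha():                      # begins with a letter
        return False
    if not any(c.isdigit() for c in pw):                   # has a number
        return False
    if not all(c.isascii() and c.isalnum() for c in pw):   # has nothing else
        return False
    return not (AMBIGUOUS & set(pw))                       # no look-alike glyphs


def generate(length: int = 8) -> str:
    """Draw from the OS CSPRNG until a candidate satisfies the policy.

    Rejection sampling, as in the while loop of LinPass.sh, keeps every
    accepted password equally likely among the policy-compliant strings.
    """
    while True:
        pw = "".join(secrets.choice(UNAMBIGUOUS) for _ in range(length))
        if check_policy(pw):
            return pw


def keyspace_bits(length: int, alphabet_size: int = len(UNAMBIGUOUS)) -> float:
    """Bits of entropy in a uniformly drawn password of the given length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(generate(8))
    # 56 symbols instead of 62 costs about 1.2 bits over 8 characters.
    print(round(keyspace_bits(8), 2), "bits vs", round(keyspace_bits(8, 62), 2))
```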

Either you're expected to remember these 20-character monstrosities (which is going to be beyond the abilities of most people with 5+ accounts), or more likely you're going to be reading them from a password manager.

Being ISO-compliant is all well and good, but it's been shown many, many times that making password restrictions this extreme causes more problems than it solves.

This is an absolutely terrible idea. At least randomly generate a new password every time you visit the page.

Any internet noob searching for the most secure password might actually use it.

If it was different every time you visited, how could you retrieve your password if you forgot it?
Lmao, yes
I thought it was genius
A new password is randomly generated, reviewed by a committee, and deemed less secure, every time you visit the page.
I think this is brilliant. Culling the herd.
... and then there are stupid websites like Baidu which limit your password to 16 characters.
Those names don't exist. So, it's really a joke.
this one is better: https://passweird.com/
No spaces? Not secure enough. ( :p )
They should allow emoji and non-breaking spaces in passwords.
Please don't use emoji in passwords until UTF-128 comes out.

Half of its code points (2 ^ 64) will be characters whose glyphs are every possible combination of 8x8 bit images. That way you can make monochrome graphics simply with rows and rows of adjacent characters in the enormous sized UTF-128 font.

And imagine how many emojis there will be? There would more than one emoji for every human who has ever lived.

In short, we'll have really safe passwords using characters from UTF-128. So be patient. ;-)

"Your password must contain 1 capital, 1 small letter, 1 number, 1 symbol, 1 Cyrillic character, 1 Kanji, 1 half-tone, and 1 boson."
that's actually a pretty cool and fun idea. Would not allow :) though, that's too easy
H4!b5at+kWls-8yh4Guq it is then!
0118 999 881 999 119 7253
PolygonPlywoodBrimNibbleUndertow,UnderrateFaxCliqueBribeUnhappily4

EFF Diceware FTW. >128 bits of entropy there. Has uppercase, lowercase, a number, and a symbol to satisfy misguided password strength rules. Being a passphrase it's much more memorable than simple passwords. Clearly this passphrase is the best.

I'd rather append 0A! to passphrases to satisfy silly requirements instead of capitalizing Every Single Word (impossible to type at speed) and inserting a symbol at a random place. This looks a little troubador-sy.