by ZoFreX 4391 days ago
> Get Safe Online is a jointly funded initiative between several Government departments and private sector businesses. In fact, we are the Government’s preferred online security advice channel.

There are adverts everywhere about it with obvious government endorsement.

It's not just that they send it over HTTP. It shouldn't send it anywhere; it should all be done client-side with JavaScript. It's more than "you made a little mistake", it's "who are you to tell people what is, or isn't, secure when you can't even manage the basics?"


I'm not from the UK and I never believe anything a company puts on its about us page. ;)

If they are doing statistical analysis on passwords, they'd have to send that information somewhere, so I'm not surprised that they are.

Anyone who is concerned about security shouldn't be giving their password to a 3rd party to verify [even via a javascript webpage] for any reason.

Also: "(Never enter your real password into a password checker, as unlike this one, some may be fake)" From the page.

I give this site to people so they can check the strength of their twitter password. I think it gets the point across. http://www.ismytwitterpasswordsecure.com
> Also: "(Never enter your real password into a password checker, as unlike this one, some may be fake)" From the page.

That's genius because scammers would never say something like that because that would be lying and people don't lie because it's naughty.

I read that and concluded they meant "Do not use a real password on this site"
> Anyone who is concerned about security shouldn't be giving their password to a 3rd party to verify [even via a javascript webpage] for any reason.

I'd agree but I don't think anyone who reads hacker news is likely to use a password checker anyway. We all, however, know less technical people who could and would get compromised by something like this and to have it endorsed by the government sends the message that it is safe. That's the problem as far as I'm concerned.

It is done client side with javascript, in the results.js on the results page. If they'd put it on the original page, it would all have been client side. The only reason I can think of for doing it this way is statistics collection for later.
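The point made twice in this thread is that a strength checker has no reason to send the password anywhere: the estimate can be computed in the page. As an added illustration that is not part of the thread and not Get Safe Online's results.js, here is a self-contained estimator that runs entirely client-side. The function is pure, so nothing it does can leak the password; the only way a site could still collect it is to add a separate submit of its own. The common-password list, the trailing-suffix stripping, and the bit thresholds are assumptions chosen for the example.

```javascript
// Added example (not from the thread or from Get Safe Online's results.js):
// a password-strength estimate that runs entirely client-side. assessPassword
// takes the candidate password and returns a verdict; it performs no fetch,
// form submit, or any other network I/O.

// Constructed sample of widely used passwords. Assumption: a real page would
// ship a much larger list alongside the script rather than query a server.
const COMMON_PASSWORDS = new Set([
  "password", "123456", "12345678", "qwerty", "letmein", "abc123", "iloveyou",
]);

// Size of the smallest character set that covers every character in pw.
function charsetSize(pw) {
  let size = 0;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) size += 33; // printable ASCII symbols and space
  return size;
}

// Naive entropy estimate: log2(charset) per character, with characters that
// merely repeat or step from their predecessor ("aaaa", "1234", "abcd")
// credited with a single bit each instead.
function estimateBits(pw) {
  if (pw.length === 0) return 0;
  const perChar = Math.log2(charsetSize(pw));
  let bits = pw.length * perChar;
  for (let i = 1; i < pw.length; i++) {
    const delta = pw.charCodeAt(i) - pw.charCodeAt(i - 1);
    if (Math.abs(delta) <= 1) bits -= perChar - 1;
  }
  return Math.max(0, bits);
}

// Thresholds are an assumption chosen for illustration, not a standard.
function verdictFor(bits) {
  if (bits < 28) return "very weak";
  if (bits < 36) return "weak";
  if (bits < 60) return "reasonable";
  return "strong";
}

function assessPassword(pw) {
  // Catch the list entry itself and "Password123!"-style variants
  // (case-insensitive, trailing digits/symbols stripped) before any maths,
  // because a charset-based estimate would otherwise rate them highly.
  const lowered = pw.toLowerCase();
  const stripped = lowered.replace(/[0-9!@#$%^&*]+$/, "");
  if (COMMON_PASSWORDS.has(lowered) || COMMON_PASSWORDS.has(stripped)) {
    return { bits: 0, verdict: "very weak", reason: "matches a common password" };
  }
  const bits = estimateBits(pw);
  return { bits, verdict: verdictFor(bits), reason: "charset and length estimate" };
}

// Usage: attach assessPassword to an <input> event handler in the browser;
// under Node (no `document`) run a small demo instead.
if (typeof document === "undefined") {
  for (const pw of ["Password123!", "aaaaaaaa", "correct horse battery staple"]) {
    const r = assessPassword(pw);
    console.log(`${JSON.stringify(pw)} -> ${r.verdict} (${r.bits.toFixed(1)} bits, ${r.reason})`);
  }
}
```

The list check matters more than the arithmetic: a charset-and-length estimate alone rates "Password123!" as respectable, which is exactly the kind of password these checkers exist to catch. Shipping the list with the page keeps the whole check offline; if the page wants usage statistics, it can send the verdict, not the password.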