An educational website that bills itself as the UK's top source for "unbiased, factual and easy-to-understand information on online safety" isn't living up to its promise. Not only is the password strength meter for Get Safe Online completely unreliable, it also transmits user-supplied candidates in address URLs, where they are vulnerable to hackers and shoulder surfers alike.

The sole exhibit in making this case is the above screenshot, showing how the Get Safe Online password checker graded the choice "Julia1984." As Ars chronicled two years ago, the password will typically fall in the first minute or so of a standard offline cracking session, because it contains an extremely common name followed by four digits, in a futile attempt to add randomness. Even worse, the digits are the year many people were born, making it more likely to be chosen than other numbers. All of that makes "Julia1984" among the worst passwords a user can choose. Despite this, Get Safe Online rates it "exceptional" and even goes on to say: "Flex those pecs, you're a Password Strongman (or woman)!" The password checker became unavailable sometime after the screenshot was captured on Wednesday morning.
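To show why a checker can grade "Julia1984" as exceptional while a cracker breaks it in seconds, here is an added example (not code from Get Safe Online or Ars) contrasting a naive character-class meter with a pattern-aware check; the name list, NAME_LIST_SIZE and the year range are constructed assumptions.

```python
import re
from math import log2

# Constructed sample of very common first names; a real cracking wordlist runs to
# tens of thousands of entries, which NAME_LIST_SIZE approximates (assumption).
COMMON_NAMES = {"julia", "james", "john", "mary", "michael", "sarah", "david", "emma"}
NAME_LIST_SIZE = 10_000
YEARS = range(1900, 2026)  # plausible birth years appended as four digits

LABELS = ["very weak", "weak", "fair", "strong", "exceptional"]

def naive_meter(pw: str) -> str:
    """Character-class meter of the kind many sites use: one point for length >= 8
    and one per character class present. It knows nothing about dictionaries."""
    score = int(len(pw) >= 8)
    for cls in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"):
        score += bool(re.search(cls, pw))
    return LABELS[min(score, len(LABELS) - 1)]

def name_year_findings(pw: str) -> list[str]:
    """Detect the 'common name + digits' structure that offline cracking rules
    try long before any brute force of the full character space."""
    m = re.fullmatch(r"([A-Za-z]+)(\d+)", pw)
    if not m:
        return []
    word, digits = m.groups()
    findings = []
    if word.lower() in COMMON_NAMES:
        findings.append("common first name")
    if len(digits) == 4 and int(digits) in YEARS:
        findings.append("four-digit year")
    else:
        findings.append("trailing digits")
    return findings

def structured_keyspace_bits(pw: str) -> float:
    """Effective search space in bits. The naive meter implicitly assumes every
    character is independent (62^len for alphanumerics); a name+year pattern is
    only |names| x |years|, which is what a cracker actually has to enumerate."""
    if name_year_findings(pw) == ["common first name", "four-digit year"]:
        return log2(NAME_LIST_SIZE * len(YEARS))
    return len(pw) * log2(62)

def rate(pw: str) -> tuple[str, list[str]]:
    """Pattern-aware rating: any dictionary structure caps the grade at 'weak'."""
    findings = name_year_findings(pw)
    return ("weak", findings) if findings else (naive_meter(pw), [])

if __name__ == "__main__":
    for pw in ("Julia1984", "qR7vkP2mZ4"):  # both score 'exceptional' on the naive meter
        print(pw, naive_meter(pw), rate(pw), round(structured_keyspace_bits(pw), 1))
```

Both sample strings earn "exceptional" from the character-class meter, but the pattern-aware check shows "Julia1984" sits in a search space of roughly 20 bits rather than the 53 the meter implicitly assumes.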

In fairness, Get Safe Online isn't the only site that struggles to provide useful guidance about how susceptible a given password is to real-world cracking techniques. As Ars has reported in the past, similar services provided by both Intel and eBay have similar flaws. People who want to evaluate the strength of a password should rely on the advice provided by a reputable password manager such as 1Password or LastPass. In addition to being unreliable, online password checkers may also harvest passwords behind the scenes, making them unsuitable unless users have the skills needed to closely scrutinize the way the service works.

Even worse is the transmission of "Julia1984" in plaintext. This unfortunate design choice by the Web application developers allows anyone on the same unsecured network as the Get Safe Online visitor to sniff the password candidate. And because it's transmitted in the URL, the design may also make it possible for people in physical proximity to the user to view it. This violates one of the core tenets of security that passwords should be a closely guarded secret.

Get Safe Online lists an impressive roster of partners and supporters that includes widely respected security providers and financial services. It's unclear if any of them provided their consent to be included on the page. But given the low value of the advice and the unsafe handling of user password candidates, they should consider having their names removed until the site cleans up its act.

Post updated in the second paragraph to note the password checker was no longer available and in the third paragraph to add details about safer alternatives for evaluating password strength.