A new website published by chipmaker Intel asks readers "How Strong is Your Password?" and provides a form for estimating the strength of specific passcodes. It's too bad the question isn't "How Strong is your Password-grading site," because the answer, unfortunately, is "not very."

The most glaring problem with the site is its failure to use standard HTTPS Web encryption. Based on the secure sockets layer and transport layer security protocols, HTTPS ensures that a Website being accessed is authentic and operated by a legitimate entity, as opposed to a knock-off page created by someone who is able to control the end user's Internet connection. It also encrypts traffic sent between the end user and site to prevent anyone else from eavesdropping. It wouldn't take much effort for someone to create a convincing replica of the McAfee-powered site and substitute it for the real one on a network in a coffee shop, at a conference, or in another setting. At that point anything a visitor typed could be sent to the attacker. Authoritarian regimes have also been known to inject code into legitimate sites to log account credentials.

To be sure, there are caveats. The site instructs users: "PLEASE DO NOT ENTER YOUR REAL PASSWORD," but I'd bet some percentage of users will ignore this request. Even then, the attack wouldn't reveal the user name corresponding to the password, or even the service or site they belong to. Still, the attack could be used in campaigns aimed at a specific individual or group to gain important insights about the passwords the targets use. More importantly, I'd expect a site with a goal of educating the masses about password security would tell users they should never enter a password on a plain HTTP connection. And I certainly expect Intel and its McAfee subsidiary to offer HTTPS on their own sites. The lack of encryption and authentication is surprising. I'd strongly discourage readers from entering any passwords they trust or use to secure important accounts.

The other problem with McAfee's site is the methodology used to rate the strength of passwords. The site estimates that it would take six years to crack the passcode "BandGeek2014" (minus the quotation marks) and three months to crack "windermere2313". Last week, I shoulder surfed as Jens "Atom" Steube, the lead developer of the freely available ocl-Hashcat-plus password-cracking program, decoded most of a list of 16,000 cryptographically hashed passcodes that were leaked on the Internet several months ago. It took him less than 30 minutes to break both of those passwords.

Conversely, the site says it would take only two years to crack "nIGpkQ8s.W6". That's a password I randomly generated for the purposes of this article, one that likely could be cracked only through the computationally painstaking process of brute forcing. Because it contains 11 characters and uses numbers, symbols, and upper- and lower-case letters, there are 9511 possible combinations, a massive "keyspace" that could take real-world crackers years centuries to exhaust.

The Intel site doesn't explain how it arrived at the conclusion that "nIGpkQ8s.W6" is three times faster to crack than "BandGeek2014"—and ultimately it doesn't matter. What's important is that this site should never be trusted with real passwords and can't even be counted on to give realistic assessments about the relative strength of passwords. By asking users, "Are you hackable or uncrackable?" it's crossing uncomfortably close into what security guru Bruce Schneier calls "security theater."

In the coming month or so, Ars will publish a series of articles showing how passwords are cracked in the real world and techniques end users can follow to prevent these attacks. Stay tuned.