Thursday, January 01, 2009

Quick antispam observation

One thing I've been doing recently is removing my membership of a load of websites that I don't seem to have used in a long time. One side effect of not using a website in a long time is that I forget the password I created for the account, so I get to see how the website handles failed login attempts. Often, quite a few times :-(.

Now, some of these sites - and I've been notifying the owners as I go - give you a different failure message depending on whether you got your password or your e-mail address wrong. This is, to quote the twitterverse, made of fail. It means these websites can be used to automatically generate lists of the members' e-mail addresses; useful to spammers, phishers (remember that the list is based on being a member of a particular site, so it's easy to target the phish at that site) and even for later trying to compromise accounts on that site. I'd really avoid being a member of any site whose login page worked like that, and try to get them to change their error messages.
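The difference between the two behaviours, as an added example that is not part of the original post: a login check that reveals membership through its message, beside one that returns a single message for both failures. It goes one step beyond the post by also doing the same hashing work for unknown addresses, so response time does not give away what the message no longer does. The account store, function names and message wording are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed value for the example


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _make_user(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed sample account store: e-mail -> (salt, password hash)
USERS = {"alice@example.com": _make_user("correct horse")}

# Dummy credentials so an unknown e-mail costs the same hashing work
_DUMMY_SALT, _DUMMY_HASH = _make_user("dummy")

GENERIC_FAILURE = "Incorrect e-mail address or password."


def login_leaky(email: str, password: str) -> str:
    """The behaviour described in the post: the message reveals membership."""
    if email not in USERS:
        return "No account with that e-mail address."
    salt, stored = USERS[email]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Wrong password."
    return "OK"


def login_uniform(email: str, password: str) -> str:
    """Same message for both failures, same work on both paths."""
    # Unknown address: verify against the dummy hash instead of returning early.
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if email in USERS and matches:
        return "OK"
    return GENERIC_FAILURE
```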

2 comments:

Anonymous said...

Happy New Year Graham,

time for a New Year's Resolution : Keep track of all the passwords to the sites that you subscribe to.

There are plenty of tools around now to help with this.

January 01, 2009 12:13 pm
Graham Lee said...

Thanks Martin, happy new year to you too :-). I already do have a password manager (based on one of the keychains on one of my computers), but some of these sites I haven't used in so long they pre-date that management system. For instance, I've had to remove myself from some undergrad sites. However, I believe we're covering 1password at the next OxMUG meeting.

January 01, 2009 1:29 pm
