Thursday, January 01, 2009

Quick antispam observation

One thing I've been doing recently is removing my membership of a load of websites that I don't seem to have used in a long time. One side effect of not using a website in a long time is that I forget the password I created for the account, so I get to see how the website handles failed login attempts. Often, quite a few times :-(.

Now, some of these sites - and I've been notifying the owners as I go - give you a different failure message depending on whether you get your password wrong or your e-mail address. This is, to quote the twitterverse, made of fail. It means these websites can be used to automatically generate lists of the members' e-mail addresses; useful to spammers, phishers (remember that the list is based on being a member of a particular site, so it's easy to target the phish at that site) and even for later trying to compromise accounts on that site. I'd really avoid being a member of any site whose login page worked like that, and try to get them to change their error messages.
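The difference between the two behaviours, as an added example that is not part of the original post: a login check whose message reveals whether the address is registered, beside one that returns the same message and does the same hashing work either way. The account store, address, password, function names and iteration count are all constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed value for the demo, not a recommendation

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

# Constructed sample account store (hypothetical address and password).
USERS = {"alice@example.com": make_user("correct horse battery staple")}

# Dummy record so an unknown address costs the same hashing work as a known one.
DUMMY = make_user("placeholder-never-matches")

def login_leaky(email: str, password: str) -> tuple[bool, str]:
    """The behaviour the post describes: the message reveals membership."""
    user = USERS.get(email)
    if user is None:
        return False, "No account with that e-mail address."
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        return False, "Incorrect password."
    return True, "Welcome back."

GENERIC_FAILURE = "Incorrect e-mail address or password."

def login_uniform(email: str, password: str) -> tuple[bool, str]:
    """Same message and same hashing work whether or not the account exists."""
    user = USERS.get(email)
    record = user if user is not None else DUMMY
    matches = hmac.compare_digest(
        hash_password(password, record["salt"]), record["hash"]
    )
    # A match against the dummy record never counts as a login.
    if user is not None and matches:
        return True, "Welcome back."
    return False, GENERIC_FAILURE
```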


Martin said...

Happy New Year Graham,

time for a New Year's Resolution: Keep track of all the passwords to the sites that you subscribe to.

There are plenty of tools around now to help with this.

leeg said...

Thanks Martin, happy new year to you too :-). I already do have a password manager (based on one of the keychains on one of my computers), but some of these sites I haven't used in so long they pre-date that management system. For instance, I've had to remove myself from some undergrad sites. However, I believe we're covering 1Password at the next OxMUG meeting.