Are you giving away your login details for all your accounts?

Note: This post is over 4 years old. It was first published in February 2007


Ok, I acknowledge that I’m no security expert and this probably isn’t a major security risk, but do you recognize this scenario?

You’re on some two-bit website trying to log in. Maybe it’s a royalty-free photo bank, maybe a discussion board, or some random online game. You’re in a hurry, not thinking too hard, and suddenly find you’ve tapped in the username and password for your email account, or – even worse – your work VPN. It comes up as “incorrect username / password”, so you go on to try another likely candidate – and then another again. By the end of it you’ve hammered in pretty much every username and password you’ve used in the last 10 years.

Have you ever considered the possibility that this site is storing all the rejected usernames and passwords? It may be storing them with or without nefarious purposes, but either way it’s a genuine possibility. It seems reasonably possible that, if you were a nasty person, this kind of list would be useful for a dictionary attack. I’d love to be enlightened by an expert on this stuff.
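From the site operator’s side, the worry above is a logging problem: a failed login is an event worth recording, but the rejected password must never be part of the record. The following Python example is added here and is not code from the original post; the credential store, the usernames and the passwords in it are constructed for the demo. It contrasts a login handler that writes the rejected pair verbatim into its audit log (the behaviour the post speculates about) with one that records only the username and a reason, and adds a simple audit check that scans a log for submitted secrets.

```python
import hashlib
import hmac

# Constructed demo credential store (not from the post): username -> PBKDF2 hash.
# A real deployment would use a per-user random salt; one fixed salt keeps the demo short.
_SALT = b"constructed-demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS = {"alice": _hash("correct horse battery")}


def _verify(username: str, password: str) -> bool:
    """Constant-time comparison; the hash is computed even for unknown users
    so response timing does not reveal which usernames exist."""
    stored = USERS.get(username)
    candidate = _hash(password)
    return stored is not None and hmac.compare_digest(stored, candidate)


def careless_login(username: str, password: str, audit_log: list) -> bool:
    """Rejects bad credentials but records the submitted pair verbatim.

    This is the pattern the post worries about: every password a hurried
    user guesses ends up stored on the server."""
    ok = _verify(username, password)
    if not ok:
        audit_log.append(f"login failed user={username} password={password}")
    return ok


def careful_login(username: str, password: str, audit_log: list) -> bool:
    """Same check; the failure record never contains the submitted secret."""
    ok = _verify(username, password)
    if not ok:
        audit_log.append(f"login failed user={username} reason=bad_credentials")
    return ok


def leaked_secrets(audit_log: list, submitted_passwords: list) -> list:
    """Coarse audit check: return every submitted password that appears
    verbatim anywhere in the log lines. A substring match is deliberately
    broad, so very short passwords can produce false positives."""
    return [p for p in submitted_passwords if any(p in line for line in audit_log)]


if __name__ == "__main__":
    # Constructed scenario: a user tries two passwords that belong to other accounts.
    tried = ["my-email-pw", "my-vpn-pw"]
    for handler in (careless_login, careful_login):
        log = []
        for pw in tried:
            handler("alice", pw, log)
        print(handler.__name__, "leaked:", leaked_secrets(log, tried))
```

The same leak happens far more often by accident than by design: a debug setting that logs whole request bodies, or an exception handler that dumps form parameters, will capture rejected passwords just as effectively as the careless handler above. Running a check like `leaked_secrets` against application logs in a test environment, with known test passwords as the needles, is a cheap way to catch either case.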

Password security seems to be primarily a human problem… I’m no expert, but I’m really intrigued to read more about this.
