One thing I’ve been doing recently is removing my membership of a load of websites that I don’t seem to have used in a long time. One side effect of not using a website in a long time is that I forget the password I created for the account, so I get to see how the website handles failed login attempts. Often, quite a few times :-(.
Now, some of these sites – and I’ve been notifying the owners as I go – give you a different failure message depending on whether it was your password or your e-mail address that you got wrong. This is, to quote the twitterverse, made of fail. It means these websites can be used to automatically generate lists of the members’ e-mail addresses, which are useful to spammers, to phishers (remember that the list is based on being a member of a particular site, so it’s easy to target the phish at that site) and even for later trying to compromise accounts on that site. I’d really avoid being a member of any site whose login page worked like that, and try to get them to change their error messages.