Structure and Interpretation of Computer Programmers

I make it easier and faster for you to write high-quality software.

Thursday, January 1, 2009

Quick antispam observation

One thing I’ve been doing recently is removing my membership of a load of websites that I don’t seem to have used in a long time. One side effect of not using a website in a long time is that I forget the password I created for the account, so I get to see how the website handles failed login attempts. Often, quite a few times :-(.

Now, some of these sites (and I’ve been notifying the owners as I go) give you a different failure message depending on whether it was the password or the e-mail address that was wrong. This is, to quote the twitterverse, made of fail. It means these websites can be used to automatically generate lists of the members’ e-mail addresses: submit a candidate address with any old password and the message tells you whether that address has an account. Such a list is useful to spammers, to phishers (the list is based on being a member of a particular site, so it’s easy to target the phish at that site) and even for later trying to compromise accounts on that site, since the attacker now only has to guess passwords for addresses known to be valid. The fix is one generic message (“invalid e-mail address or password”) for both cases, and ideally the same amount of work on both paths so that response time doesn’t give the answer away instead; the password-reset and registration forms deserve the same treatment, as they answer the same question. I’d really avoid being a member of any site whose login page worked like that, and try to get them to change their error messages.
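To make the point concrete, here is an added example (my own illustration, not code from the post or from any of the sites mentioned) of a leaky login handler beside a hardened one, plus the few lines a spammer would need to turn the leaky version into a membership list. The user database, e-mail addresses and passwords are constructed for the example; the PBKDF2 iteration count is kept low so it runs quickly.

```python
import hashlib
import hmac
import os

# Constructed sample "membership database": e-mail -> (salt, PBKDF2 hash).
# Iteration count is deliberately low for the example; use far more in production.
ITERATIONS = 10_000

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

_SALT = b"\x00" * 16  # fixed salt only so the example is deterministic; use os.urandom per user
USERS = {
    "alice@example.com": (_SALT, _hash_password("correct horse", _SALT)),
    "bob@example.com": (_SALT, _hash_password("battery staple", _SALT)),
}

# A hash of a random password nobody has. Verifying against it costs the same
# as a real verification, so the unknown-address path takes as long as the
# known-address path and timing does not leak membership either.
_DUMMY_HASH = _hash_password(os.urandom(16).hex(), _SALT)

def login_leaky(email: str, password: str) -> str:
    """The pattern the post complains about: the failure message says whether
    the address belongs to a member."""
    record = USERS.get(email)
    if record is None:
        return "No account with that e-mail address"
    salt, stored = record
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return "OK"
    return "Incorrect password"

def login_fixed(email: str, password: str) -> str:
    """One generic message for both failures, and the same work on both paths."""
    record = USERS.get(email)
    if record is None:
        known = False
        salt, stored = _SALT, _DUMMY_HASH  # still do a full hash so timing matches
    else:
        known = True
        salt, stored = record
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    if known and ok:
        return "OK"
    return "Invalid e-mail address or password"

def enumerate_members(candidates, login) -> list:
    """What a spammer's script does: probe each candidate address with a junk
    password and keep the ones whose failure message differs from that of an
    address known not to exist. Against login_fixed this yields nothing."""
    baseline = login("definitely-not-a-member@invalid.example", "junk")
    return [e for e in candidates if login(e, "junk") != baseline]

if __name__ == "__main__":
    probes = ["alice@example.com", "nobody@example.com", "bob@example.com"]
    print("leaky site reveals:", enumerate_members(probes, login_leaky))
    print("fixed site reveals:", enumerate_members(probes, login_fixed))
```

The enumeration loop is the whole attack: one request per candidate address, no password knowledge needed, and the candidate list can be any harvested address dump. Note that `login_fixed` keeps the hashing step even when the address is unknown; returning early on the lookup miss would hand the same information back through the response time.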

posted by Graham Lee at 12:12  

2 Comments »

  1. Happy New Year Graham,

    time for a New Year’s Resolution: keep track of all the passwords to the sites that you subscribe to.

    There are plenty of tools around now to help with this.

    Comment by Anonymous — 2009-01-01 @ 13:13

  2. Thanks Martin, happy new year to you too :-). I already do have a password manager (based on one of the keychains on one of my computers), but some of these sites I haven’t used in so long they pre-date that management system. For instance, I’ve had to remove myself from some undergrad sites. However, I believe we’re covering 1password at the next OxMUG meeting.

    Comment by Graham Lee — 2009-01-01 @ 14:29
