Beware Twitter “password check” sites – there are fakes, and there are fake fakes!

After a widely publicised hack or data breach, you’ll often find “password check” sites springing up.

Some of them are legitimate, asking only for your email address and checking it against a list of known data dumps.

→ Dumps are the files that typically circulate on the Underweb after a hack, containing as much or as little personally identifiable information (PII) as the thief cares to share; legitimate password check sites collect these to build a list of probably-hacked email addresses.

But other “password check” sites are as bogus as they sound on the surface.

They ask you to type in your login details, either into a clone of a regular site’s login page, or into a nicely-worded “you can trust us, honest, guv” page of their own.

That sounds like phishing, doesn’t it?

And the reason it sounds like phishing is that it IS phishing!

So, if you don’t know how to recognise legitimate password check sites, assume that they are all bogus, and simply stay away.

Having said that, here’s a password check site which has a sense of humour, as well as teaching a handy lesson.

In the aftermath of the recent Associated Press Twitter hack, and of the Twitter attacks claimed by SEA, the Syrian Electronic Army, it’s not surprising to see a site named ismytwitterpasswordsecure dot com.

It was created by New York-based web developer Alastair Coote, and it looks fairly straightforward:

You ought to spot the satirical comments that give you a hint that this is not your ordinary password checker, such as the warning that the recent AP hack was able to:

compel dozens of blogs to write breathless posts about the future of online journalism.

You wouldn’t type a real password or even a user name in there, would you?

You wouldn’t log in to Twitter from a cloned login form on a completely different site, as should be obvious from the address bar, would you?

Who knows where your password will end up, except that it will probably be somewhere bad?

So, if you start to enter anything at all on this web page, you get Coote’s unreconstructed warning:

Do you see "twitter.com" in the address bar? No, you don't. Don't ever type your login and password to Twitter on a site that isn't twitter.com. Same with Facebook. And LinkedIn. I guess what I'm trying to say here is, don't be an idiot.

Short, sweet, and clear.

  • Don’t click login links in emails.
  • Check the address bar.
  • And watch out for the HTTPS (secure HTTP) padlock in the address bar whenever you are entering PII of any sort, from passwords to account numbers. (The padlock tells you the connection is encrypted to whoever owns the site in the address bar; it does not tell you that site is the one you meant, so check the name first.)
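As an added example that is not part of the original post or of Coote’s site, here is the “check the address bar” advice written out as a small JavaScript function. It parses an address the way the browser does and accepts a login page only when the scheme is HTTPS and the host is the expected site (or a subdomain of it). The point it makes beyond the list above is that “twitter.com appears in the bar” is not enough: the name can sit in the path, in the user-info part before an @, or as a prefix of a longer lookalike domain. The function names and the sample addresses are constructed for this example.

```javascript
// Added example (not from the original post): a strict address-bar check.
// It parses the URL with the same WHATWG rules a browser uses and accepts a
// login page only when the scheme is https and the host is the expected site
// (or a subdomain of it). Function names and sample URLs are assumptions.

function isGenuineLoginOrigin(urlString, expectedHost = "twitter.com") {
  let url;
  try {
    url = new URL(urlString); // same parsing rules as the browser's address bar
  } catch (e) {
    return false; // unparseable input is never a trusted login page
  }
  // HTTPS only: the padlock the article tells you to look for
  if (url.protocol !== "https:") return false;
  // url.hostname is lowercased and IDNA-encoded by the parser, so a
  // homoglyph domain never compares equal to the ASCII expected host.
  const host = url.hostname;
  return host === expectedHost || host.endsWith("." + expectedHost);
}

// Constructed sample addresses, covering the usual tricks for getting the
// string "twitter.com" to show up somewhere in the bar.
const SAMPLE_URLS = [
  "https://twitter.com/login",              // genuine
  "https://mobile.twitter.com/login",       // genuine subdomain
  "https://TWITTER.COM/login",              // genuine, hostnames are case-insensitive
  "http://twitter.com/login",               // no HTTPS
  "https://twitter.com.example.net/login",  // lookalike: the real domain is example.net
  "https://example.net/twitter.com/login",  // site name in the path, not the host
  "https://twitter.com@example.net/login",  // site name in the user-info part, not the host
  "https://twıtter.com/login",              // dotless-i homoglyph
  "not a url at all",
];

// Label each sample address so the reader can see which tricks the check catches.
function classify(urls, expectedHost = "twitter.com") {
  return urls.map((u) => ({ url: u, genuine: isGenuineLoginOrigin(u, expectedHost) }));
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  for (const r of classify(SAMPLE_URLS)) {
    console.log((r.genuine ? "GENUINE " : "SUSPECT ") + r.url);
  }
}
```

Run it with `node` and only the first three addresses are reported as genuine. Note that the subdomain rule is a policy choice: it accepts mobile.twitter.com because the registrable domain is still twitter.com, while twitter.com.example.net is rejected because its registrable domain is example.net, however convincing the prefix looks.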

Nicely done, Mr Coote: a fake fake site!