While eating my dinner and watching the news I was struck by how the recent phishing attack against major email providers was a major news story. I was not struck because I thought it shouldn't be major news, far from it. I was struck because the media normally never gets this stuff right!
Last week I released some of the statistics from a project we worked on earlier in the year, which revealed that 92% of people use the same password for their email as they do for other sites. One of the more interesting stats came from the follow-up survey, where almost a third of Hotmail users believed their accounts had been hacked in the past.
Over the weekend many of them were, along with Yahoo and Gmail accounts, and the emails and passwords were published. They are easy to find on the internet with a few well-chosen Google searches.
This led me to a great way to promote my message: change your password.
Password Searching Service
My idea is to create a small app that lets people search to see if their email has been compromised. The application asks for their email and, for security (and as a double opt-in for a possible future mailing), requires them to log in and confirm their email address by clicking a link. The system then runs a couple of Google searches for possible passwords, retrieves any it thinks are passwords associated with the user, and displays these along with some randomly generated passwords on the screen.
The system will never know if it got the password right (the biggest issue with it), but it would give the user extra confidence. Regardless, the page would also leave a message telling them to change their password. If the system returns no results it tells them so, but suggests changing the password to be on the safe side.
The question is: would such a system be legal?
To expand, the reason I ask is that while the passwords are floating around on the web, extracting a user's potential password would mean the system has to access and parse content that is "stolen". Of course the quick way to do this would be to store the lot, but that's a quick way to a cell, I would think.
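The sketch below is an added example, not code from the original post: it implements the lookup service described above in the safer form a commenter suggests further down (return only whether the address appears in a list, never the password). The dump text and addresses are constructed, and the keyed-hash index and the regex are my assumptions about how one would avoid retaining any password while processing a leaked list.

```python
import hashlib
import hmac
import re
import secrets
import string

# Constructed sample of a leaked "email:password" dump (fake values).
SAMPLE_DUMP = """\
alice@example.com:hunter2
bob@example.net:letmein
# junk line the parser must skip
carol@example.org:Passw0rd!
"""

# Assumption: a server-side secret, so the stored digests cannot be matched
# against a plain list of addresses by anyone who obtains the index.
INDEX_KEY = secrets.token_bytes(32)

# Assumed line format: address, colon, password (everything after the colon).
LINE_RE = re.compile(r"^\s*([^:\s@]+@[^:\s@]+\.[^:\s@]+)\s*:(.*)$")


def email_digest(email: str, key: bytes = INDEX_KEY) -> str:
    """Normalise the address and return a keyed SHA-256 digest of it."""
    norm = email.strip().lower()
    return hmac.new(key, norm.encode(), hashlib.sha256).hexdigest()


def build_index(dump_text: str, key: bytes = INDEX_KEY) -> set[str]:
    """Stream the dump and keep only a digest per address; passwords are discarded."""
    index = set()
    for line in dump_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: ignore rather than guess
        index.add(email_digest(m.group(1), key))  # group(2), the password, is never stored
    return index


def is_compromised(email: str, index: set[str], key: bytes = INDEX_KEY) -> bool:
    """Membership check on the confirmed (opted-in) address only."""
    return email_digest(email, key) in index


def suggest_password(length: int = 16) -> str:
    """Random replacement password drawn from a CSPRNG, as the post proposes showing."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def lookup_message(email: str, index: set[str], key: bytes = INDEX_KEY) -> str:
    """The two outcomes described in the post: found, or not found but change it anyway."""
    if is_compromised(email, index, key):
        return "Your address appears in a published list. Change your password now. Suggested: " + suggest_password()
    return "No match found, but change your password anyway to be on the safe side."
```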
I don’t think it would be illegal because it would be an opt in service with registration. But, more importantly, I don’t think it would work. Most folks that pass around hacked email/passwords don’t do it publicly. They mostly stay on their IRC channels or closed news groups. I think the big area where you might have some luck would be a few of the forums, but like I said not many divulge their data on there, just talk about it.
Actually doing the rounds on the web and on many websites right now are tens of thousands of passwords got in the latest phishing attempt,
http://news.bbc.co.uk/1/hi/technology/8292928.stm
It took about 2 minutes and only a smidgeon of logical thinking to find a dozen or so sites with the passwords and being indexed in part by Google.
The issue which I should have put up is that to “find the user's specific password” the app would need to open and read the page containing the passwords and extract data.
Since the data is “stolen” you would in effect be an accessory to the theft; even linking to it is a grey area, as you may remember from the TVLinks site's problem.
I personally think it would be a cool idea Tim, although depending on how long it takes to make, people may have rectified the situation by the time the tool comes out?
I’m pretty sure it would be legal, just put a handy T&C in there to be safe
- Glen
Problem is the service would knowingly be opening and reading “stolen” passwords, and there would be no way to not open and read other people's passwords while processing the HTML file. So while you might have the permission of one person, you don't have it from the rest.
Do you need to search the passwords at all? If there’s a list of emails and passwords, then just return whether the email is in the list.
I can’t see that being on the wrong side of the law.
But would you trust a service that just returned the data you provided?
I think for it to work and to shock people into doing something it needs to return the password, or something the user didn't give you. Though you would still need to read the list, so you would still have the same problem.
Unless you simply return positive every time and never read the list, of course.
The issue is less with what data is returned and more with reading the data in the first place.