While eating my dinner and watching the news, I was struck by how the recent phishing attack against major email providers was a major news story. I was not struck because I thought it shouldn’t be major news, far from it. I was struck because the media normally never gets this stuff right!!
Last week I released some of the statistics from a project we worked on earlier in the year that revealed 92% of people use the same password for their email as they do for other sites. One of the more interesting stats was actually from the follow-up survey, where almost a third of Hotmail users believed their accounts had in the past been hacked.
Over the weekend many of them were, along with Yahoo and Gmail accounts, and the emails and passwords were published. They are easy to find on the internet with a few well-chosen Google searches.
This led me to a great way to promote my message of “change your password”.
Password Searching Service
My idea is to create a small app that lets people search to see if their email has been compromised. The application asks for their email and, for security (and double opt-in for possible future mailing), requires they log in and confirm their email address when they click the link. The system searches using a couple of Google searches for possible passwords and retrieves any it thinks are passwords associated with the user. It then displays these, along with some randomly generated passwords, on the screen.
The system will never know if it got the password right (the biggest issue with it), but it would provide the user with extra confidence. Regardless, the page would also leave a message telling them to change their password. If the system returns no results, it tells them so but suggests changing their password to be on the safe side.
The question is: would such a system be legal?
Expanded: the reason I ask is that, while the passwords are floating on the web, to extract the user's potential password the system would have to access and parse the contents, which are “stolen”. Of course, the quick way to do this would be to store the lot, but that's a quick way to a cell, I would think.