Monday, March 31, 2014


Sometimes I will visit a web site that I haven't been to in a while--a site that requires a log-in, and that I know I once registered for but I'm not sure what I used for my password. So what do I do when I visit? I cycle through my standard list of passwords until I find the one that works for the site.

It occurs to me this would be a great way to phish for passwords. If the site keeps telling me that it recognizes my username, but not the password I just entered, I will eventually tell the site every password I can ever remember using. That way someone can get all of my passwords and steal my identity. Surely others have thought of this before (everyone else already knows about this one, right?). Maybe they're phishing right now. Maybe all my accounts are already compromised. Maybe I'm not really upyernoz.