In HTML5, both the <html> and <body> tags are completely optional, as are their closing tags. Since there's no other content on this "page", you don't need to close the header either, so you could replace everything with:
The title tag is required, though (unless you’re in an iframe), and an h1 tag must be closed (unlike, e.g., paragraph and list item tags). So your minimal page looks like:
The world's most inane objection: If you force the validator to HTML5 mode (as in the first and second links), then you don't need to declare a DOCTYPE, a savings of 16 bytes. Not that you would ever do that for a real document, since it's a dumb idea.
It'd be cool if they added an option to subscribe for $10/year for a quick SMS and email notification if your account is compromised. I'd get it for myself and my family.
"Here is the password I use for potentially important information, and here is the email and phone number that would likely be associated with that password. Let me know when your database gets hacked so that way I can change my password and we can do this exercise again."
You don't need to give them your password or phone number, just the email address associated with your account(s). Adding a phone number would be optional.
What he means is this: you subscribe by telling the site your email. Then, if they ever find your email in one of the publicly released documents, then they will notify you by email.
The OP comment was: "It'd be cool if they added an option to subscribe for $10/year for a quick SMS and email notification if your account is compromised. I'd get it for myself and my family."
To enable this - you are giving your email, password, Payment details and Cell Phone number.
The site as it stands today doesn't ask for any of this -- but if they were to take payments and do SMS notification they would.
If we decided to do notifications I would expect users to not re-use passwords from other sites. I would also expect that such a service would require a trusted security brand behind it to work.
Thanks for the idea! Over the weekend me and a buddy launched a service that does exactly this. You can see it at www.hacknotifier.com - we'd love any feedback you have.
My first thought was that this would have fields for me to enter my email address and password, under the pretense of "we will test your password to see if it's secure". Wonder how many people you could get with that...
> Wonder how many people you could get with that...
From the lighttpd logs, 842 POST requests for 1834 GET requests from distinct IP addresses (and 1424/5896 overall), but we don't keep logs so I can't know what people submitted, I guess a good part of it is random typing and not really their password.
BTW, the fun is also (if not mainly) in the Terms and Conditions ;-).
Terrible interface. I entered "password" and it told me "It looks like your passwords may be safe. No instances of compromise are recorded in this database. However, it's good practice to change your critical passwords regularly and ensure they are not re-used across multiple sites."
Why did I not enter an e-mail address like the light text in the input box says? Well, I let myself be misled by the header image.
You know it clearly says to enter your email address in the input field, right? Of course "password" hasn't shown up in the database…it's not an email address.
It's not clear at all. The only indication that you should provide your email is that placeholder, which on my monitor is barely visible. The name and information are very misleading. Seriously, I think many people will enter their passwords there (at least the type of people who don't know they shouldn't provide passwords anywhere).
It's true, a small number of people enter their passwords. The site has been updated with a quick check to prevent such behaviour. Thanks for the feedback.
Am I the only one that feels uncomfortable with these kinds of sites?
Anyway, I tried "abc124" and received: "It looks like your passwords may be safe. No instances of compromise are recorded in this database. However, it's good practice to change your critical passwords regularly and ensure they are not re-used across multiple sites."
Well, if it was actually safe to do, a password tester would be smart for a lot of people.
You might think that the phone number of that cute girl in that movie combined with her initials is a safe password, but if you check out some of the password lists that have popped up the last year you'll see that a lot of people thought the same way.
Has anyone published stats on some of the password lists that have been released lately? I'd like to know if they still conform to some of the old 'rules' about common passwords and the like. How many are just words with a single digit at the end, how many include no digits. What percentage are dictionary words? What percentage are leet-speak-ified dictionary words, etc.
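One way to compute the statistics the comment asks for (trailing single digit, no digits, dictionary words, leet-speak dictionary words) over a leaked list, as an added example that is not part of the thread or of any site discussed in it; the dictionary and the password sample are constructed here, not real leak data, and a real audit would swap in a proper wordlist:

```python
import re
from collections import Counter

# Constructed dictionary and password sample (not a real leak, not a real wordlist).
DICTIONARY = {"password", "monkey", "dragon", "letmein", "sunshine", "welcome", "football"}
LEAK_SAMPLE = ["password1", "Monkey", "dr4g0n", "letmein", "qwerty", "Sunshine7",
               "x9$Lq!2vR", "dragon", "monkey99", "m0nkey", "Welcome", "football2"]

# Common leet substitutions, reversed (digit/symbol -> letter).
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i",
                          "0": "o", "5": "s", "$": "s", "7": "t"})

CATEGORIES = ("no_digits", "word_plus_one_digit", "dictionary_word", "leet_dictionary_word")


def unleet(pw):
    """Lowercase the password and undo the substitutions in LEET_MAP."""
    return pw.lower().translate(LEET_MAP)


def classify(pw, dictionary=DICTIONARY):
    """Return the set of categories from the comment that one password falls into."""
    cats = set()
    low = pw.lower()
    if not any(c.isdigit() for c in pw):
        cats.add("no_digits")
    # Letters followed by exactly one digit, where the letters form a dictionary word.
    if re.fullmatch(r"[A-Za-z]+\d", pw) and low[:-1] in dictionary:
        cats.add("word_plus_one_digit")
    if low in dictionary:
        cats.add("dictionary_word")
    elif unleet(pw) in dictionary:          # only counts if it is not already a plain word
        cats.add("leet_dictionary_word")
    return cats


def tally(passwords, dictionary=DICTIONARY):
    """Count how many passwords fall into each category (a password may hit several)."""
    counts = Counter({c: 0 for c in CATEGORIES})
    for pw in passwords:
        counts.update(classify(pw, dictionary))
    return counts


def percentages(passwords, dictionary=DICTIONARY):
    """Same tally expressed as a percentage of the list, rounded to one decimal."""
    counts = tally(passwords, dictionary)
    total = len(passwords)
    return {c: round(100.0 * counts[c] / total, 1) for c in CATEGORIES}
```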
my password, HUNTER2, is surely safe. I checked with some IT friends I met on IRC. Whenever I type my password, HUNTER2 - the rest of the world can't see it. So I am not worried.
You're supposed to enter your email address... lol. There's a reason the text box says "Enter email here" and the bottom of the page discusses the "email entered will not be...". Also, it just doesn't make any sense to search by password.
Yes, I would be disturbed if a public site was reversing weak poor choices in hash algorithm and publishing data about the resulting passwords.
However, a "should I change my password site" that takes passwords as an input would be pretty simple, just save the entered password and then say "YES".
I wish I could query using a hash of my email address.
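What a hash-based lookup like the one wished for above could look like, as an added example that is not the code of any site in this thread: the client hashes its normalized address, the server keeps only hashes and names the breach sources it found. Names, the breach sources and the addresses are constructed for illustration.

```python
import hashlib


def normalize_email(email):
    """Trim and lowercase so the same address always yields the same hash."""
    return email.strip().lower()


def email_fingerprint(email):
    """Client side: SHA-256 of the normalized address is all that crosses the wire."""
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()


class BreachIndex:
    """Server side: maps fingerprints to the breach sources they appeared in.

    The operator never needs the plaintext addresses of people who query, which
    removes the 'harvest valid emails for spam' worry. Caveat: an operator holding
    a list of candidate addresses can still hash them and match, so this protects
    against casual collection, not against a determined party.
    """

    def __init__(self, breached_emails):
        self._index = {}
        for source, emails in breached_emails.items():
            for e in emails:
                self._index.setdefault(email_fingerprint(e), set()).add(source)

    def lookup(self, fingerprint):
        """Return the (sorted) breach sources a fingerprint appears in, or []."""
        return sorted(self._index.get(fingerprint, ()))


# Constructed breach sources and addresses, not real leaked data.
SAMPLE_BREACHES = {
    "example-forum-2010": ["Alice@Example.com", "bob@example.org"],
    "example-shop-2011": ["alice@example.com"],
}
INDEX = BreachIndex(SAMPLE_BREACHES)


def check(email):
    """Full exchange: hash locally, send only the hash, get back the source names."""
    return INDEX.lookup(email_fingerprint(email))
```

Returning the source names answers the later objection that a bare "compromised" verdict is useless without knowing which site it came from.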
No matter how much their FAQ says they won't use the email for anything but a "single database query" It's hard to trust anyone. Even if this site is legit (I think they probably are) this would be quite the front for a spammer to collect addresses.
Trust is an issue no doubt and to some extent I wish I had partnered with a big security brand. However, the reality is that you give your email address to various parties all the time, and regardless of how malicious they are, they are rarely secure. Your email is already public, imho.
I guess extreme caution is good. But saying to somebody "Your email, username, and password have been compromised" strikes me as a little sensational.
Granted, the average user doesn't need to know or understand the vagaries of password hashes. But if somebody reads this, they should think "OMFG somebody can login to my email account!" I mean, that's exactly what it says. But there's no legitimate reason to believe that.
Moreover, if you look at MtGox, Google locked every account on that list and forced people to change their passwords. But if you're Joe User looking at this today, are you going to connect the dots enough to see that yes, you WERE in a data leak, but then you changed your password, but this site just didn't know about it and is informing you only of the leak?
There are some leaps that normal users won't make, agreed. It's not an easy problem. Either way I believe that raising awareness in non-techie populations is good.
If you have specific suggestions, I would be happy to discuss them.
I'm not sure that sending the MD5 of your password out over the wide internet is such a great idea. After all, if the bad guys didn't have an easy-to-crack hash of your password yet, you may have just given it to them!
(Yes, I know that sniffing such things is not trivial. Still.)
So why should I trust someone who asks me to type my password into a random site? Just because he/she says they will not save it?
If you've entered your real password(s) there, you've already failed the test.
Also a whois on that ___domain doesn't even return a person's information, some proxied info only (might be scared of law enforcement since he might have the hacked DB data, but even so, if I didn't trust it, I trust it even less now).
Thanks for all the feedback guys, your comments are noted. We're working hard on the next iteration of the website as well as trying to ease general concerns about whether we store passwords etc at this point. Please drop twitter: @dagrz a line if you have a direct question or want to keep up with how we're tracking on the project! Thanks for the discussion all!
If you share your password across different sites: Yes - you should change it to a non-shared password. There are plenty of password managers that can store randomly generated passwords for you. And if you don't like that there's also PwdHash, although this is less secure as someone might be able to compromise your master password.
Yeah, there are way too many lists of 1-5000 email/passwords available on the web. I'm talking thousands if not tens of thousands. It's just too hard to find and add them all. If you find it hard to think about the website as being a comprehensive answer to password problems, think of it as an awareness raiser in the general public. :)
Strangely, the exact moment I received the email from mtgox, gmail told me I have to change the password. I wonder if they had a trigger for that message, or did someone really try to access my account (different password, so very unlikely).
The Gmail team downloaded the database of mtgox user account information that was leaked, matched gmail addresses to gmail accounts, and then proactively notified those Gmail users to change their passwords.
Nice timing then. I was browsing my gmail and at the same time received mtgox notification on my mobile and got locked out on the browser - assumed the notification email was a trigger.
I have a personal ___domain on google apps. The login ID is different than the email address I use/advertise.
e.g. my username for login is first-initial+last-name@[___domain].com
But the email address I use for everything on that account is first-name@[___domain].com
This service states that my account was compromised on 12/12/2010 most recently at the first-name@[___domain].com though you could not login to my account with that email address...
So, how valid is such a check? Also, without it showing what information it is checking against, it feels really spammy, as if they are asking you to enter your email for a "check" knowing that you will enter a valid email, and then they harvest the email as valid for spam.
To me this means that my password is out there, and now a part of someone's dictionary. Change all places where that password is used immediately. I am currently moving to LastPass with randomly generated 16-32 char passwords for every site. It's less of a pain than one might think.
It says it's using the perlmonks.org database, and I _know_ my password was revealed there (thanks to me foolishly reusing it on twitter), but it's not showing that against my email address...
I think the site is referring to some service/site that got hacked recently and that you signed up for with the first-name@[___domain].com email address and not to the email account itself.
Then it makes it COMPLETELY useless information. You know how many thousands of sites I used various email addresses on, clearly everyone else is the same.
It should tell you which sites were compromised such that you can ID if you used your email at any of said sites.
Just saying ambiguously that there was a site which may have been compromised out of the 2 billion sites online is laughable.
I would argue that it's not completely useless as the average person re-uses the same password everywhere. Even if you do it across a small number of sites it could easily start a chain reaction.
In fact, I would say that prompting the average person to change some passwords either way, is a good thing.
No, the google address is a red herring. My non-google account is listed as compromised on the same date due to a Gawker account I had registered. Many google accounts were compromised in other events on other dates.
<html> <body> <h1>YES</h1> </body> </html>