
Should I Change My Password? - jamesjyu
https://shouldichangemypassword.com/
======
bryanalves
Can't this entire site be replaced with:

<html> <body> <h1>YES</h1> </body> </html>

~~~
chops
That's what I half expected the page to be, much like
<http://hasthelargehadroncolliderdestroyedtheworldyet.com>

~~~
yaix
Lol.

And if it does, the page will be updated to "Yes.", right?

~~~
HN_Addict
Close - It will update to "Yup." The source code reads:

    if (!(typeof worldHasEnded == "undefined")) {
        document.write("YUP.");
    } else {
        document.write("NOPE.");
    }

And, it even comes with a warranty:

> <!-- if the lhc actually destroys the earth & this page isn't yet updated
> please email mike@frantic.org to receive a full refund -->

~~~
grimatongueworm
Very Steve Jobs-ish. Yup. Nope.

------
jplewicke
It'd be cool if they added an option to subscribe for $10/year for a quick SMS
and email notification if your account is compromised. I'd get it for myself
and my family.

~~~
josegonzalez
"Here is the password I use for potentially important information, and here is
the email and phone number that would likely be associated with that password.
Let me know when your database gets hacked so that way I can change my
password and we can do this exercise again."

Something like that you mean?

~~~
mjschultz
You don't need to give them your password or phone number, just the email
address associated with your account(s). Adding a phone number would be
optional.

~~~
maratd
You don't get it. If your account shows up in their database, then they'll
have your email + password + phone number + any other data you provided.

~~~
cli
What he means is this: you subscribe by telling the site your email. Then, if
they ever find your email in one of the publicly released documents, then they
will notify you by email.

~~~
stingraycharles
What if your email is the account being compromised?

~~~
dagrz
I guess that's why you might add a mobile number.

------
Scorponok
My first thought was that this would have fields for me to enter my email
address and password, under the pretense of "we will test your password to see
if it's secure". Wonder how many people you could get with that...

~~~
jerf
Implemented (not by me): <http://estatis.coders.fm/password-security-checker/>

------
JeffL
Please tell me I didn't just accidentally give my email to a Spam list.

~~~
simonsarris
I don't know, but you can always try someone else's email if you are curious.

For instance, apparently billg@microsoft.com should change his or her
password, according to the site.

------
aw3c2
Terrible interface. I entered "password" and it told me "It looks like your
passwords may be safe. No instances of compromise are recorded in this
database. However, it's good practice to change your critical passwords
regularly and ensure they are not re-used across multiple sites."

Why did I not enter an e-mail address like the light text in the input box
says? Well, I let myself be misled by the header image.

~~~
mostapha
You know it clearly says to enter your email address in the input field,
right? Of course "password" hasn't shown up in the database…it's not an email
address.

~~~
bigfun
It's not clear at all. The only indication that you should provide your email
is that placeholder, which on my monitor is barely visible. The name and
information are very misleading. Seriously, I think many people will enter
their passwords there (at least those types of people who don't know they
shouldn't provide passwords anywhere).

~~~
dagrz
It's true, a small number of people enter their passwords. The site has been
updated with a quick check to prevent such behaviour. Thanks for the feedback.

------
user9756
Am I the only one that feels uncomfortable with these kind of sites?

Anyway, I tried "abc124" and received: "It looks like your passwords may be
safe. No instances of compromise are recorded in this database. However, it's
good practice to change your critical passwords regularly and ensure they are
not re-used across multiple sites."

~~~
jacobr
How many people would fall for it if it first asked for e-mail, said it was
safe, and then "test your password too?"

~~~
boreacrat
well, if it was actually safe to do, a password tester would be smart for a
lot of people.

you might think that the phone number of that cute girl in that movie combined
with her initials is a safe password, but if you check out some of the
password lists that have popped up in the last year you'll see that a lot of
people thought the same way.

~~~
tseabrooks
Has anyone published stats on some of the password lists that have been
released lately? I'd like to know if they still conform to some of the old
'rules' about common passwords and the like. How many are just words with a
single digit at the end, how many include no digits. What percentage are
dictionary words? What percentage are leet-speak-ified dictionary words, etc.

------
bluehex
I wish I could query using a hash of my email address. No matter how much
their FAQ says they won't use the email for anything but a "single database
query", it's hard to trust anyone. Even if this site is legit (I think they
probably are) this would be quite the front for a spammer to collect
addresses.

~~~
dagrz
Trust is an issue no doubt and to some extent I wish I had partnered with a
big security brand. However, the reality is that _you_ give your email address
to various parties all the time, and regardless of how malicious they are,
they are rarely secure. Your email is already public, imho.

------
VMG
The site should treat @gmail.com and @googlemail.com as equal. I found my
leaked MtGox mail address for one variant but not the other.

~~~
ch0wn
username+randomstring@g[oogle]mail.com should be normalized to
username@gmail.com, as well. I used a custom extension for MtGox that wasn't
found.

That said, really useful service. On the other hand it's sad that we actually
need something like this.

~~~
pavel_lishin
The other way around, too. If I put in "pavel.lishin@gmail.com", it would be
nice if it informed me that
"pavel.lishin+iharvestbitcoinsalldumbday@gmail.com" was compromised.

~~~
spoold
And any variation with periods in the username: spoold@gmail.com ==
s.pool.d@gmail.com == spo.old@googlemail.com
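
The normalisation rules this thread spells out (gmail.com == googlemail.com, dots in the local part ignored, anything after "+" stripped), together with bluehex's wish to query by a hash of the address rather than the address itself, as an added example. This is my own illustration, not the site's code; the breach rows are constructed, and the SHA-256 lookup token and the "gmail.com" canonical domain are my choices.

```python
import hashlib

# Domains Google delivers to the same mailbox (per the thread: VMG, spoold).
GOOGLE_DOMAINS = {"gmail.com", "googlemail.com"}


def normalize_email(address):
    """Canonicalise an address so aliases of one mailbox compare equal.

    For Google-hosted addresses the thread gives three equivalences:
    - @gmail.com and @googlemail.com are one mailbox,
    - dots in the local part are ignored (spoold == s.pool.d),
    - a "+tag" suffix is delivered to the base address (ch0wn, pavel_lishin).
    Other domains only get whitespace trimming and case folding.
    """
    address = address.strip().lower()
    if address.count("@") != 1:
        raise ValueError("not a single-@ address: %r" % address)
    local, domain = address.split("@")
    if domain in GOOGLE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"  # assumed canonical spelling
    return "%s@%s" % (local, domain)


def email_lookup_token(address):
    """SHA-256 of the normalised address, so a client can send a hash instead
    of the raw address (bluehex's suggestion); hypothetical token scheme."""
    return hashlib.sha256(normalize_email(address).encode()).hexdigest()


def build_index(breach_rows):
    """Index breach rows by lookup token -> set of source names."""
    index = {}
    for addr, source in breach_rows:
        index.setdefault(email_lookup_token(addr), set()).add(source)
    return index


def check(index, address):
    """Sorted list of sources the (normalised) address appears in."""
    return sorted(index.get(email_lookup_token(address), ()))


# Constructed sample rows for demonstration only; not real leak data.
SAMPLE_BREACH = [
    ("pavel.lishin+iharvestbitcoinsalldumbday@gmail.com", "mtgox-sample"),
    ("S.Pool.D@googlemail.com", "perlmonks-sample"),
    ("someone@example.org", "other-sample"),
]
```

Hashing only hides the address from a passive observer: the operator can still recover it by hashing candidate addresses, so it narrows but does not remove the trust problem bluehex raises.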

------
encoderer
I guess extreme caution is good. But saying to somebody "Your email, username,
and password have been compromised" strikes me as a little sensational.

Granted, the average user doesn't need to know or understand the vagaries of
password hashes. But if somebody reads this, they should think "OMFG somebody
can login to my email account!" I mean, that's exactly what it says. But
there's no legitimate reason to believe that.

Moreover, if you look at MtGox, Google locked every account on that list and
forced people to change their passwords. But if you're Joe User looking at
this today, are you going to connect the dots enough to see that yes, you WERE
in a data leak, but then you changed your password, but this site just didn't
know about it and is informing you only of the leak?

~~~
dagrz
There are some leaps that normal users won't make, agreed. It's not an easy
problem. Either way I believe that raising awareness in non-techie populations
is good.

If you have specific suggestions, I would be happy to discuss them.

------
knotty66
Find the MD5 of your password and Google that.

Plenty of sites still store an unsalted hash in the database and these are
often compromised.

If your hash turns up in a rainbow table in Google's index, definitely change
it to something more secure (longer, more symbols).

~~~
JoachimSchipper
I'm not sure that sending the MD5 of your password out over the wide internet
is such a great idea. After all, if the bad guys didn't have an easy-to-crack
hash of your password yet, you may have just given it to them!

(Yes, I know that sniffing such things is not trivial. Still.)

~~~
dennisgorelik
Google publicly shares popular queries in the search box.

If you are persistent with testing your password hash you risk making that
hash public.

------
SocratesV
So why should I trust someone who asks me to type my password into a random
site? Just because he/she says they will not save it?

If you've entered your real password(s) there, you've already failed the test.

Also a whois on that domain doesn't even return a person's information, some
proxied info only (might be scared of law enforcement since he might have the
hacked DB data, but even so, if I didn't trust it, I trust it even less now).

~~~
JamieEi
You enter your email address, not your password.

~~~
SocratesV
My bad then.

------
student154
Thanks for all the feedback guys, your comments are noted. We're working hard
on the next iteration of the website as well as trying to ease general
concerns about whether we store passwords etc at this point. Please drop
twitter: @dagrz a line if you have a direct question or want to keep up with
how we're tracking on the project! Thanks for the discussion all!

------
grimatongueworm
As a test, I took one of the email addresses from the list of Arizona law
enforcement addresses that lulzsec just released
(<http://lulzsecurity.com/releases/chinga_la_migra_1.txt>).

ShouldIChange site reports no instances of compromised records in its db.

~~~
dagrz
Yeh, there are way too many lists of 1-5000 email/passwords available on the web.
I'm talking thousands if not tens of thousands. It's just too hard to find and
add them all. If you find it hard to think about the website as being a
comprehensive answer to password problems, think of it as an awareness raiser
in the general public. :)

------
gst
If you share your password across different sites: Yes - you should change it
to a non-shared password. There are plenty of password managers that can store
randomly generated passwords for you. And if you don't like that there's also
PwdHash, although this is less secure as someone might be able to compromise
your master password.

------
viraptor
Strangely, the exact moment I received the email from mtgox, gmail told me I
have to change the password. I wonder if they had a trigger for that message,
or did someone really try to access my account (different password, so very
unlikely).

~~~
blantonl
The Gmail team downloaded the database of mtgox user account information that
was leaked, matched gmail addresses to gmail accounts, and then proactively
notified those Gmail users to change their passwords.

~~~
viraptor
Nice timing then. I was browsing my gmail and at the same time received mtgox
notification on my mobile and got locked out on the browser - assumed the
notification email was a trigger.

------
lostbit
Sources are mentioned in the FAQ and top page:
<https://shouldichangemypassword.com/sources.php>

It's checking the e-mails on those databases.

------
wccrawford
Here, let me save you some time:

If you're asking, then YES. You should change your password.

Edit: I get what this is doing, and it's a neat idea... But the answer is
still always YES if you ask that question.

------
mahyarm
It would be nice if it also did username+.*@gmail.com searches for us who use
the feature to make spam email addresses.

------
mmaunder
Thanks. I think you just saved me some hassle. Pretty sure it was compromised
in the perlmonks hack.

------
hogu
I was confused because I typed "password" into that box and it told me I was
safe.

~~~
espo
That's because you're supposed to enter an email-address, not a password.

------
tintin
I entered the e-mail address of my PS3 account. Apparently my password is
safe...

------
Tyrannosaurs
Bad news for Bill Gates (billg@...) but good news for Steve Jobs (sjobs@...).

------
some1else
If you ask yourself that question, you should change it.

------
kosei
Privacy policy?

------
Kwpolska
Useful, even if I thought I'd see a big-ass "YES" and nothing else.

------
phlux
so, can someone answer this for me?

I have a personal domain on google apps. The login ID is different than the
email address I use/advertise.

e.g. my username for login is first-initial+last-name@[domain].com

But the email address I use for everything on that account is
first-name@[domain].com

This service states that my account was compromised on 12/12/2010 most
recently at the first-name@[domain].com though you could not login to my
account with that email address...

So - how valid is such a check? Also - without it showing _what_ information
it is checking against, it feels really spammy, as if they are asking you to
enter your email for a "check" knowing that you will enter a valid email -
then they harvest the email as valid for spam.

~~~
IgorPartola
It's referencing these sources:
<https://shouldichangemypassword.com/sources.php>

To me this means that my password is out there, and now a part of someone's
dictionary. Change all places where that password is used immediately. I am
currently moving to LastPass with randomly generated 16-32 char passwords for
every site. It's less of a pain than one might think.

~~~
bigiain
Curious...

It says it's using the perlmonks.org database, and I _know_ my password was
revealed there (thanks to me foolishly reusing it on twitter), but it's not
showing that against my email address...

