Should I Change My Password? (shouldichangemypassword.com)
155 points by jamesjyu on June 23, 2011 | 100 comments

Can't this entire site be replaced with:

<html> <body> <h1>YES</h1> </body> </html>

In HTML5, both the <html> and <body> tags are completely optional, as are their closing tags. Since there's no other content on this "page", you don't need to close the header either, so you could replace everything with:


The title tag is required, though (unless you’re in an iframe), and an h1 tag must be closed (unlike, e.g., paragraph and list item tags). So your minimal page looks like:

  <!DOCTYPE html>





Dang, apparently so. Guess I was wrong.

The world's most inane objection: If you force the validator to HTML5 mode (as in the first and second links), then you don't need to declare a DOCTYPE, a savings of 16 bytes. Not that you would ever do that for a real document, since it's a dumb idea.

Forcing the validator to HTML5 mode would imply the doctype, wouldn't it, as the only way to force a browser to HTML5 mode is to include a doctype.

That's what I half expected the page to be, much like http://hasthelargehadroncolliderdestroyedtheworldyet.com

And a full refund if the LHC site you linked is wrong too!


And if it does, the page will be updated to "Yes.", right?

Close - It will update to "Yup." The source code reads:

    if (!(typeof worldHasEnded == "undefined")) {
        // body omitted in the comment: this branch displays "Yup."
    } else {
        // body omitted in the comment: this branch displays "Nope."
    }
And, it even comes with a warranty:

> <!-- if the lhc actually destroys the earth & this page isn't yet updated please email mike@frantic.org to receive a full refund -->

Very Steve Jobs-ish. Yup. Nope.

That silly page has a PageRank of 6... and I have spent years trying to get some of mine out of zero!

Which would be a right bugger when you changed them all, went back to the site and found you had to change them again.

You forgot your <blink></blink> tags!

It'd be cool if they added an option to subscribe for $10/year for a quick SMS and email notification if your account is compromised. I'd get it for myself and my family.

"Here is the password I use for potentially important information, and here is the email and phone number that would likely be associated with that password. Let me know when your database gets hacked so that way I can change my password and we can do this exercise again."

Something like that you mean?

You don't need to give them your password or phone number, just the email address associated with your account(s). Adding a phone number would be optional.

You don't get it. If your account shows up in their database, then they'll have your email + password + phone number + any other data you provided.

What he means is this: you subscribe by telling the site your email. Then, if they ever find your email in one of the publicly released documents, they will notify you by email.

What if your email is the account being compromised?

I guess that's why you might add a mobile number.

Huh? You don't need to give them anything except for your email address. They only look for your email address in the compromised databases.

Yes you do if you subscribe for notifications.

I still don't understand. Why?

The OP comment was: "It'd be cool if they added an option to subscribe for $10/year for a quick SMS and email notification if your account is compromised. I'd get it for myself and my family."

To enable this, you are giving your email, password, payment details and cell phone number. The site as it stands today doesn't ask for any of this -- but if they were to take payments and do SMS notification they would.

If we decided to do notifications I would expect users to not re-use passwords from other sites. I would also expect that such a service would require a trusted security brand behind it to work.

Thanks for the idea! Over the weekend me and a buddy launched a service that does exactly this. You can see it at www.hacknotifier.com - we'd love any feedback you have.

Yeah I'd probably buy it. And they'd get bought by Symantec or McAfee if the list gets big enough.

My first thought was that this would have fields for me to enter my email address and password, under the pretense of "we will test your password to see if it's secure". Wonder how many people you could get with that...

> Wonder how many people you could get with that...

From the lighttpd logs, 842 POST requests for 1834 GET requests from distinct IP addresses (and 1424/5896 overall), but we don't keep logs so I can't know what people submitted. I guess a good part of it is random typing and not really their password.

BTW, the fun is also (if not mainly) in the Terms and Conditions ;-).

Oh, and I host it, but the creator is a3_nm.

Please tell me I didn't just accidentally give my email to a Spam list.

I don't know, but you can always try someone else's email if you are curious.

For instance, apparently billg@microsoft.com should change his or her password, according to the site.

Pity that shouldichangemyemail.com doesn't exist yet. :-P

Just in case, I gave it root@localhost

It's not a scam of any sort. Happy to discuss with anyone who has concerns.

Terrible interface. I entered "password" and it told me "It looks like your passwords may be safe. No instances of compromise are recorded in this database. However, it's good practice to change your critical passwords regularly and ensure they are not re-used across multiple sites."

Why did I not enter an e-mail address like the light text in the input box says? Well, I let myself be misled by the header image.

You know it clearly says to enter your email address in the input field, right? Of course "password" hasn't shown up in the database…it's not an email address.

It's not clear at all. The only indication that you should provide your email is that placeholder, which on my monitor is barely visible. The name and information is very misleading. Seriously, I think many people will enter their passwords there (at least those types of people who don't know they shouldn't provide passwords anywhere).

It's true, a small number of people enter their passwords. The site has been updated with a quick check to prevent such behaviour. Thanks for the feedback.

Yes, re-read my last sentence.

I entered "1234" and "123456". Both said my passwords are safe.

I think not!

Am I the only one that feels uncomfortable with these kind of sites?

Anyway, I tried "abc124" and received: "It looks like your passwords may be safe. No instances of compromise are recorded in this database. However, it's good practice to change your critical passwords regularly and ensure they are not re-used across multiple sites."

How many people would fall for it if it first asked for e-mail, said it was safe, and then "test your password too?"

Well, if it was actually safe to do, a password tester would be smart for a lot of people.

You might think that the phone number of that cute girl in that movie combined with her initials is a safe password, but if you check out some of the password lists that have popped up in the last year you'll see that a lot of people thought the same way.

Has anyone published stats on some of the password lists that have been released lately? I'd like to know if they still conform to some of the old 'rules' about common passwords and the like. How many are just words with a single digit at the end, how many include no digits. What percentage are dictionary words? What percentage are leet-speak-ified dictionary words, etc.
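The kind of composition stats the question asks for can be computed with a short audit script. This is an added example, not code from the site or the thread; the wordlist, the leet-speak mapping and the sample password list are all constructed here for illustration.

```python
import re
from collections import Counter

# Constructed sample data, not taken from any real leak.
DICTIONARY = {"password", "monkey", "dragon", "letmein", "hunter", "sunshine"}
# Constructed leet-speak substitutions used to "un-leet" a candidate.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})
SAMPLE_PASSWORDS = [
    "password", "monkey1", "dr4g0n", "letmein", "Sunshine", "hunter2",
    "p@55w0rd", "qwerty", "123456", "abc124",
]


def classify(pw):
    """Return the set of rule labels a single password matches."""
    tags = set()
    lower = pw.lower()
    if not re.search(r"\d", pw):
        tags.add("no_digits")                    # contains no digit at all
    if re.fullmatch(r"[a-z]+\d", lower):
        tags.add("word_plus_digit")              # letters + exactly one digit
    unleet = lower.translate(LEET)
    if lower in DICTIONARY:
        tags.add("dictionary")                   # plain dictionary word
    elif unleet != lower and unleet in DICTIONARY:
        tags.add("leet_dictionary")              # dictionary word in leet-speak
    return tags


def stats(passwords):
    """Map each label to (count, percentage of the list) for a password list."""
    counts = Counter()
    for pw in passwords:
        counts.update(classify(pw))
    total = len(passwords)
    return {tag: (counts[tag], round(100.0 * counts[tag] / total, 1))
            for tag in sorted(counts)}


if __name__ == "__main__":
    for tag, (n, pct) in stats(SAMPLE_PASSWORDS).items():
        print("%-16s %3d  %5.1f%%" % (tag, n, pct))
```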

My password, HUNTER2, is surely safe. I checked with some IT friends I met on IRC. Whenever I type my password, HUNTER2, the rest of the world can't see it. So I am not worried.

Obligatory quote: http://bash.org/?244321

HN replaces passwords with stars too.

Please try it in your replies.

Downvoting? Come on, there is always a delete button.

You're supposed to enter your email address... lol. There's a reason the text box says "Enter email here" and the bottom of the page discusses the "email entered will not be...". Also, it just doesn't make any sense to search by password.

Yes, I would be disturbed if a public site was reversing weak poor choices in hash algorithm and publishing data about the resulting passwords.

However, a "should I change my password site" that takes passwords as an input would be pretty simple, just save the entered password and then say "YES".

Well that's embarrassing. Yes, you're quite right, I read everything except that box and the bottom text (which was just outside of my scroll view).

The only defense I can offer is that the name, introduction and the feedback text (which should at least check for "@") are kind of off or misleading.

Anyway, my fault, I apologize to the web site creator.

I wish I could query using a hash of my email address. No matter how much their FAQ says they won't use the email for anything but a "single database query" It's hard to trust anyone. Even if this site is legit (I think they probably are) this would be quite the front for a spammer to collect addresses.

Trust is an issue no doubt and to some extent I wish I had partnered with a big security brand. However, the reality is that you give your email address to various parties all the time, and regardless of how malicious they are, they are rarely secure. Your email is already public, imho.

The site should treat @gmail.com and @googlemail.com as equal. I found my leaked MtGox mail address for one variant but not the other.

username+randomstring@g[oogle]mail.com should be normalized to username@gmail.com, as well. I used a custom extension for MtGox that wasn't found.

That said, really useful service. On the other hand it's sad that we actually need something like this.

The other way around, too. If I put in "pavel.lishin@gmail.com", it would be nice if it informed me that "pavel.lishin+iharvestbitcoinsalldumbday@gmail.com" was compromised.

And any variation with periods in the username: spoold@gmail.com == s.pool.d@gmail.com == spo.old@googlemail.com

Technically, username+randomstring@* should be normalized to username@* ; plus in email address is part of the standard.
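The normalisation rules this sub-thread converges on (and the later request for username+anything@gmail.com matching) can be put into a lookup key, as in this added example. It is not the site's code; it assumes gmail.com and googlemail.com are the only Google-served domains to fold together, and the leak rows are constructed.

```python
# Domains the thread says should be treated as one mailbox (assumption).
GOOGLE_DOMAINS = {"gmail.com", "googlemail.com"}


def normalize(address):
    """Return the canonical key used to match an address against a leak.

    Rules, all from the thread: lower-case everything; drop a '+tag'
    subaddress for every domain (plus addressing is part of the standard);
    for Google-hosted mail only, ignore dots in the local part and fold
    googlemail.com into gmail.com. Dots are significant elsewhere.
    """
    address = address.strip().lower()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % address)
    local = local.split("+", 1)[0]
    if domain in GOOGLE_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    return local + "@" + domain


def build_index(leaked_addresses):
    """Map canonical key -> every raw variant that appeared in the leak."""
    index = {}
    for raw in leaked_addresses:
        try:
            key = normalize(raw)
        except ValueError:
            continue  # skip junk rows instead of aborting the whole import
        index.setdefault(key, []).append(raw)
    return index


def lookup(address, index):
    """All leaked variants that collapse to the same mailbox as `address`."""
    return index.get(normalize(address), [])


# Constructed sample leak rows, not real data.
LEAKED_SAMPLE = [
    "S.Pool.D+mtgox@googlemail.com",
    "alice+shop@example.org",
    "bob@example.org",
    "garbage-row-without-at",
]

if __name__ == "__main__":
    idx = build_index(LEAKED_SAMPLE)
    for q in ("spoold@gmail.com", "alice@example.org", "b.ob@example.org"):
        print(q, "->", lookup(q, idx))
```

Querying spoold@gmail.com finds the googlemail variant with dots and a +tag, while b.ob@example.org finds nothing because dots are only collapsed for Google domains.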

Or instead of checking by email domains of individual accounts, add an option to search by the domain of the site you are concerned about.

I guess extreme caution is good. But saying to somebody "Your email, username, and password have been compromised" strikes me as a little sensational.

Granted, the average user doesn't need to know or understand the vagaries of password hashes. But if somebody reads this, they should think "OMFG somebody can login to my email account!" I mean, that's exactly what it says. But there's no legitimate reason to believe that.

Moreover, if you look at MtGox, Google locked every account on that list and forced people to change their passwords. But if you're Joe User looking at this today, are you going to connect the dots enough to see that yes, you WERE in a data leak, but then you changed your password, but this site just didn't know about it and is informing you only of the leak?

There are some leaps that normal users won't make, agreed. It's not an easy problem. Either way I believe that raising awareness in non-techie populations is good.

If you have specific suggestions, I would be happy to discuss them.

Find the MD5 of your password and Google that.

Plenty of sites still store an unsalted hash in the database and these are often compromised.

If your hash turns up in a rainbow table in Google's index, definitely change it to something more secure (longer, more symbols).

I'm not sure that sending the MD5 of your password out over the wide internet is such a great idea. After all, if the bad guys didn't have an easy-to-crack hash of your password yet, you may have just given it to them!

(Yes, I know that sniffing such things is not trivial. Still.)

Google publicly shares popular queries in the search box.

If you are persistent with testing your password hash you risk making that hash public.

So why should I trust someone who asks me to type my password into a random site? Just because he/she says they will not save it?

If you've entered your real password(s) there, you've already failed the test.

Also a whois on that domain doesn't even return a person's information, some proxied info only (might be scared of law enforcement since he might have the hacked DB data, but even so, if I didn't trust it, I trust it even less now).

You enter your email address, not your password.

My bad then.

Thanks for all the feedback guys, your comments are noted. We're working hard on the next iteration of the website as well as trying to ease general concerns about whether we store passwords etc at this point. Please drop twitter: @dagrz a line if you have a direct question or want to keep up with how we're tracking on the project! Thanks for the discussion all!

If you share your password across different sites: Yes - you should change it to a non-shared password. There are plenty of password managers that can store randomly generated passwords for you. And if you don't like that there's also PwdHash, although this is less secure as someone might be able to compromise your master password.

As a test, I took one of the email addresses from the list of Arizona law enforcement addresses that lulzsec just released (http://lulzsecurity.com/releases/chinga_la_migra_1.txt).

ShouldIChange site reports no instances of compromised records in its db.

Yeah, there are way too many lists of 1-5000 email/passwords available on the web. I'm talking thousands if not tens of thousands. It's just too hard to find and add them all. If you find it hard to think about the website as being a comprehensive answer to password problems, think of it as an awareness raiser in the general public. :)

EDIT - I just saw the sources page for the ShouldIChange site: https://shouldichangemypassword.com/sources.php

Strangely, the exact moment I received the email from mtgox, gmail told me I have to change the password. I wonder if they had a trigger for that message, or did someone really try to access my account (different password, so very unlikely)

The Gmail team downloaded the database of mtgox user account information that was leaked, matched gmail addresses to gmail accounts, and then proactively notified those Gmail users to change their passwords.

Nice timing then. I was browsing my gmail and at the same time received mtgox notification on my mobile and got locked out on the browser - assumed the notification email was a trigger.

Wow I didn't hear about that. Can you provide a source? EDIT: http://news.ycombinator.com/item?id=2672037

Sources are mentioned in the FAQ and top page: https://shouldichangemypassword.com/sources.php

It's checking the e-mails on those databases.

Here, let me save you some time:

If you're asking, then YES. You should change your password.

Edit: I get what this is doing, and it's a neat idea... But the answer is still always YES if you ask that question.

It would be nice if it also did username+.*@gmail.com searches for us who use the feature to make spam email addresses.

Thanks. I think you just saved me some hassle. Pretty sure it was compromised in the perlmonks hack.

I was confused because I typed "password" into that box and it told me I was safe.

That's because you're supposed to enter an email-address, not a password.

I entered the e-mail address of my PS3 account. Apparently my password is safe...

Bad news for bill gates (billg@...) but good news for Steve Jobs (sjobs@...).

If you ask yourself that question, you should change it.

Privacy policy?

Useful, even if I thought I'd see a big-ass "YES" and nothing else.

So, can someone answer this for me?

I have a personal domain on google apps. The login ID is different than the email address I use/advertise.

e.g. my username for login is first-initial+last-name@[domain].com

But the email address I use for everything on that account is first-name@[domain].com

This service states that my account was compromised on 12/12/2010 most recently at the first-name@[domain].com though you could not login to my account with that email address...

So, how valid is such a check? Also, without it showing what information it is checking against, it feels really spammy, as if they are asking you to enter your email for a "check" knowing that you will enter a valid email, then they harvest the email as valid for spam.

It's referencing these sources: https://shouldichangemypassword.com/sources.php

To me this means that my password is out there, and now a part of someone's dictionary. Change all places where that password is used immediately. I am currently moving to LastPass with randomly generated 16-32 char passwords for every site. It's less of a pain than one might think.


It says it's using the perlmonks.org database, and I _know_ my password was revealed there (thanks to me foolishly reusing it on twitter), but it's not showing that against my email address...

I think the site is referring to some service/site that got hacked recently and that you signed up for with the first-name@[domain].com email address and not to the email account itself.

Then it makes it COMPLETELY useless information. You know how many thousands of sites I used various email addresses on, clearly everyone else is the same.

It should tell you which sites were compromised such that you can ID if you used your email at any of said sites.

Just saying ambiguously that there was a site which may have been compromised out of the 2 billion sites online is laughable.

I would argue that it's not completely useless as the average person re-uses the same password everywhere. Even if you do it across a small number of sites it could easily start a chain reaction.

In fact, I would say that prompting the average person to change some passwords either way, is a good thing.

When in doubt, change your password. Then change it again.

I got the exact same date for my gApps-hosted domain. Odd.

That's the date of the Gawker hack.

So any Google-served address is marked as vulnerable because of the Gawker hack?

No, the google address is a red herring. My non-google account is listed as compromised on the same date due to a Gawker account I had registered. Many google accounts were compromised in other events on other dates.

My mistake. I thought my Gawker account was on another address, but a quick search shows I got the hint.io mail on 12/13.
