77

I have recently started to make use of a password manager and good password practices. I have a different password for each site that I use.

If I accidentally use the password from another site when logging in to a webpage, should I consider the password compromised and change it?

E.g.

  • If my password for www.example.com was passwordOne
  • And my password for www.ejemplo.com was contraseñaUno
  • And I accidentally try to log into www.example.com with password contraseñaUno

Would I need to update the password for www.ejemplo.com?

I can see a similar but different question here, but that relates to the password being entered into the username field.

JonnyWizz
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/31641/discussion-on-question-by-jonnywizz-if-i-enter-a-password-on-the-wrong-site-sho). – Rory Alsop Nov 16 '15 at 12:12

10 Answers

50

Just to play the devil's advocate...

You are as likely to be compromised as if you were using the same password on both sites*.

As most people have pointed out, you probably don't have to worry. Not so much because a website cannot tell the difference between a good or wrong password but rather because most websites that you will visit will likely not log your password. The reason is simply that it provides no value to them. Most websites are there to do legitimate business and hence see no value in being malicious by recording every password entered.

Still, if I had evil intentions and wanted to gather many possible passwords, hosting a service online to gather passwords would probably be a better alternative than trying to brute force every possible combination. Catching all passwords, even bad ones, is not a bad idea if you are hosting that kind of "service". Users that have multiple passwords are very likely to enter the wrong password on the wrong site, hence logging bad attempts as well as good attempts is a good attack plan.

For example consider this quote from https://howsecureismypassword.net/

This site could be stealing your password… it's not, but it easily could be.
Be careful where you type your password.

It puts things in perspective. Also, is such an evil "service" so unlikely? It's hard to say but for sure it's nothing new: https://xkcd.com/792/

Note*: Well, I did say "as likely" but it's not exactly true. By using the same password on many sites you are not only vulnerable to malicious sites but also to the incompetence of site owners. Many websites still store your password in plaintext in their database or use weak hashing, which means that if an attacker is able to steal their database your password is compromised.

grg
Gudradain
  • This is a good point - and the reason why the reputable breach checking websites don't ask for passwords. Instead, they ask for email addresses, and check if they have turned up in data breaches. A password without a corresponding account identifier should be pretty much useless, except as an entry in a long list of "potential passwords". – Matthew Nov 12 '15 at 16:39
  • 3
    @Matthew Well, most sites ask for an email address as a username. The user will be reusing that same address on every site. So, once the attacker got a username/password combo he just has to try a few common sites like facebook, google, stackoverflow, etc. – Gudradain Nov 12 '15 at 16:45
  • This would apply to a malicious site, which isn't the situation mentioned. There is no attacker in this case – Matthew Nov 12 '15 at 20:21
  • 5
    @Matthew He never said if the site is malicious or not. For all we know, any site we don't control could be malicious. – PyRulez Nov 12 '15 at 20:44
  • 6
    Surely not "as likely". When you use the same password, your password (or a hash) is sure to be saved on site1 and site2. A hacker who gets the database, can try to recover your password. With just a password attempt, chances are much much greater the password used for the attempt itself is not logged. – Konerak Nov 13 '15 at 09:01
  • @Konerak: Only incompetents and malicious guys save the login-password, cleartext or encrypted, as a properly salted hash is sufficient for the purpose and cannot feasibly be reversed. And whether the site is honest or not, it could be compromised, whether using social engineering (bad employees or black-mail, including the legal kind), physical access or hacking. – Deduplicator Nov 13 '15 at 11:35
  • Deduplicator: I agree. You just strengthen my argument. – Konerak Nov 13 '15 at 11:51
  • @Konerak I agree. Edited the answer to take this into account. – Gudradain Nov 13 '15 at 14:11
37

You're probably fine - there is no particular distinction between a wrong password for the right site and a right password for the wrong site. Even if there was, the site which received the wrong password wouldn't know what site it was supposed to be used on.

And that is before considering that it would be uncommon to log passwords for failed login attempts.

No harm in changing it, but unless you use the name of the other site as the password, it seems unlikely that anyone could make use of the information.

Matthew
  • 4
    Also if the username (email) used is the same, it becomes more likely that it could end in a dictionary somewhere. – Mindwin Nov 12 '15 at 18:44
  • 8
    It's very plausible that malicious sites log failed passwords as it's not uncommon at all to write the wrong password on the wrong site when you have many passwords to remember. Also, you seem to vastly overestimate the work needed to find the right service when you already have a possible username/password combo. Just take the 1000 most popular services and you have a pretty good chance to get a successful login. 1000 tries is nothing when you are trying to crack passwords. – Gudradain Nov 12 '15 at 20:05
  • @Gudradain There is a distinction between a malicious site, and an accidentally visited site. A legitimate site which you happen to type the wrong password into is unlikely to log passwords. A malicious site is a different issue – Matthew Nov 12 '15 at 20:10
  • 3
    Because telling which site is malicious and which site is not is very easy. Right? – Gudradain Nov 12 '15 at 20:22
  • @Gudradain In this case, yes. If you type your Facebook password into a Twitter login box, it won't be logged, it won't be used against you. Ditto vice versa. This is not about phishing attacks, where the site is actively trying to obtain details – Matthew Nov 12 '15 at 20:26
  • 1
    @Gudradain OP told he has an account in both sites, he just confused his two passwords... Why would he have an account in a suspicious site? – Mr. E Nov 12 '15 at 20:51
  • 1
    @Mr.E Because, even if it's a site you visit frequently, it's very hard to say if that site doesn't have a side business of cracking password. For all I know, stackoverflow could be logging all my password attempts if they want. – Gudradain Nov 12 '15 at 20:54
  • 21
    @Matthew However we can never know. **Practically** speaking, password logging for failed attempts are almost never an issue. However **realistically** speaking, there's no guarantee. Back in 2008, I was contracted to do some dev work on a vBulletin-powered forum with several million users. During the upgrade to several modules, I happened to find that one of the php scripts had a different timestamp than everything else. That's when I found out that every login attempt was being logged for at least 6 months, and nobody knew about it. Shit happens. –  Nov 12 '15 at 21:06
  • Even if the site-owners are pretty good guys, why depend on their security being spotless? And why depend on them being honest more than necessary? They might cooperate with whoever silently for any reason they deem sufficient, like laws. – Deduplicator Nov 13 '15 at 11:28
  • @Gudradain I think this is not in the scope of the question. How do we know OP doesn't have a keylogger? Is his password manager vulnerable? There are millions of possibilities, would you recommend changing your password each time you use it just because the website could be storing it? I think not... – Mr. E Nov 13 '15 at 12:27
26

While I imagine most sane web developers wouldn't log cleartext versions of failed password attempts, it's still possible. If you want to be on the safe side you can consider it compromised and reset that password; however, I personally wouldn't really consider it an issue unless I felt beyond reasonable doubt that the first site could potentially present a risk to me.

d0nut
  • 3
    I'm not sane, I am just too lazy, though I have considered it. – TheHidden Nov 12 '15 at 16:37
  • 2
    My question would be, "With programs like lastpass making it so easy to change your password, why NOT change it?" At the very least, it will give you peace of mind, and that's worth a LOT. – Rick Chatham Nov 12 '15 at 19:36
  • If you have lastpass then yea might as well go change it but I didn't make the assumption that they did. The general gist of what I was saying is this: *If you are actually worried, change it, otherwise if you don't have reason to suspect anything of the website you accidentally spilled the beans to (i.e. google) then you should be fine.* – d0nut Nov 12 '15 at 20:21
  • 1
    Why "cleartext versions"? Even if it's reversible-encrypted, the malevolent site owner or hacker who can reverse it has the pass. – Konerak Nov 13 '15 at 08:59
  • 1
    @Konerak Normally you don't encrypt passwords. You hash them which is not a reversible process. – d0nut Nov 13 '15 at 14:20
  • @iismathwizard, yes, hence the "even". You SHOULD hash them, but this answer said "logging cleartext is a vulnerability". I wanted to add "even logging encrypted is". – Konerak Nov 17 '15 at 07:50
  • @Konerak where did I say that? – d0nut Nov 17 '15 at 14:24
19

The only case in which I would change this password is if the site it secures is substantially more important to you than the site you typed it into.

For an example, there are people in the world who have access to systems that nation-state actors would be interested in. If those people were to type their important password into some other site, they should change it immediately.

kd8azz
  • 2
    I think this is a good hard and fast rule for the situation. – d0nut Nov 12 '15 at 15:47
  • 13
    I wonder what would happen if someone acted as a "honeypot user", supplying a different bogus password to each of a large number of sites and then watching for attempts to use those passwords at some particular site? If someone generates a random string and uses it as a password to acme.example.com, but doesn't distribute it anywhere else, and there is subsequently an effort to use that string to log in to one of that person's accounts, that would seem to imply someone at acme.example.com leaked it. If acme.example.com is supposed to be secure, such behavior could give them a black eye. – supercat Nov 12 '15 at 18:08
  • 1
    @supercat: Yes. But that means you need to log which wrong passwords were used, for at least one popular service you use, at least for your own account. Meaning you have to set it up with the owners. Quite difficult to organize, and might warn the bad guys, depending on who they are... Still, a nice idea. – Deduplicator Nov 13 '15 at 11:39
  • 2
    @Deduplicator: The idea would be that the owner of one of the services would create the honeypot and thus be in a position to watch for one of the evil passwords (not by logging all passwords, but rather via mechanism which is set to only record specific wrong passwords on a specific user). – supercat Nov 13 '15 at 14:06
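The "honeypot user" mechanism supercat sketches in the comments above, as an added Python example that is not part of the original thread. The cooperating site keeps, for one of its own users, the hashes of a few bogus passwords that user deliberately typed into other sites, each labelled with where it was planted; a failed login whose password matches one of them is an alert rather than an ordinary wrong password, and no plaintext attempt is ever stored. The hashing scheme (stdlib PBKDF2 standing in for bcrypt), the site names and every username and password are assumptions constructed for the demo.

```python
# Added example (not from the original thread): a per-user canary-password
# watchlist, i.e. supercat's honeypot-user idea implemented on the server
# side. Only hashes are kept, so the site can recognise the specific canaries
# it was told about for one user without logging any failed attempts.
import hashlib
import hmac
import os
from typing import Optional


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (stdlib stand-in for bcrypt/argon2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class CanaryWatchlist:
    """username -> list of (hashed bogus password, site it was planted at)."""

    def __init__(self) -> None:
        self._salt = os.urandom(16)   # one salt for all canaries is enough here
        self._canaries = {}

    def plant(self, username: str, bogus_password: str, planted_at: str) -> None:
        digest = hash_password(bogus_password, self._salt)
        self._canaries.setdefault(username, []).append((digest, planted_at))

    def match(self, username: str, attempted_password: str) -> Optional[str]:
        """Return the site a replayed canary was planted at, or None."""
        attempt = hash_password(attempted_password, self._salt)
        for digest, planted_at in self._canaries.get(username, []):
            if hmac.compare_digest(attempt, digest):
                return planted_at
        return None


def login(users: dict, watchlist: CanaryWatchlist, username: str,
          password: str, alerts: list) -> bool:
    """Ordinary password check; a failed attempt is compared against the
    user's canaries and, on a hit, an alert is appended to `alerts`."""
    record = users.get(username)
    if record is not None and hmac.compare_digest(
            hash_password(password, record["salt"]), record["hash"]):
        return True
    planted_at = watchlist.match(username, password)
    if planted_at is not None:
        alerts.append(f"{username}: canary planted at {planted_at} was replayed here")
    return False


def demo():
    """Constructed scenario: alice registers her real password here and plants
    a different bogus one at each of two other sites; someone later replays
    the acme.example.com canary against her account on this site."""
    salt = os.urandom(16)
    users = {"alice": {"salt": salt, "hash": hash_password("correct horse", salt)}}
    watchlist = CanaryWatchlist()
    watchlist.plant("alice", "Kx7!canary-acme", "acme.example.com")
    watchlist.plant("alice", "Qp2!canary-ejemplo", "www.ejemplo.com")
    alerts = []
    outcomes = [
        login(users, watchlist, "alice", "correct horse", alerts),    # genuine login
        login(users, watchlist, "alice", "correct hoarse", alerts),   # ordinary typo, no alert
        login(users, watchlist, "alice", "Kx7!canary-acme", alerts),  # replayed canary
    ]
    return outcomes, alerts


if __name__ == "__main__":
    print(demo())
```

The watchlist only fires for the user who registered the canaries and only for those exact strings, which is what makes it acceptable on an otherwise honest site: an ordinary mistyped password is hashed, compared and forgotten, exactly as before. A hit tells you which of the other sites leaked the string, but not how (rogue admin, breach, or honest logging of failed attempts), so treat it as a lead for the site owner, not proof of malice.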
9

Treat the password as compromised. Nobody can assure you that

  • the site has no rogue sysadmins.
  • the site has hashed or encrypted passwords.
  • they lack SQL-injection vulnerabilities that allow data to be retrieved, including usernames/emails/passwords.
  • anyone accessing this data will dare to test intrusion in several other sites and you will be so unlucky that they will hit that very one.

As long as there exists the slim possibility that any or all of the above are true, you have a compromised password.

As a rule of thumb, password gone, is password void. Change it and sleep.

Another different story is whether you actually want to waste your time changing a password that protects nothing (i.e. an empty blog, a useless email account, ...) or your bank account.

null_pointer
7

The term "compromised" isn't a binary yes or no. It's a concept measuring who has access to an account, and how much their goals may contrast with yours.

In this case, assume anybody who might have had access to logins on www.example.com now has your password. This includes anyone who has hacked www.example.com and any employees whom www.example.com's leadership would trust with enough access to harvest passwords from users (maybe a handful of DBAs).

That's all the data. Go from there. If you used a password used to safeguard classified information on a forum, you should treat it as compromised immediately, because that level of exposure is unacceptable for such a privileged account. If you used one forum's password on another, probably not the biggest deal.

In the middle, you might consider the case where you used your bank account password on a forum. That's a grey area that depends entirely on your personal threat model.

Cort Ammon
7
  • If the site (well, person behind it) is malicious, then it will add the failed password to the list of things it knows about you, and will certainly consider the tactic of trying it on every other account it knows about. As such, you should consider it compromised.

  • If the site is incompetent, then it might somehow leak your failed password. But if it does this, it will also be leaking a lot of slight typos of its own passwords, which is really rather serious for them. So it has to be really rather incompetent.

  • If the site is basically normal then you're fine, it won't keep any record of failed passwords (or successful ones, for that matter, other than the hashed and salted record).

Note that sites which themselves have been compromised can reasonably be considered malicious.

So, you need to consider the balance between the risk that they're very malicious or very incompetent or very hacked, and the associated cost of the password being compromised, against the cost to you of changing that password.

If you fear that the risk might be significant, then change the password. This is usually very easy when using a password manager, it's not like you have to learn the new one. However, your effort is very likely unnecessary, since most websites are "basically normal" most of the time.

You should also think carefully about what led to the mistake. The fact that you entered your credentials into the "wrong site" is an understandable mistake, but make sure you aren't systematically failing to properly verify the identity of sites before entering credentials, or else you're vulnerable there.

Steve Jessop
2

If you have entered the password of website A into website B,

Consider a few aspects: How trusted is Web B? Is Web B a renowned corporation complying with market standards? Are the contents of Web A really vulnerable? Is there any way to guess from the password which website it belongs to?

If you are confused on any of these questions, just change it.

You will never know whether the web manager/sysadmin is storing the password as raw text or decodable encryption on the server, or securing it by one-way hashing.

1

Was the site where you typed the wrong password facebook.com ?

http://www.businessinsider.com/how-mark-zuckerberg-hacked-into-the-harvard-crimson-2010-3

Mark used his site, TheFacebook.com, to look up members of the site who identified themselves as members of the Crimson. Then he examined a log of failed logins to see if any of the Crimson members had ever entered an incorrect password into TheFacebook.com. In the cases in which they had entered failed logins, Mark tried to use them to access the Crimson members' Harvard email accounts. He successfully accessed two of them.

  • You'd probably be better off presenting this as an example of how an incorrectly input password could result in it being compromised...then it would be a clear answer in the context of the original question. – R15 Nov 16 '15 at 10:15
0

Let's equip our Legendary [Tinfoil Hat].


Can websites log my passwords?

Let's assume the website did their hashing correctly. When you log into a website, they are able to take your plaintext password and compare it to the stored hash. If the password matches the stored hash in the database, it will allow you to authenticate. If not, it will inform you that your password is invalid.

So what?

Well, it so happens that anyone with a modicum of programming knowledge could log invalid passwords by adding a new line to an authentication method for any kind of website... even if it's a popular, open-source web portal, forum, or any kind of package. As long as the source can be modified, one can change anything they want, like so:

private void CheckPasswordBeforeHackingMyAOLCD(string input, string username)
{
    // Honest half: validate the inputs and compare the attempt against the stored bcrypt hash.
    if (IsValid(input) && IsValid(username) && Bcrypt.TestHash(input, Database.GetHashForUser(username)))
    {
        AuthenticateMyFace();
    }
    else
    {
        // Malicious half: the failed attempt is stored in plaintext before the user is told it was wrong.
        Database.LogFailedAttemptDetailsWithParametersBecauseSQLInjectionSucks(username, input);
        InformUserThatTheirPasswordDoesntWorkButDontTellThemWhatWereReallyDoing();
    }
}

In fact, a programmer could do this before hashing for everything having to do with passwords. There's nothing stopping anyone from doing it.


Risk Management

Here are some questions to consider:

  1. Do you care about the integrity of either account?
  2. Is the same email in use in both accounts?
  3. Do you use the same password for both the email and website(s) in question (I hope not)?

If yes to 1-3, I would recommend changing your password. Unless you just don't care.

Now that we've shown this is possible on every front, should you be afraid of such an attack? I wouldn't worry about it. If you are worried, then you should probably use something like KeePass to manage website credentials so you legitimately don't have to worry.

Mark Buffalo
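The two halves of the risk the last two answers describe, as an added Python example that is not code from either answer: the single extra line in a failure branch that turns an otherwise correct login handler into a harvester of wrong passwords (Mark Buffalo's snippet), and how such a log is mined the way the Crimson story describes, by finding users who also hold an account on a second service and trying their failed attempts there. The hashing scheme (stdlib PBKDF2 standing in for bcrypt), the two sites and every username, password and log entry are assumptions constructed for the demo.

```python
# Added example (not from the original answers): an honest password check,
# the same check with one harvesting line added to its failure branch, and
# the cross-site replay that makes the harvested log valuable. Everything
# below is constructed sample data; nothing talks to a real service.
import hashlib
import hmac
import os


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (stdlib stand-in for bcrypt/argon2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user_db(credentials: dict) -> dict:
    """Build a properly salted-and-hashed user table from plaintext creds."""
    db = {}
    for username, password in credentials.items():
        salt = os.urandom(16)
        db[username] = (salt, hash_password(password, salt))
    return db


def verify(db: dict, username: str, password: str) -> bool:
    """The honest check: hash the attempt and compare in constant time."""
    record = db.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def login_harvesting(db: dict, failed_log: list, username: str, password: str) -> bool:
    """verify() plus the one extra line the answer above warns about:
    the plaintext of every failed attempt is kept, the user sees only
    the usual "wrong password" response."""
    if verify(db, username, password):
        return True
    failed_log.append((username, password))   # the harvesting line
    return False


def replay_failed_attempts(other_db: dict, failed_log: list) -> list:
    """Mine the harvested log Crimson-style: for users who also hold an
    account on the other service (same e-mail as username), try each
    recorded wrong password there and return the pairs that work."""
    hits = []
    for username, password in failed_log:
        if username in other_db and verify(other_db, username, password):
            hits.append((username, password))
    return hits


def demo():
    """Constructed scenario from the question: alice uses passwordOne on one
    site and contraseñaUno on the other, and types the latter into the former
    by mistake; bob merely mistypes his own password on the harvesting site."""
    example_com = make_user_db({"alice@mail.test": "passwordOne",
                                "bob@mail.test": "hunter2"})
    ejemplo_com = make_user_db({"alice@mail.test": "contraseñaUno",
                                "carol@mail.test": "another-secret"})
    failed_log = []
    login_harvesting(example_com, failed_log, "alice@mail.test", "contraseñaUno")  # wrong site
    login_harvesting(example_com, failed_log, "bob@mail.test", "hunter3")          # plain typo
    login_harvesting(example_com, failed_log, "alice@mail.test", "passwordOne")    # success, not logged
    hits = replay_failed_attempts(ejemplo_com, failed_log)
    return failed_log, hits


if __name__ == "__main__":
    print(demo())
```

Two things the run makes concrete. First, the harvesting site's own password storage is perfectly sound; the leak is in the failure branch, which no hashing scheme protects, so "they use bcrypt" says nothing about whether wrong attempts are kept. Second, the log is only useful in combination with an account identifier that is reused elsewhere, which is why the same e-mail address as username on every site is what turns a stray wrong password into a working credential.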