A way to get people’s passwords (not phishing)

by Abhishek

  1. Create an attractive concept page that looks like yet another “cool app you can’t live without”, e.g. an app to find your “past crush”.
  2. Ask people to sign up with an email address and password up front.
  3. Impose some annoying password rules so that people have to enter a complex password (optional; someone who already has one “strong” password for email or banking tends to reuse exactly that one).
  4. Store those passwords in plain text in your database (or simply email them to yourself).

Voila! Most likely you now have that person’s email address and the very password they use for that email account.

Why do I think so? Well, in most cases people use the same password everywhere because they don’t want to remember multiple passwords.
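Step 4 is also how a careless but honest site ends up leaking its users’ passwords after a breach, which is what makes reuse so dangerous: one dump of plaintext credentials is tried against every other site. As an added example (not code from the original post or from Digicorp), the Python below puts the plaintext table of step 4 beside what non-plaintext storage looks like: a random per-user salt, a slow PBKDF2-HMAC-SHA256 hash, and verification with a constant-time comparison. The two sample users and their shared password are constructed for illustration. Note that server-side hashing protects only against a dump of an honest site’s database; a page built to harvest passwords receives them in plaintext regardless, which is why the user-side habits discussed next matter.

```python
"""Plaintext password storage (step 4 above) beside salted, slow-hashed storage.

Added example; not code from the original post or from Digicorp.
The sign-ups below are constructed for illustration.
"""
import hashlib
import hmac
import os

# Constructed sample sign-ups: two users who reuse the same password.
SIGNUPS = [
    ("alice@example.com", "Tr0ub4dor&3"),
    ("bob@example.com", "Tr0ub4dor&3"),
]

# OWASP (2023) recommends 600,000 iterations for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def store_plaintext(signups):
    """What the scam page does: keep each password exactly as typed.

    A dump of this table hands an attacker ready-to-use credentials, and
    identical passwords are identical in the table, so reuse is obvious.
    """
    return {email: password for email, password in signups}


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Derive a salted PBKDF2-HMAC-SHA256 hash and encode it with its parameters.

    The salt is 16 random bytes per user, so two users with the same password
    get different stored values, and a cracked hash does not unlock the other.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing format: algorithm$iterations$salt$digest (all hex).
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def store_hashed(signups):
    """What an honest site should store instead of step 4: only salted hashes."""
    return {email: hash_password(password) for email, password in signups}


def verify_password(stored, candidate):
    """Re-derive the hash from the stored parameters and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    salt = bytes.fromhex(salt_hex)
    expected = bytes.fromhex(digest_hex)
    actual = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, int(iterations)
    )
    # hmac.compare_digest avoids leaking where the digests first differ.
    return hmac.compare_digest(actual, expected)


def reuse_visible(table):
    """True if a database dump alone reveals that two users share a password."""
    values = list(table.values())
    return len(values) != len(set(values))


if __name__ == "__main__":
    plain = store_plaintext(SIGNUPS)
    hashed = store_hashed(SIGNUPS)
    print("plaintext table reveals reuse:", reuse_visible(plain))
    print("hashed table reveals reuse:   ", reuse_visible(hashed))
    print("alice verifies with right password:",
          verify_password(hashed["alice@example.com"], "Tr0ub4dor&3"))
    print("alice verifies with wrong password:",
          verify_password(hashed["alice@example.com"], "Tr0ub4dor&4"))
```

The iteration count is deliberately large so that each guess against a stolen hash costs the attacker real CPU time; a site that needs lower login latency should prefer a memory-hard function such as Argon2 or scrypt over lowering the count.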

Agree? If yes, keep reading; otherwise move on to the next story! 🙂

So how do we, as users, avoid such a scam? Personally, I keep three different levels of passwords.

  1. Easy — for all the new products I keep trying.
  2. Medium — for new products I try that have complex password rules.
  3. Hard — only for email and bank accounts.

I also use two-factor authentication wherever it is available. I don’t save my passwords in browsers or in password managers; somehow I don’t trust them yet.

What do you think? Would love to hear your arguments and thoughts on this.

I am Abhishek Desai, co-founder of Digicorp and product manager of ReadBoard and BA Apps (we don’t store passwords in plain text! :)).

Since 2004, Digicorp has been helping startups build meaningful and usable software products.