Websites Do Collect your Failed Passwords for security purposes and as common practice.
But just because someone owns a website doesn’t make them trustworthy.
There is a good reason NOT to make your passwords the same on all your accounts. As a website owner, I have learned that it’s common practice for security plug-ins to collect “wrong passwords”. Have you ever forgotten your password and punched in all the passwords you have used since the dawn of man to try to guess the right one? Well, I have. Until recently, that is. When I was filling out the options boxes for my website’s security plugin, I was shocked when it asked me if I wanted to collect failed passwords on all my subscribers. I was surprised at first because of the implications.
Obviously, the failed passwords could be used for unsavory reasons that you can just imagine. The reason that security companies legitimately collect failed passwords is so they know when to trigger the brute force attack safety features to protect our websites. If the failed password is one of your old passwords, or the phrase is off by just a digit or two, then the security feature knows that it’s you and not a bot, meaning a cyber-bot trying to attack your website.
But if one were to collect those passwords and attach them to your accounts, it would be an easy way to rob a person of all their hard-earned income.
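A site can get the brute-force signal described above without keeping readable failed passwords at all. The sketch below is an added example, not code from any plugin mentioned here; the names `FailedLoginTracker`, `record_failure` and the sample account are hypothetical. It checks a failed attempt against the account's old password hashes and otherwise stores only a keyed fingerprint of the guess.

```python
import hashlib
import hmac
import os

def hash_password(password: str, salt: bytes) -> bytes:
    # Slow salted hash, the form in which current and previous passwords are stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class FailedLoginTracker:
    """Counts distinct wrong guesses per account without keeping their plaintext."""

    def __init__(self, max_distinct_guesses: int = 5):
        self.key = os.urandom(32)      # server-side secret; fingerprints are useless without it
        self.max_distinct = max_distinct_guesses
        self.guesses = {}              # username -> set of HMAC fingerprints

    def _fingerprint(self, username: str, attempt: str) -> bytes:
        msg = username.encode() + b"\x00" + attempt.encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def record_failure(self, username: str, attempt: str, old_hashes) -> str:
        """Classify one failed login. old_hashes is a list of (salt, hash) pairs."""
        for salt, stored in old_hashes:
            if hmac.compare_digest(hash_password(attempt, salt), stored):
                return "old-password"  # classification only; access is still denied
        seen = self.guesses.setdefault(username, set())
        seen.add(self._fingerprint(username, attempt))  # a repeated typo counts once
        return "locked" if len(seen) >= self.max_distinct else "counted"

def demo():
    # Constructed sample data: one account with one previous password.
    salt = os.urandom(16)
    old_hashes = [(salt, hash_password("Summer2019!", salt))]
    tracker = FailedLoginTracker(max_distinct_guesses=3)
    attempts = ["Summer2019!", "letmein", "letmein", "123456", "qwerty"]
    return [tracker.record_failure("alice", a, old_hashes) for a in attempts]

if __name__ == "__main__":
    print(demo())
```

An old password leaked from another site matches the history check too, so that result should only change how the failure is classified, never grant access or reset the counter.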
Brute force attacks are when a hacker sends a bot to try to log in to the administrative end of the website. The bot will try password after password until the system is exhausted of its resources and the hacker can easily enter. Once the hacker can log in under the “admin” user name, then the hacker can go deep into the database and hide files that leave an open door for them to enter any time by a simple log in or sneaky back-door. Then they can collect all of your subscribers’ passwords and failed passwords for themselves. Or they can put any other action into motion to exploit your website and its e-mails.
Cyber attacks really piss me off! I was recently attacked by brute force. The only thing that stopped the hits on my login was a plugin called “force field”. Limit login attempts was no help. I even blocked the IP address and still no help. It was like the bot attached itself to my login and it wasn’t gonna stop till it found my password.
If you do start a free WordPress website, make sure you don’t leave your user-name as the default “admin”. That’s what they try first. And second, don’t make it “adm1n”; that’s the second most common user name for WordPress sites. Both of these are a security risk.
So change your passwords often and use high-security phrases, not words from the dictionary. Make each account a different phrase and keep them tucked away somewhere safe.