If I enter a password on the wrong site, should I consider it compromised?

Just to play the devil's advocate...

You are as likely to be compromised as if you were using the same password on both sites*.

As most people have pointed out, you probably don't have to worry. Not so much because a website cannot tell the difference between a good or wrong password but rather because most websites that you will visit will likely not log your password. The reason is simply that it provides no value to them. Most websites are there to do legitimate business and hence see no value in being malicious by recording every password entered.

Still, if I had evil intentions and wanted to gather many possible passwords, hosting a service online to gather passwords would probably be a better alternative than trying to brute force every possible combination. Catching all passwords, even bad ones, is not a bad idea if you are hosting that kind of "service". Users that have multiple passwords are very likely to enter the wrong passwords on the wrong site, hence logging bad attempts as well as good attempts is a good attack plan.

For example, consider this quote from https://howsecureismypassword.net/:

This site could be stealing your password… it's not, but it easily could be.
Be careful where you type your password.

It puts things in perspective. Also, is such an evil "service" so unlikely? It's hard to say, but for sure it's nothing new: https://xkcd.com/792/

Note*: Well, I did say "as likely" but it's not exactly true. By using the same password on many sites you are not only vulnerable to malicious sites but also to the incompetence of site owners. Many websites still store your password in plaintext in their database or use weak hashing, which means that if an attacker is able to steal their database your password is compromised.


You're probably fine - there is no particular distinction between a wrong password for the right site and a right password for the wrong site. Even if there was, the site which received the wrong password wouldn't know what site it was supposed to be used on.

And that is before considering that it would be uncommon to log passwords for failed login attempts.

No harm in changing it, but unless you use the name of the other site as the password, it seems unlikely that anyone could make use of the information.


While I imagine most sane web developers wouldn't log cleartext versions of failed password attempts, it's still possible. If you want to be on the safe side you can consider it compromised and reset that password; however, I personally wouldn't really consider it an issue unless I felt beyond reasonable doubt that the first site could potentially present a risk to me.
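
The practice the answers describe, as an added example that is not part of any answer above: a login handler that records failed attempts without the submitted password and stores only a salted, slow hash rather than plaintext. The user store, function names, iteration count, sample passwords and IP addresses are assumptions constructed for this illustration.

```python
import hashlib
import hmac
import logging
import os

log = logging.getLogger("auth_demo")
USERS = {}            # constructed in-memory store: username -> (salt, derived key)
ITERATIONS = 200_000  # illustrative work factor (assumption), tune for your hardware

class ListHandler(logging.Handler):
    """Collects log messages so the demo can inspect exactly what was recorded."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(record.getMessage())

def kdf(password, salt):
    # Salted, deliberately slow derivation: a stolen table does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(username, password):
    salt = os.urandom(16)
    USERS[username] = (salt, kdf(password, salt))

def login(username, password, source_ip):
    salt, stored = USERS.get(username, (b"\x00" * 16, None))
    candidate = kdf(password, salt)  # computed even for unknown users
    ok = stored is not None and hmac.compare_digest(candidate, stored)
    # Record who, from where and the outcome; the submitted password is never logged,
    # so a password typed on the wrong site does not end up in this site's logs.
    log.info("login user=%r ip=%s result=%s", username, source_ip, "ok" if ok else "fail")
    return ok

def demo():
    handler = ListHandler()
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    register("alice", "correct horse battery staple")  # constructed sample data
    results = [
        login("alice", "correct horse battery staple", "203.0.113.7"),
        login("alice", "password-for-another-site", "203.0.113.7"),
        login("nobody", "hunter2", "203.0.113.9"),
    ]
    log.removeHandler(handler)
    return results, handler.lines

if __name__ == "__main__":
    print(demo())
```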