Related story: For some weird reason, I memorized the serial key for a very popular software (I must be fifteen then). Even today, I can recite the 25-letter key without a hitch. And I have used its first ten letters as a password to one of my accounts. Guess what? The password has been used 4000+ times before [1]. It's hard to digest the fact that there are at least a thousand people in the world who did the same thing.

[1]: https://haveibeenpwned.com/Passwords

Word of warning, if you use an ad/content blocker like uBlock Origin, and block 3rd-party JS, then HIBP may give up on its k-anonymity mechanism and just sends your password to their server in cleartext.

Ensure you specifically permit loading jQuery from cloudflare.com, and check network traffic using a test password first.

I'm still impressed by the number of technical people that are willing to give you their passwords by a way or another, a common way being when they are offered to check if his password has been leaked.

Once a friend shared with me one of those services, he got surprised when I raised my concern about compromising his password, he took a second to check the developer tools to see if there was any request including his password, there wasn't, so he called me crazy (it's well known that malicious sites behave differently on certain conditions, one is having the developer tools opened).

Anyway, I suppose that this blind trust is what makes phishing attacks so effective.

> it's well known that malicious sites behave differently on certain conditions, one is having the developer tools opened

I had always wondered if they do, and I've known it's possible, but this is the first time I've heard any accounts of it. Would you have more info on this?

As someone who has worked on scraping sites that really didn't want to be scraped, there is all kinds of interference with dev tools in the wild.

There are many ways to detect it's open (eg. https://github.com/sindresorhus/devtools-detect) and it's also possible to mess with it without knowing it's open. A method that's wildly used is firing the debugger break command many times a second, along with other stuff that makes using the tools nearly impossible (slows the browser down to a halt)