Sunday, 2 February 2014

Are You On The Right Domain? - Knowing When It's Safe To Type Your Password

You should only ever type your username and password in when you're on the domain which the account belongs to.  I.e. your Facebook password should only ever be typed when the domain name of the page you're on belongs to  You probably already knew that, but how good are you at telling when you're on that domain and when you're not?  You can take the test below to find out.

Hopefully, given that you probably use passwords on the internet, you already know how to work out what the domain is.  But for a lot of us (myself included), this wasn't part of the curriculum at school, so if you're unsure then here are the instructions.  You might want to skip straight to the test and just come back to this afterwards if you don't score 100%.

1. After the initial http://, find the first slash and discard everything after it.
2. Find the last dot before the .com (or, .net, or whatever the ending is) and discard everything before it.
3. What's left is the domain.

The Test... Type Away, Or Run Away?

For this test we'll pretend that you've got an account on the site  For each of these URLs you must decide whether or not you are on the domain   Do you merrily type away and enter your password, or run away?


And here are the answers:
  1. Yep, that's a subdomain of www on the domain  Type away.
  2. Again that's fine.  This is the "naked" domain without the www subdomain.  Type away.
  3. Yep, that's a subdomain www2, still on  Type away.
  4. Nope, that's, not to be confused with  Run away.
  5. Yep, that's a subdomain of http-www on  An odd URL, but it still belongs to
  6. Nope, that domain is, with a subdomain of www.wobble.  Run away.
  7. Nope, that domain is, with a subdomain of  Weird.  Run away.
  8. Nope, that domain is with a subdomain of http-www.wobble.  And is not necessarily anything to do with  Run away.  More about strange top-level domains below.
  9. Yep, that's, with a 2-level subdomain of  Add odd choice for a subdomain, so I would definitely raise an eyebrow, but technically it does belong to
  10. Nope, that's a domain of login.html, with a 3-level subdomain of  Again more about odd top-level domains below.
  11. Yep, that's fine.  You can ignore everything after the /, so the www.login.php is part of the URL path, not part of the domain.
  12. Nope, that's, very different to  Note the difference between the digit 1 and the letter l.  Be careful.  I admit that I've deliberately put the URLs in a font which makes these 2 characters hard to distinguish, but I wanted to ram home the point that you should read what's in your browser's address bar very carefully.
  13. Nope, that's  Not necessarily anything to do with

So how did you do?  Well actually, the test was a trick.  The answer is that you shouldn't have typed your password in on any of those URLs, because none of them have https:// at the beginning, meaning that your connection to the server is not secure and the password you type could be read by eavesdroppers when you submit the form.  In fact, without https you don't actually know that you're looking at the right domain, as someone could be intercepting the traffic and serving you totally different pages to the real ones.

The Bottom Line

  • The right domain.
  • HTTPS.

If in doubt then open a new tab and type the address yourself.


A domain name consists of a global top-level domain (gTLD) and then one or more child subdomains with the dot character (period/full stop) being what separates each subdomain.  The gTLD is the end part of the domain, most commonly .com, .net, .biz or .org.  Each country also has its own gTLD, e.g. .fr, .de, or .uk.  In some countries, such as the UK, this domain is itself divided into a few subdomains such as,, and  Domains under or are then available for sale to the public, whereas and are reserved for the government and educational establishments respectively.

When a member of the public buys a or domain name they buy the level underneath, e.g.,  They then control this domain, which means that if they want to add further subdomains they can, so they could add, or even several levels of subdomain like  All of these subdomains are controlled by the owner of, so you know that any domain under is in their control.

In general, if you trust a domain, then you are safe to trust any subdomains underneath it.  For example, if you have an account with, then it's safe to type your password on

In some situations the owner of a domain will give control of subdomains to its users, a good example of which is this blog.  I don't own, but when I created my blog on Blogger I was given the ability to create pages on  In most of these situations though, you will find that there is never a log in page on the parent domain.  E.g. there is no log in page on; when you log into Blogger you log in on  For this reason it's worth being aware of the domain which you create your account on, and making sure that you only ever type your password in on that domain in the future.

New Global Top-Level Domains

Until recently there was a fairly limited set of global top-level domains, which consisted mostly of .com, .org, .net, .biz, one for each country, and a few others.  But this list is now being expanded, with private individuals being allowed to purchase their own global top level domain, such as .pepsi.  So instead of, they can now have www.pepsi.

This is why I included a couple of strange-looking gTLDs in my list of domains.  Just to make you aware of the fact that domain names won't necessarily end in familiar-looking .com or .org anymore.

Why WWW?

Traditionally, most websites serve their web traffic on a subdomain of www..  Bear in mind that most web servers will also be dealing with email traffic and potentially other things, so people like you visiting with your web browser are just part of what the site is handling.  For this reason it's customary to serve "normal" web traffic on www., and to deal with other things on other subdomains such as mail. or ftp..  Some sites, such as Twitter, serve their web traffic on the naked domain of and don't use a www subdomain.  There's nothing special about www though, zzz would work just as well.

More fun and games soon...

1 comment:

  1. This comment has been removed by a blog administrator.