Date: 2022-08-08

Whether it’s John Wick or The Count of Monte Cristo, we all love a good revenge story. Right now, my current favorite is a wholesome nerdy tale told by Troy Hunt.

You likely already know Hunt as the force behind Have I Been Pwned, an invaluable security resource for us normies on the internet. The website tells you if your email address or phone number has been found in data breaches, and if you’re so inclined, lets you register for notifications should your info become exposed later on.

But he also documents his various side projects. His latest: Dishing a little return pain to spammers for stealing time from him. The punishment involves sending them to what he calls “password purgatory.”

Using a concoction that blends Microsoft Power Automate and Cloudflare tools, Hunt lures spammers into thinking they’ve found an easy mark. All they have to do is go to a simple registration form on his website, create a username and password, and then profit off the sweet, easy website links. Except…he’s just toying with them.

Almost makes a person want to pretend to be a spammer just to see how ludicrous the password requirements get. Troy Hunt / troyhunt.com

The goal? To see how long those who take the bait endure the increasingly hilarious password requirements. He’s also being kind enough to share the results with the rest of us for our amusement. I like to think of these as a software engineer’s version of those glitter bomb videos on YouTube—the ones where porch pirates are subjected to a shocking, unexpected explosion of glitter after stealing the package.

It’s satisfying. And entertaining.

You can check out the full details of how Hunt spun together this wonderfully evil form of purgatory in his blog post—which includes a link to a GitHub repository with all the code he used. If you’re so inclined, you too can put spammers through the wringer.