Looking at the code, I see that you use Javascript to fake that effect, turning off the display of some items and turning on the display of the password. It’s all down within the same page, and there’s no server access. Cool!

This is a perfect example of Phase A then. Thank you.

You also have neatly moved your key Javascript into a separate file (n.js), which would be perfect for swapping with nastiness occasionally when (errr… I mean if) you turn from good to evil, and implement Phase B.

…
function doIdiot(){
…
return false ; }

The submit eventually returns false so nothing is submitted to me.

I forgot to say that you should try with a made up account – anything works.

Cool. Your site is much like Phase A, except there is no evidence that you aren’t collecting names and passwords for your own devious Phase B reasons. You even know the application that the passwords are for, so it would be easy to use them.

[To be clear, I am not accusing you of actually collecting passwords; I am just saying that from a security professional's perspective, you would have to assume that any password entered on a site similar to yours to be compromised.]

My original plan for Phase A was to be able to clearly demonstrate, with hind-sight, that the Mock Phish site was not really harvesting the passwords. My realisation was that it would be very hard to prove that satisfactorily; it is too easy to come up with complicated skull-duggery.