How to recognise a genuine password request