Changing 40+ Passwords: Thanks Heartbleed

Following the Heartbleed revelations, the security advice from the great and good was to change all passwords. To support World Password Day, I changed over 40 of them – quite an interesting exercise. Alarmingly, it appears I am still vulnerable.

To tell the story of why I am still vulnerable, this blog is split into three parts:

  1. How I changed 40+ passwords – each unique, the short-cut I found, and a suggestion for the future to make it easier next time.
  2. A set of annoying things I found doing it, and finally…
  3. The alarming finding next time I logged on…

In the first part of this blog series, I look at the process of changing and remembering 40+ passwords.

I expected it to take time; I expected it to be annoying; I did not anticipate it being quite as hard as it was.

How can I remember 40+ new unique passwords?

Solution: I didn’t try.

Following advice from various web sites I took the opportunity to implement a password manager (I won’t say which one; I already give hackers far too much detail about me in this blog series).

In most cases, I chose to use a randomly generated password. The exception is when I use the site regularly from an iPad app, so really needed to be able to remember and type the password. This is a relatively small subset of sites.

For these sites I used a password pattern with something to remind me about the site embedded in the pattern. For example, LinkedIn is my business social media tool, so the characters b, s and m are embedded into a common password somewhere. Not fool-proof as by knowing one password you can start to guess the others, but sufficient to prevent automated attacks.
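The trade-off described above, as an added example that is not part of the original post: it generates unique random passwords with Python's `secrets` module and measures how much one patterned password gives away about another. The base string, the reminder letters other than b, s, m, and all function names are constructed for illustration.

```python
import secrets
import string
from difflib import SequenceMatcher

SYMBOLS = "!#$%&*+-=?@_"
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS]
ALPHABET = "".join(CLASSES)

def generate_password(length=20):
    """Random password from the OS CSPRNG, containing every character class."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw

def patterned_password(base, reminder, pos=4):
    """Pattern scheme from the post: site reminder letters embedded in a common base."""
    return base[:pos] + reminder + base[pos:]

def shared_fraction(a, b):
    """Similarity of two passwords, 0.0 (nothing shared) to 1.0 (identical)."""
    return SequenceMatcher(None, a, b, autojunk=False).ratio()

def worst_case_overlap(passwords):
    """Highest pairwise similarity: what one leaked password reveals about another."""
    pws = list(passwords)
    return max(shared_fraction(a, b)
               for i, a in enumerate(pws) for b in pws[i + 1:])

# Constructed sample data: a made-up base and made-up reminder codes.
BASE = "Qv7-harbor-Zt"
REMINDERS = {"linkedin": "bsm", "news-site": "dnp", "bookshop": "obk"}

def compare_schemes():
    """Return (patterned overlap, generated overlap) for the sample sites."""
    patterned = [patterned_password(BASE, r) for r in REMINDERS.values()]
    generated = [generate_password() for _ in REMINDERS]
    return worst_case_overlap(patterned), worst_case_overlap(generated)

if __name__ == "__main__":
    p, g = compare_schemes()
    print(f"patterned passwords share up to {p:.0%} of their characters")
    print(f"generated passwords share up to {g:.0%} of their characters")
```

The patterned set stays above 80% similar because only the three reminder letters change, which is why two-factor authentication on those sites matters.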

In addition, where possible I implemented two-factor authentication or two-step verification. 10 sites in total. So, even if you guess my password pattern, and figure out my reminder code, you still need the second factor.

Finally, as I am now using a password manager, I also took the opportunity to remove any stored passwords in the browser, and configure the browser to stop remembering them in future – one less vulnerability.

Changing Process.

The process would seem simple.

  • Log on to a site
  • Locate the change password screen
  • Store the new password in the password manager
  • Job done.

Remembering the logon to the site was not easy. Different user names, unique passwords – an issue I discussed in the blog “Logging on is becoming too hard to do securely”.

Having logged on, finding the password change screen was more challenging than I anticipated, almost as if the web site designer thought this was not an important function and it should be hidden away. I found a quick solution. Don’t try to log on. Don’t try to locate the hidden-away screen. From the logon page simply hit the “Forgotten Password” button. Enter your email address and off you go. THIS WAS A HUGE TIME SAVER.

A few sites were annoying (and more secure?) – they wanted extra details before sending me a reset, like account number or postcode. Not sure what to think about that – but it does bring home how critical access to your primary email account is. Get that, and the attacker can reset all my passwords.

Summary advice.

From experience I can recommend

  1. Implement a password manager
  2. Use generated, random, passwords – unique to each site
  3. Use the password reset mechanism, don’t try to log on – takes too long.
  4. Take extra security measures to protect the email your password reset emails are sent to.

Recommendation for the future.

Wouldn’t it be great if next time I needed to change all my passwords, I could go to the Password Manager and just click a button to do it for every site. Sadly, I suspect this is quite a way off – as far as I am aware there are no standard APIs for this. Do any of my readers know different? If so, please advise in the comments field below.

In the next part of this blog series, I recount a few of the annoyances uncovered making the changes.