Following the Heartbleed revelations, the security advice from the great and good was to change all passwords. To support World Password Day, I changed over 40 of them – quite an interesting exercise. Alarmingly, it appears I am still vulnerable.
To tell the story of why I am still vulnerable, this blog is split into three parts:
- How I changed 40+ passwords – each unique, the short-cut I found, and a suggestion for the future to make it easier next time.
- A set of annoying things I found doing it, and finally…
- The alarming finding next time I logged on…
In the first part of this blog series, I look at the process of changing and remembering 40+ passwords.
I expected it to take time; I expected it to be annoying; I did not anticipate it being quite as hard as it was.
How can I remember 40+ new unique passwords?
Solution: I didn’t try.
Following advice from various web sites I took the opportunity to implement a password manager (I won’t say which one; I already give hackers far too much detail about me in this blog series).
In most cases, I chose to use a randomly generated password. The exception is when I use the site regularly from an iPad app, so I really needed to be able to remember and type the password. This is a relatively small subset of sites.
For these sites I used a password pattern with something to remind me about the site embedded in the pattern. For example, LinkedIn is my business social media tool, so the characters b, s and m are embedded into a common password somewhere. Not fool-proof, as by knowing one password you can start to guess the others, but sufficient to prevent automated attacks.
In addition, where possible I implemented two-factor authentication or two-step verification. 10 sites in total. So, even if you guess my password pattern, and figure out my reminder code, you still need the second factor.
Finally, as I am now using a password manager, I also took the opportunity to remove any stored passwords in the browser, and configure the browser to stop remembering them in future – one less vulnerability.
The process would seem simple.
- Logon to a site
- Locate the change password screen
- Store the new password in the password manager
- Job done.
Remembering the logon to the site was not easy. Different user names, unique passwords – an issue I discussed in the blog “Logging on is becoming too hard to do securely”.
Having logged on, finding the password change screen was more challenging than I anticipated, almost as if the web site designer thought this was not an important function and it should be hidden away. I found a quick solution. Don’t try to logon. Don’t try to locate the hidden-away screen. From the logon page simply hit the “Forgotten Password” button. Enter your email address and off you go. THIS WAS A HUGE TIME SAVER.
A few sites were annoying (and more secure?) – they wanted extra details before sending me a reset link, such as an account number or postcode. Not sure what to think about that – but it does bring home how critical access to your primary email account is. Get that, and the attacker can reset all my passwords.
From experience I can recommend:
- Implement a password manager
- Use generated, random, passwords – unique to each site
- Use the password reset mechanism, don’t try to log on – it takes too long.
- Take extra security measures to protect the email your password reset emails are sent to.
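The two approaches described above – a shared pattern with a site hint embedded in it, and the recommended generated, random, unique password per site – can both be shown in code. The following Python is an added example, not code from the original post or from any password manager; the site names, the shared base password “Tr0ub4dor!” and the hint letters (“bsm” for LinkedIn, “obk” for an online bank) are constructed for illustration.

```python
"""Added example: per-site random passwords versus a shared pattern.

Not code from the original post. The site names, the hint letters and the
sample pattern password below are constructed for illustration.
"""
import math
import secrets
import string

# Constructed list standing in for the post's 40+ accounts.
SITES = ["linkedin.example", "bank.example", "shop.example", "forum.example"]

# Characters a generated password may draw from (assumption: most sites
# accept these; trim the punctuation for sites with stricter rules).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return one password drawn uniformly from `alphabet` using the OS CSPRNG.

    `secrets` is the right module for this; `random` is not, because its
    generator is seedable and its output is predictable.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_vault(sites, length: int = 20) -> dict:
    """One independent random password per site, as the post recommends.

    A collision between two 20-character random strings is astronomically
    unlikely, but the loop makes uniqueness a guarantee rather than a hope.
    """
    vault, used = {}, set()
    for site in sites:
        pw = generate_password(length)
        while pw in used:
            pw = generate_password(length)
        used.add(pw)
        vault[site] = pw
    return vault


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random password of `length` characters."""
    return length * math.log2(alphabet_size)


def recover_base(known_password: str, hint: str) -> str:
    """What someone who learns one pattern password and its hint can do:
    strip the site hint and keep the shared base that every site reuses.
    """
    idx = known_password.find(hint)
    if idx < 0:
        raise ValueError("hint not present in password")
    return known_password[:idx] + known_password[idx + len(hint):]


def pattern_candidates(base: str, hint: str) -> list:
    """Every way of embedding `hint` as a contiguous block in `base`.

    This is the full guess list for a second site whose hint is known (or
    guessable from its name); it is only len(base) + 1 entries long.
    """
    return [base[:i] + hint + base[i:] for i in range(len(base) + 1)]


def pattern_keyspace(base_len: int, hint_len: int, hint_alphabet: int = 26) -> int:
    """Guesses needed when the base is known but the hint letters are not:
    every possible hint string times every insertion position."""
    return (base_len + 1) * hint_alphabet ** hint_len


if __name__ == "__main__":
    vault = generate_vault(SITES)
    for site, pw in vault.items():
        print(f"{site:20s} {pw}")
    print(f"random 20 chars: {entropy_bits(20, len(ALPHABET)):.1f} bits")

    # Constructed pattern password: shared base "Tr0ub4dor!" with the
    # hint "bsm" (business social media) embedded before the "!".
    known = "Tr0ub4dorbsm!"
    base = recover_base(known, "bsm")
    guesses = pattern_candidates(base, "obk")  # hint for an online bank
    space = pattern_keyspace(len(base), 3)
    print(f"pattern, hint known:   {len(guesses)} guesses")
    print(f"pattern, hint unknown: {space} guesses ({math.log2(space):.1f} bits)")
```

The numbers make the trade-off concrete: a 20-character password from this 75-symbol alphabet carries roughly 125 bits, whereas once one pattern password leaks, a second site with a known hint is covered by eleven guesses and with an unknown three-letter hint by under 200,000 – out of reach of nothing that runs offline. The pattern is only defensible where, as the post notes, a second factor also stands in the way.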
Recommendation for the future.
Wouldn’t it be great if next time I needed to change all my passwords, I could go to the Password Manager and just click a button to do it for every site. Sadly, I suspect this is quite a way off – as far as I am aware there are no standard APIs for this. Do any of my readers know different? If so, please advise in the comments field below.