In a previous blog series, I described my fun, games and gripes at changing 40+ passwords. Soon after the blog was posted, it struck me – there are yet more to change…
As described, I used two-factor authentication where it was available. But some applications are not designed to work with two-factor authentication; they have no mechanism to ask for the second factor. This is a common issue in iPad apps, but it also affects desktop applications such as Microsoft Outlook on Windows.
Most two-factor authentication systems provide a mechanism to manage this: application-specific passwords, or single-use passwords.
Where the password is single-use (for example Twitter), I’ve made the assumption that they did not need changing. (I’d welcome comment from any reader who thinks this is an invalid assumption.)
Where the password is application specific, but re-usable, I set about changing them too.
- Google – Not sure this was totally necessary, as Google helpfully tells me when each app password was last used.
- WordPress
- Microsoft Office 365
No real issue in doing so. Simply log on to the relevant web site, find the app password screen (usually well hidden), delete the old passwords, and re-generate them. Then use the new password in the relevant app.
All in all, no real drama – the point being that following the advice “change all your passwords” is not at all easy, and as pointed out here, there are some very important ones that you may easily forget about.
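To make the mechanism behind that “app password screen” concrete, here is an added example (my own code, not anything from the post or from Google, WordPress or Microsoft) that models what a service does on its side: one random, reusable secret per legacy client, stored only as a salted hash, a last-used timestamp so the owner can judge which ones are still needed, and the delete-and-regenerate step from the procedure above. The class name, the 16-lowercase-letter format and the hashing parameters are my assumptions.

```python
"""App-specific password lifecycle: issue, verify, track last use, revoke, rotate.

Added example; not code from the original post or from any service it names.
Models the server side of an "app passwords" page in stdlib Python.
"""
import hashlib
import hmac
import secrets
import string
import time

# Assumption: 16 random lowercase letters, as several providers display them (~75 bits of entropy).
ALPHABET = string.ascii_lowercase
LENGTH = 16


class AppPasswordStore:
    """One reusable app password per labelled client (e.g. "Outlook on Windows")."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, so last-used can be checked deterministically
        self._records = {}         # label -> {salt, digest, created, last_used}

    @staticmethod
    def _hash(secret: str, salt: bytes) -> bytes:
        # Salted PBKDF2 (assumed parameters). The secret is machine-generated and
        # high-entropy, so the work factor matters less than it would for a human password.
        return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 50_000, dklen=32)

    def issue(self, label: str) -> str:
        """Create (or replace) the app password for `label`. The secret is shown once and never stored."""
        secret = "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))
        salt = secrets.token_bytes(16)
        self._records[label] = {
            "salt": salt,
            "digest": self._hash(secret, salt),
            "created": self._now(),
            "last_used": None,
        }
        return secret

    def verify(self, secret: str) -> "str | None":
        """Return the label whose app password matches and stamp it as used; None if no match.

        The client only presents username + app password, so every record is tried.
        The loop deliberately does not break on a match, so timing does not reveal
        which slot matched.
        """
        matched = None
        for label, rec in self._records.items():
            if hmac.compare_digest(self._hash(secret, rec["salt"]), rec["digest"]):
                matched = label
        if matched is not None:
            self._records[matched]["last_used"] = self._now()
        return matched

    def revoke(self, label: str) -> bool:
        """Delete the app password; the client using it stops working immediately."""
        return self._records.pop(label, None) is not None

    def rotate(self, label: str) -> str:
        """The post's procedure: delete the old app password, generate a new one, put it in the app."""
        self.revoke(label)
        return self.issue(label)

    def report(self) -> dict:
        """What the web page shows: label -> last used (None = never, a candidate for revocation)."""
        return {label: rec["last_used"] for label, rec in self._records.items()}


if __name__ == "__main__":
    store = AppPasswordStore()
    outlook = store.issue("Outlook on Windows")
    ipad = store.issue("iPad mail app")
    print("Outlook login:", store.verify(outlook))
    new_outlook = store.rotate("Outlook on Windows")
    print("old secret still valid?", store.verify(outlook) is not None)
    print("new secret valid?", store.verify(new_outlook) is not None)
    print("last used:", store.report())
```

The last-used field is what makes the “is this still needed?” judgement possible: an app password that has never authenticated since it was issued is one to revoke rather than rotate.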
Geez, those are a lot of passwords to change, I wish you luck with that.
You should really use a secure tool to keep track of them, like WISeID, best of all it’s free 🙂
Cheers
Kevin
— Secure Your Passwords & Personal Life —
http://www.wiseid.com
In the interests of balance, there are other password managers too…
http://www.darkreading.com/risk-management/10-top-password-managers/d/d-id/1109759?
There’s been some interesting revelations recently, involving security issues in password managers; there’s a useful summary and link to the original paper at http://arstechnica.com/security/2014/07/severe-password-manager-attacks-steal-digital-keys-and-data-en-masse/ . In addition to the Dark Reading pointer above, any thoughts on this?
Storing passwords and form-filling them through a browser extension is inherently dangerous, especially since they are usually JavaScript-based. I don’t think there is any completely safe way to do that. Best is to keep full control of your encrypted DB of passwords, and don’t allow it to be queried over a network. You can store an encrypted blob of the entire DB somewhere else to be safe, without any plain-text information (website URL, your name, usernames, etc.) being exposed.
It’s certainly not as convenient without automatic web filling, but it’s more secure.
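The design in the comment above, as an added example (my own code, not the commenter’s and not any password manager’s): the entire DB, URLs and usernames included, is serialised and encrypted as one authenticated blob, so a copy parked on someone else’s server reveals nothing but a rounded-up size. It is stdlib only so it runs anywhere: scrypt for key derivation, HMAC-SHA256 in counter mode as the keystream, and a separate HMAC tag over header and ciphertext (encrypt-then-MAC). The file layout, padding bucket, scrypt parameters and sample entries are my assumptions; in production use a real AEAD (AES-GCM or ChaCha20-Poly1305 from a vetted library) rather than a hand-assembled cipher.

```python
"""Whole-DB encryption: one authenticated blob, no plaintext metadata outside it.

Added example; not code from the post, its commenters, or any product.
Stdlib only. Construction: scrypt -> (enc_key, mac_key); keystream =
HMAC-SHA256(enc_key, nonce || counter); tag = HMAC-SHA256(mac_key, header || ct).
"""
import hashlib
import hmac
import json
import os
import struct

MAGIC = b"PWDB"                     # assumed file magic
BUCKET = 512                        # plaintext padded to a multiple of this, so size leaks less (assumption)
SCRYPT = dict(n=2**14, r=8, p=1)    # assumed work factor (16 MiB, well under hashlib's default maxmem)


def _derive_keys(master: str, salt: bytes) -> tuple:
    km = hashlib.scrypt(master.encode("utf-8"), salt=salt, dklen=64, **SCRYPT)
    return km[:32], km[32:]         # encryption key, MAC key (never reuse one key for both jobs)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC as a PRF in counter mode; the random 16-byte nonce keeps streams distinct per blob.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_vault(entries: list, master: str) -> bytes:
    """Serialise every field of every entry and encrypt the lot as one blob."""
    plain = json.dumps(entries, separators=(",", ":")).encode("utf-8")
    framed = struct.pack(">I", len(plain)) + plain
    framed += b"\0" * (-len(framed) % BUCKET)          # pad to a bucket boundary
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(master, salt)
    ct = _xor(framed, _keystream(enc_key, nonce, len(framed)))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def decrypt_vault(blob: bytes, master: str) -> list:
    """Verify the tag before touching the ciphertext; raise ValueError on wrong key or tampering."""
    if len(blob) < 4 + 16 + 16 + 32 or blob[:4] != MAGIC:
        raise ValueError("not a vault blob")
    salt, nonce = blob[4:20], blob[20:36]
    ct, tag = blob[36:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(master, salt)
    expected = hmac.new(mac_key, blob[:36] + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or blob tampered with")
    framed = _xor(ct, _keystream(enc_key, nonce, len(ct)))
    (n,) = struct.unpack(">I", framed[:4])
    return json.loads(framed[4:4 + n].decode("utf-8"))


def opens_with(blob: bytes, master: str) -> bool:
    try:
        decrypt_vault(blob, master)
        return True
    except ValueError:
        return False


def exposes(blob: bytes, entries: list) -> list:
    """Names of fields whose plaintext bytes appear verbatim in the blob; should be empty."""
    return [k for e in entries for k, v in e.items() if str(v).encode("utf-8") in blob]


# Constructed sample data (not real accounts or passwords).
SAMPLE_ENTRIES = [
    {"url": "https://wordpress.example.com/wp-login.php", "user": "editor-account",
     "password": "abcd efgh ijkl mnop", "note": "WordPress app password"},
    {"url": "https://outlook.office365.com/", "user": "kevin@example.com",
     "password": "xyzw qrst uvab cdef", "note": "Office 365 app password for Outlook"},
]

if __name__ == "__main__":
    blob = encrypt_vault(SAMPLE_ENTRIES, "correct horse battery staple")
    print("blob bytes:", len(blob), "plaintext fields visible:", exposes(blob, SAMPLE_ENTRIES))
    print("opens with right password:", opens_with(blob, "correct horse battery staple"))
    print("opens with wrong password:", opens_with(blob, "Tr0ub4dor&3"))
```

Note what the check in exposes demonstrates: a design that encrypts only the password column (common in naive schemes) would fail it on the url and user fields, which is exactly the metadata the comment says should never be exposed. The tag is checked before decryption, so a blob altered in transit or at rest is rejected rather than yielding garbage.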