Comments on: Why I just spent three days changing my passwords on over 300 Web sites

By: Amos Shapir

Amos Shapir — Mon, 12 Oct 2009 15:48:46 +0000

I don’t think it’s wise to use an automatic passwords generator which relies on a site’s URL. My home ISP had changed its name, and its URL with it, no less than 5 times in the past 10 years; each time its mail server would automatically redirect to the new site. Consequently, an automatic password generator might be seeing a different site name when accessing such a site, than the one it had used when creating the password initially.

By: Robert (Jamie) Munro

Robert (Jamie) Munro — Mon, 12 Oct 2009 11:12:38 +0000

There is a fourth category of password manager application – that doesn’t store any passwords whatsoever. It generates them on the fly with a hash of the URL of the site you are looking at and a master password.

For example, http://passwordmaker.org/

Of course, the problem with this is that if you reveal your master password, you still need to change all the passwords on all the sites, but it is a lot less likely that you will do so, because you never send that password to any sites.

Another problem is that some sites require, for example, at least one number in the password, and others break if you have a number. So sometimes you have to set options in the password generator to change the password it generates, and you may have difficulty remembering the specific options you chose.

By: Tony Toews

Tony Toews — Sat, 10 Oct 2009 18:50:00 +0000

I’ve always had different passwords to different sites but I was storing the passwords in a security by obscurity method which was quite insecure otherwise. I switched to KeePass which is also an open source tool hosted on SourceForge.

I once got a panicked phone call from a friend. Their father had just unexpectedly died and they had no idea what his Quicken password was so they could take care of financial business of his estate.

The first password on the list isn’t a password. It’s several paragraphs of text mentioning my Windows password, my backup paasword, where my backups are stored and most importantly the master password to the KeePass file. This has been printed and placed in a sealed envelope and given to a few close family members.

KeePass then generates random passwords. One problem though is that some sites don’t allow you to use the full 20 characters. You have to watch for that as otherwise weird things can happen.

WIndows and KeePass allow for pass phrases. Which I use. These phrase are five or eight words long with a numeric or special character twist in there somewhere.

KeePass then allows you the ability to visit websites, press a hot key sequence and have the userid and password inserted into the fields. Which is a very nice timesaver.

Trouble is of course, I’m now chained to my laptop. Oh well, it’s always nearby.

By: Eric

Eric — Sat, 10 Oct 2009 12:31:24 +0000

When to reuse a password should be a decision based upon evaluating whether the convenience is worth the risk. Frequently there are only a few web sites where something bad is likely to happen if somebody else got both your username and your password – usually an email account, social networking web site or a web site where somebody could somehow spend or steal your money.

Do you really care that somebody can read articles on the NYTimes web site using your identity?

By: WordPress inadvertent disclosure bug « Something better to do

WordPress inadvertent disclosure bug « Something better to do — Tue, 06 Oct 2009 13:43:00 +0000

[...] I previously wrote, I recently had to change my password on over 300 Web sites because my default [...]

By: Password security hall of shame « Something better to do

Password security hall of shame « Something better to do — Tue, 29 Sep 2009 20:38:34 +0000

[...] I wrote earlier today, I just changed my password on over 300 Web sites. In the process, I encountered a large number of [...]

By: jik

jik — Tue, 29 Sep 2009 19:01:54 +0000

Is this related to the email I sent you the other day?

Yes.

I’m giving the maintainers of the software a change to respond to my security incident report before I post more about it publicly.

By: abbasegal

abbasegal — Tue, 29 Sep 2009 18:51:23 +0000

Is this related to the email I sent you the other day? Anyway, I like PasswordSafe which was plugged (and I think originally designed by) Bruce Schneier, but is now an open-source sourceforge project (http://passwordsafe.sourceforge.net/). Bruce recommends letting Password safe generate random passwords for everything, and then using it for everything. I don't do that across the board, since it means I can't log in to sites from a computer that it not my main computer, but that would be the most secure method (corresponding to your "untrusted" method).