<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Something better to do &#187; Web</title>
	<atom:link href="http://blog.kamens.us/category/computers/internet/web/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.kamens.us</link>
	<description>Musings of an indignant mind</description>
	<lastBuildDate>Tue, 17 Aug 2010 12:30:03 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
			<item>
		<title>I guess I&#8217;m now a Mozilla core developer, too</title>
		<link>http://blog.kamens.us/2010/07/23/i-guess-im-now-a-mozilla-core-developer-too/</link>
		<comments>http://blog.kamens.us/2010/07/23/i-guess-im-now-a-mozilla-core-developer-too/#comments</comments>
		<pubDate>Fri, 23 Jul 2010 13:06:19 +0000</pubDate>
		<dc:creator>jik</dc:creator>
				<category><![CDATA[Computers]]></category>
		<category><![CDATA[Free software]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Web]]></category>
		<category><![CDATA[Firefox]]></category>
		<category><![CDATA[mozilla]]></category>
		<category><![CDATA[Seamonkey]]></category>
		<category><![CDATA[Thunderbird]]></category>

		<guid isPermaLink="false">http://blog.kamens.us/?p=1653</guid>
		<description><![CDATA[About a month ago, I dived into the world of Mozilla add-on development by adopting the abandoned Thunderbird &#8220;Send Later&#8221; add-on and porting it to Thunderbird 3.1. The learning curve was pretty steep, and it took a lot more work than I expected to stabilize the add-on, but I think it was worth it, considering [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" style="margin-left: 5px; margin-right: 5px;" src="http://www.mozilla.org/images/template/screen/logo_footer.png" alt="" width="109" height="98" />About a month ago, I <a href="http://blog.kamens.us/2010/07/11/i-guess-im-a-mozilla-add-on-developer-now/">dived into the world of Mozilla add-on development</a> by adopting the abandoned <a href="https://addons.mozilla.org/en-US/thunderbird/addon/195275/" target="_blank">Thunderbird &#8220;Send Later&#8221; add-on</a> and porting it to Thunderbird 3.1. The learning curve was pretty steep, and it took a lot more work than I expected to stabilize the add-on, but I think it was worth it, considering that in the two weeks since I released it, <a href="https://addons.mozilla.org/en-US/statistics/addon/195275" target="_blank">almost 2,000 people have downloaded it and at least 444 of them are using it</a>.</p>
<p>Emboldened by that, I decided to take a stab at fixing two bugs in the core Thunderbird code that have been driving me crazy. That, too, required a steep learning curve, but in the end, I was able to submit fixes for two bugs, one quite old and one new in Thunderbird 3.1, affecting a whole bunch of people:</p>
<ul>
<li>It was impossible to remove attachments from some MIME messages, including MIME messages generated by the Mac Mail client (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=351224#c16" target="_blank">Mozilla bug #351224</a>). This bug has been reported by at least 30 different people and was first reported almost four years ago. Fixing it required rewriting pretty much an entire module within C++ source code for Thunderbird.</li>
<li>Thunderbird was incorrectly inserting a couple extra spaces at the beginning of some sent email messages (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=564737#c51" target="_blank">Mozilla bug #564737</a>). This bug was first reported just a few months ago and has already been reported by at least 56 different people. This bug is in the core code that is shared between all Mozilla applications, which means that the fix will impact Firefox, Seamonkey, etc. as well as Thunderbird.</li>
</ul>
<p>Needless to say, there are other things I should have been working on when I got distracted by fixing these bugs. But I&#8217;d almost forgotten how rewarding it is to be able to contribute to open-source software in ways that benefit a lot of people.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.kamens.us/2010/07/23/i-guess-im-now-a-mozilla-core-developer-too/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
			<item>
		<title>Citizens Bank idiocy round-up</title>
		<link>http://blog.kamens.us/2010/06/24/citizens-bank-idiocy-round-up/</link>
		<comments>http://blog.kamens.us/2010/06/24/citizens-bank-idiocy-round-up/#comments</comments>
		<pubDate>Thu, 24 Jun 2010 16:38:17 +0000</pubDate>
		<dc:creator>jik</dc:creator>
				<category><![CDATA[Boston]]></category>
		<category><![CDATA[Computers]]></category>
		<category><![CDATA[Consumer activism]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Web]]></category>
		<category><![CDATA[Citizens Bank]]></category>
		<category><![CDATA[SUM Network]]></category>

		<guid isPermaLink="false">http://blog.kamens.us/?p=1619</guid>
		<description><![CDATA[Citizens Bank has been particularly idiotic recently. Here&#8217;s the round-up of all the disappointments we&#8217;ve suffered at their hands&#8230; Bye-bye, SUM Network Citizens has withdrawn from the SUM ATM Network, effective January 1, 2010.  According to the scuttlebutt on-line, the only reason they joined SUM in the first place was because they were required to [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.citizensbank.com/">Citizens Bank</a> has been particularly idiotic recently.  Here&#8217;s the round-up of all the disappointments we&#8217;ve suffered at their hands&#8230;</p>
<h2><span id="more-1619"></span>Bye-bye, SUM Network</h2>
<p>Citizens has withdrawn from the SUM ATM Network, effective January 1, 2010.  According to the scuttlebutt on-line, the only reason they joined SUM in the first place was because they were required to do so as a condition of acquiring another bank.  Apparently that requirement was time-limited and has expired.  They&#8217;ve decided that the smaller banks were benefiting from access to Citizens ATMs a lot more than Citizens was benefiting from access to theirs, so customer convenience be damned, SUM had to go.  Not to mention that now Citizens can make money charging ATM fees to customers of those other banks.</p>
<p>Which brings us to our next item&#8230;</p>
<h2>Inadequate notification of the SUM Network change</h2>
<p>In the good old days of paper, when a bank had something important to notify their customers about, they either enclosed the notice on a separate piece of paper with monthly statements or sent a completely separate mailing.</p>
<p>So, what&#8217;s the equivalent in the age of paperless statements and as few postal mailings as possible to save money and protect the environment?  Well, they could:</p>
<ul>
<li>send customers an email message notifying them about the change (they already have the email address of everyone subscribed to paperless statements, and they already use these email addresses for marketing and important customer communication); or</li>
<li>put the notification at the front of customers&#8217; paperless statements, so when they open the PDF it&#8217;s the first thing they see (in fact, they did exactly this in this month&#8217;s statements with a fluff notice about &#8220;great eco-friendly prizes&#8221; that paperless statement users are eligible to win).</li>
</ul>
<p>Citizens didn&#8217;t use either of these to notify people about their withdrawal from the SUM Network.  Instead, they buried the notice in the fine print at the end of people&#8217;s last 2009 statements, after all of the transaction data (i.e., where people stop reading once they have balanced their checkbook for the month), at the end of a long bullet point which started out, &#8220;This is a reminder of how you can use your debit card or ATM card,&#8221; amidst the marketing drivel that normally appears in that section of the statement, which is why nobody ever reads it.</p>
<p>Which brings us to&#8230;</p>
<h2>Pissing off a profitable customer over a $2 fee</h2>
<p>A few weeks ago, I got nailed with a $2 ATM fee at a SUM ATM.  I had no idea that Citizens had withdrawn from SUM (see above), so I assumed that the fee notice was an error and figured I&#8217;d straighten it out later with Citizens since I didn&#8217;t have time to find another ATM to use.</p>
<p>When I got home, I looked into the matter and discovered that Citizens was no longer in SUM.  I sent Citizens a message through their online banking Web site complaining that their notification of the change was inadequate and asking them to therefore refund the $2 fee.</p>
<p>They sent me back a form letter notifying me that Citizens was no longer a member of the SUM Network.  Well yeah, duh, I knew that already.</p>
<p>I sent them back an impatient response, reiterating my complaint over inadequate notification, demanding again that they reimburse me, and ending with, &#8220;Your bank makes thousands of dollars from the interest I pay on my home equity line.  It would be foolish for you to further antagonize me over a $2 fee.&#8221;</p>
<p>They sent back a response again refusing to refund the fee, since it was charged by the other bank and the ATM had warned me about it.  Well, yeah, duh, I had already <em>told</em> them that the fee was charged by the other bank and the ATM had warned me about it.</p>
<p>I responded, &#8220;Your reply is callous, stupid, inadequate, and unacceptable.  Please give me the fax number of your executive complaints office so that I may let them know just how I feel about the way you have handled my complaint.&#8221;</p>
<p>They responded:</p>
<p style="padding-left: 30px;">Thank you for your recent inquiry regarding the charge to your account. Citizens Bank is aware that situations may occur that are beyond your control. In such cases, we are able to issue a one time credit to your account. I have initiated a $2.00 rebate to your account.</p>
<p>They did not provide me with the contact information I requested for their complaints office.  I wrote back to them, thanked them for the credit, and again asked how I could contact their complaints office.</p>
<p>I got a voicemail message a few days later from a supervisor at Citizens.  I haven&#8217;t spoken to him yet.  I&#8217;m planning on getting his fax number or email address and sending him a copy of this blog posting.</p>
<p>Here&#8217;s a clue, Citizens Bank: it&#8217;s stupid to nickel-and-dime a customer from whom you&#8217;re making thousands of dollars per year.  When such a customer feels aggrieved over a measly $2 fee, and his complaint is even just a little bit legitimate, you <em>refund the fee</em>.  It shows that you care.  Conversely, arguing with the customer shows that you <em>don&#8217;t</em> care.</p>
<h2>Web site silently enforces message length limits and erases customer messages</h2>
<p>While I was going back and forth with Citizens on their Web site about the issue described above, I ran into an incredibly stupid functionality issue on their Web site combined with an incredibly annoying data-loss bug.</p>
<p>The &#8220;message center&#8221; on the Citizens Web site has a message length limit.  The limit is completely undocumented, i.e., when you&#8217;re composing a message, the site doesn&#8217;t tell you how long it&#8217;s allowed to be, even though telling you is the minimum acceptable behavior if you&#8217;re going to impose such a limit (the limit is also unreasonably low, but that&#8217;s a different story).  Far superior to that would be what so many other Web sites have figured out how to do: a character counter which goes down as you type and prevents you from putting more text than you&#8217;re allowed to into your message.</p>
<p>When you exceed the limit and try to submit your message, you get an error message saying that your message is too long and you should hit the Back button and try again.</p>
<p>When you hit the Back button, your message is gone.  You&#8217;ve just spent a significant amount of time composing a message (obviously, since it&#8217;s long enough to run afoul of the length limit), and the Web site just throws it away, and you&#8217;ve got to write the whole thing over again, all the while trying to <em>guess</em> what the limit is that you&#8217;re not allowed to exceed, because the site doesn&#8217;t tell you (even the error message doesn&#8217;t actually say what the length is; it just says that you&#8217;ve exceeded it).</p>
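<p>As an added illustration (not code from the original post, and not Citizens Bank&#8217;s code), here is how the limit described above is handled on both sides of a web form in JavaScript: a live counter on the client that disables the submit button when the text is too long, and a server-side check that states the limit and hands the draft back instead of discarding it.  The constant name MAX_MESSAGE_CHARS, the 1,000-character limit and the element ids are assumptions.</p>

```javascript
// Added example, not from the original post or from Citizens Bank.
// Names and the limit itself (MAX_MESSAGE_CHARS) are assumptions.

// One shared constant, so the client counter and the server check can never
// disagree about the number.
const MAX_MESSAGE_CHARS = 1000;

// String.length counts UTF-16 code units, which is the unit the browser's
// maxlength attribute uses, so client and server agree. If the real limit is
// a byte column in a database, count Buffer.byteLength(text, 'utf8') on both
// sides instead; the unit must be the same on both.
function charCount(text) {
  return text.length;
}

// Client side: what the counter shows and whether the submit button is enabled.
function counterState(text, limit = MAX_MESSAGE_CHARS) {
  const used = charCount(text);
  return { used, remaining: limit - used, canSubmit: used > 0 && used <= limit };
}

// Server side: the authoritative check. Client-side limits are a courtesy, not
// a control; anyone can post the form by hand. On rejection the response keeps
// the draft and states the limit, so the form can be re-rendered filled in
// rather than telling the user to press Back and retype from memory.
function validateMessage(body, limit = MAX_MESSAGE_CHARS) {
  const text = typeof body === 'string' ? body : '';
  const used = charCount(text);
  if (used === 0) {
    return { ok: false, status: 400, error: 'Message is empty.', draft: text, limit };
  }
  if (used > limit) {
    return {
      ok: false,
      status: 400,
      error: `Message is ${used} characters; the limit is ${limit}. Your text has been kept below.`,
      draft: text,
      limit,
    };
  }
  return { ok: true, status: 200, message: text };
}

// Wire the counter to <textarea id="message">, <span id="counter"> and
// <button id="send"> when running in a browser. Returns false under Node,
// where there is no document, so the module can be loaded anywhere.
function attachCounter(doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return false;
  const area = doc.getElementById('message');
  const counter = doc.getElementById('counter');
  const button = doc.getElementById('send');
  if (!area || !counter || !button) return false;
  // maxlength stops the browser accepting more text; the counter tells the
  // user how much room is left before reaching it.
  area.setAttribute('maxlength', String(MAX_MESSAGE_CHARS));
  const update = () => {
    const s = counterState(area.value);
    counter.textContent = `${s.remaining} characters remaining`;
    button.disabled = !s.canSubmit;
  };
  area.addEventListener('input', update);
  update();
  return true;
}

attachCounter();
```

<p>The server check is the one that matters: the maxlength attribute and the disabled button are bypassed trivially by anyone submitting the form with a script, so the server must enforce the limit itself.  Whatever unit the server counts in, the client counter has to count in the same unit, or the two will disagree right at the limit, which is where the user is most likely to be when the page discards their text.</p>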
<h2>Customer service staff has no clue about how to deal with Web site feedback</h2>
<p>I sent a message to Citizens through their message center outlining the problems above.  In return, I expected an acknowledgment that the issues I described were real and an indication that my feedback had been passed on to the people who maintain the Web site.  Instead, I got back a form letter: &#8220;Please keep in mind, the length of emails is limited.&#8221;  Well, yeah, duh, isn&#8217;t that what I was complaining about?</p>
<p>I wrote back and told them, again, to please give me the contact information of someone to whom I could complain about their poor customer service.  This was all going on at the same time as the other issue outlined above, so I think the supervisor who called me was calling about both issues.</p>
<h2>The great thing about paper statements is that they don&#8217;t experience technical difficulties</h2>
<p>I&#8217;m all for the idea of saving money and protecting the environment by reducing paper mailings.  If I weren&#8217;t, I wouldn&#8217;t have invested many hours of my time in <a href="/2008/08/17/fighting-junk-mail-one-envelope-at-a-time/" target="_self">eliminating junk mail from my mailbox</a>.  So when Citizens finally offered me the chance to switch to paperless statements for my home equity line, I took them up on it.</p>
<p>But here&#8217;s the thing, Citizens&#8230; When you ask your customers to switch from mailings to paperless statements, you are making a commitment to them: <em>the statements will be available on-line when they are needed.</em></p>
<p>I&#8217;m a busy man.  I handle my financial affairs, things like reconciling my monthly bank statements, in dribs and drabs whenever I can find a few minutes to spare.  When I find those minutes, the &#8220;paper&#8221;work needs to be at my fingertips.</p>
<p>But it&#8217;s not.  For several days now, my home equity line statements have been inaccessible through the Web site.  This is not the first time this has happened.  I called Citizens today to ask what was going on and was told that the issue is impacting everyone; they are working on resolving it; and they could not give me an ETA for when it will be resolved.</p>
<p>Note: the minimum monthly payment on a Citizens home equity line is the amount of interest accrued in the past month.  Interest accrual doesn&#8217;t show up explicitly in the transaction history on the Web site (yet another stupid bug with the site).  This means that when on-line statements are unavailable, many customers have no way of knowing how much they&#8217;re required to pay that month.  Awesome!</p>
<p>I&#8217;ve managed high-availability OLTP Web sites.  It is not hard for such a site to serve up a bunch of PDFs; in fact, it should be trivial, since they are static documents, not database-backed queries or transactions.  It is mind-boggling that this keeps happening, mind-boggling that it takes days to resolve each time it does, and mind-boggling that whatever the problem is, Citizens didn&#8217;t just fix it properly the first time rather than letting it happen over and over.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.kamens.us/2010/06/24/citizens-bank-idiocy-round-up/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
			<item>
		<title>Supposed SysAdmin &amp; Network Security experts don&#8217;t know how to run a secure Web site</title>
		<link>http://blog.kamens.us/2010/04/09/supposed-sysadmin-network-security-experts-dont-know-how-to-run-a-secure-web-site/</link>
		<comments>http://blog.kamens.us/2010/04/09/supposed-sysadmin-network-security-experts-dont-know-how-to-run-a-secure-web-site/#comments</comments>
		<pubDate>Fri, 09 Apr 2010 19:56:42 +0000</pubDate>
		<dc:creator>jik</dc:creator>
				<category><![CDATA[Computer Security]]></category>
		<category><![CDATA[Computers]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Web]]></category>
		<category><![CDATA[SANS]]></category>

		<guid isPermaLink="false">http://blog.kamens.brookline.ma.us/~jik/wordpress/?p=1311</guid>
		<description><![CDATA[Yesterday, I decided I wanted to unsubscribe from one of the e-newsletters published by SANS, which bills itself as, &#8220;the most trusted source for computer security training, certification and research.&#8221; There were no instructions in the e-newsletter for how to unsubscribe, so I went to their Web site. It told me that I had to [...]]]></description>
			<content:encoded><![CDATA[<p>Yesterday, I decided I wanted to unsubscribe from one of the e-newsletters published by <a href="http://www.sans.org/" target="_blank">SANS</a>, which bills itself as, &#8220;the most trusted source for computer security training, certification and research.&#8221;</p>
<p>There were no instructions in the e-newsletter for how to unsubscribe, so I went to their Web site.  It told me that I had to sign into my Portal account; the only problem is that I&#8217;ve never had a Portal account, and I subscribed to the SANS e-newsletters long before such a thing existed.   I figured that perhaps they auto-created an account for me at some point, so I gave the site my email address and told it that I&#8217;d forgotten my password.  It claimed to have mailed password reset instructions to me and told me that I had to follow them within two hours, but over ten minutes later, they still hadn&#8217;t arrived.</p>
<p>Thinking that perhaps I could register my email address for a Portal account and would then &#8220;inherit&#8221; any legacy subscriptions under that email address, I tried registering.  It rejected my registration form, telling me that I needed to enter a valid email address.   I couldn&#8217;t tell whether it was rejecting the form because the email I entered was already in its database, or because it incorrectly believed that &#8220;jik@kamens.brookline.ma.us&#8221; was not a valid address (a lot of Web sites can&#8217;t seem to handle the idea that &#8220;kamens.brookline.ma.us&#8221; is a valid email domain).</p>
<p>At this point, I threw up my hands and sent them email describing everything that had happened and asking what the heck I should do.  I ended my email with, &#8220;The fact that you guys are supposedly experts at secure Web site design make this rather ironic.&#8221;</p>
<p><span id="more-1311"></span>The password reset email finally arrived after having been held up on the SANS mail server for an hour and a half.  I wasn&#8217;t on-line when it arrived, and by the time I saw it, the two-hour window had elapsed and I couldn&#8217;t use it to reset my password.  I also received another delayed email message informing me that I had tried to register a new account using an email address that was already registered, thus answering the question of what the Web site had meant when it rejected my email address as invalid, but not explaining why it couldn&#8217;t have just displayed this message in my browser rather than sending me an email message about it.</p>
<p>I tried the password reset thing again, and this time the email arrived immediately, so I was able to log into the Portal account they had created for me and unsubscribe from the e-newsletter.</p>
<p>A day later, they responded to my email: &#8220;I apologize for the inconvenience.  Upon reviewing your account it appears that you are no longer subscribed to @RISK.  You are sill <em>[sic]</em>, however, subscribed to Newsbites.&#8221;</p>
<p>Gee, thanks for telling me what I already know.  How about telling me something useful, like why my password reset email was delayed for an hour and a half on your mail server or why you send people email rather than displaying an error in their browsers when they try to register an email address that&#8217;s already registered?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.kamens.us/2010/04/09/supposed-sysadmin-network-security-experts-dont-know-how-to-run-a-secure-web-site/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
			<item>
		<title>New Massachusetts unemployment insurance employer Web site crashes and burns upon launch</title>
		<link>http://blog.kamens.us/2010/01/14/new-massachusetts-unemployment-insurance-employer-web-site-crashes-and-burns-upon-launch/</link>
		<comments>http://blog.kamens.us/2010/01/14/new-massachusetts-unemployment-insurance-employer-web-site-crashes-and-burns-upon-launch/#comments</comments>
		<pubDate>Fri, 15 Jan 2010 03:01:34 +0000</pubDate>
		<dc:creator>jik</dc:creator>
				<category><![CDATA[Boston]]></category>
		<category><![CDATA[Computers]]></category>
		<category><![CDATA[Government activism]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Web]]></category>
		<category><![CDATA[DETMA]]></category>
		<category><![CDATA[DUA]]></category>
		<category><![CDATA[QUEST]]></category>

		<guid isPermaLink="false">http://blog.kamens.brookline.ma.us/~jik/wordpress/?p=1218</guid>
		<description><![CDATA[(Simulblogged at universalhub.com.) The Commonwealth of Massachusetts has a convoluted(*) unemployment insurance system, under which employers are required to make various quarterly and annual filings and quarterly payments involving at least two different state agencies. This system is administered by the Department of Unemployment Assistance (DUA), who decided to replace their old, paper-based system with [...]]]></description>
			<content:encoded><![CDATA[<p>(Simulblogged at <a href="http://www.universalhub.com/node/30315" target="_blank">universalhub.com</a>.)</p>
<p>The Commonwealth of Massachusetts has a convoluted<a id="note1from" name="note1from" href="#note1to">(*)</a> unemployment insurance system, under which employers are required to make various quarterly and annual filings and quarterly payments involving at least two different state agencies.</p>
<p>This system is administered by the Department of Unemployment Assistance (DUA), who decided to replace their old, paper-based system with a Web-based system called QUEST (&#8220;Quality Unemployment System Transformation&#8221;).  The DUA promised QUEST would bring countless improvements: one-stop shopping, filings for all agencies in one place, faster filings, less wasted paper, reduced printing and postage costs, reduced data entry costs, no more data transcription errors, etc., etc.  You&#8217;ve no doubt heard it all before.</p>
<p>QUEST went live at the beginning of 2010.  As of the go-live date, the usage of QUEST for all employer unemployment insurance transactions was mandatory; paper filings were no longer permitted.  I.e., the DUA went straight from paper filings only to on-line filings only, with no transition period or overlap.<a id="note2from" name="note2from" href="#note2to">(**)</a></p>
<p>It would be an understatement to say that the QUEST go-live is not going well; in fact, it is a disaster.  <span id="more-1218"></span>Some examples of the issues I&#8217;ve experienced trying to use the new system today to do my filing for the last quarter of 2009:</p>
<ul>
<li>I received an email message informing me that there was correspondence in my QUEST inbox, and I should log into QUEST to read it.  When I log into QUEST and click on the link for the correspondence in question, I get a .NET error page.</li>
<li>When I attempted to enter my quarterly filing numbers, I was asked to fill in the fields &#8220;UI gross wages&#8221;, &#8220;UI taxable wages&#8221;, and &#8220;UHI taxable wages&#8221;, with no explanation on the form or anywhere else on the site of what these terms mean or how to determine the correct amounts.  A DUA employee with whom I spoke today informed me that those words were supposed to be links that I could click on for definitions, but for some reason the links were missing from the page.</li>
<li>The two DUA employees with whom I spoke today both said that the new system is having innumerable problems across the board.</li>
<li>The first phone number I called today in an attempt to get help with QUEST was so swamped that I was not even given the option of waiting on hold &#8212; a recording told me they were too busy to help me and I should call back later, and then I was disconnected.</li>
<li>A little while ago I tried to click on the QUEST login link on the DUA Web page and instead reached a DUA Web site error page indicating that the page I was trying to access had moved or was temporarily unavailable, or some such thing.</li>
<li>Some time after that, I tried again, and this time I actually got into the QUEST application, at which point I was greeted with a different error: &#8220;Error: You have reached the Commonwealth of Massachusetts Department of Unemployment Assistance. The Quest Unemployment System is temporarily unavailable due to scheduled maintenance in order to better serve you. Please try your request again later. We appreciate your understanding.&#8221;  Given everything else that&#8217;s going on, it seems highly unlikely to me that it is any way accurate to claim that this outage was &#8220;scheduled&#8221;.</li>
<li>Earlier today, a new message showed up on the DUA Web site:<br />
<strong>Additional Time for 4th Quarter Filing and Account Activation</strong><br />
Two-week grace period for filing 4th Quarter Employment and Wage Detail Report. New deadline: <strong>February 16, 2010</strong>. Penalties apply after deadline. <a href="http://www.mass.gov/Elwd/docs/dua/quest/empl_%26_wage_detail_filing_1st_reminder.pdf" target="_blank">More.</a><br />
Although the January 8th deadline has passed, you can still activate your account without a late penalty. Please activate your account as soon as possible to avoid the expected high volume of calls and web traffic near the filing deadline.</li>
</ul>
<p>As is typical in government bureaucracies facing epic disasters, there has been no public disclosure of the fact that there is a problem, or of what is being done to fix it, or of the ETA for when it will be fixed.  It remains to be seen whether anything will be disclosed later, or whether any heads will roll at the DUA in recognition of this monumental cock-up.</p>
<p><a id="note1to" name="note1to" href="#note1from">(*)</a>Perhaps the system does not seem so convoluted to businesses, but it does to me, a &#8220;household employer&#8221; who is required to participate in it only because I&#8217;ve made the seemingly naive decision of attempting to abide by the law while employing a babysitter for six hours per week.</p>
<p><a id="note2to" name="note2to" href="#note2from">(**)</a>At least, requiring QUEST filing as of 1/1/2010 seems to have been their original plan.  However, a <a href="http://www.mass.gov/Elwd/docs/dua/quest/empl_%26_wage_detail_filing_1st_reminder.pdf" target="_blank">letter sent to employers January 14</a> encourages the use of QUEST for filing 4Q2009 reports, which would seem to imply that not using QUEST is in fact an option.  If so, it&#8217;s a difficult option to exercise, since all instructions and forms for filing on paper appear to have been removed from the Web site, or at least cunningly hidden.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.kamens.us/2010/01/14/new-massachusetts-unemployment-insurance-employer-web-site-crashes-and-burns-upon-launch/feed/</wfw:commentRss>
		<slash:comments>20</slash:comments>
		</item>
			<item>
		<title>Sears violates CAN-SPAM act</title>
		<link>http://blog.kamens.us/2009/12/09/sears-violates-can-spam-act/</link>
		<comments>http://blog.kamens.us/2009/12/09/sears-violates-can-spam-act/#comments</comments>
		<pubDate>Wed, 09 Dec 2009 17:42:31 +0000</pubDate>
		<dc:creator>jik</dc:creator>
				<category><![CDATA[Computers]]></category>
		<category><![CDATA[Consumer activism]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Spam]]></category>
		<category><![CDATA[Web]]></category>
		<category><![CDATA[Sears]]></category>

		<guid isPermaLink="false">http://blog.kamens.brookline.ma.us/~jik/wordpress/?p=1161</guid>
		<description><![CDATA[Today, I received a commercial email message from Sears Home Services, a.k.a., Sears Holdings Corporation.  They got my email address when I made a service appointment through their Web site, which I subsequently canceled when it became clear that they were going to charge me more than a local repair man. The email message contained [...]]]></description>
			<content:encoded><![CDATA[<p>Today, I received a commercial email message from Sears Home Services, a.k.a., Sears Holdings Corporation.  They got my email address when I made a service appointment through their Web site, which I subsequently canceled when it became clear that they were going to charge me more than a local repair man.</p>
<p>The email message contained no instructions for opting out of future commercial email messages.  This is a clear and direct violation of the Federal CAN-SPAM act (see requirement 5 in The FTC&#8217;s <a href="http://www.ftc.gov/bcp/edu/pubs/business/ecommerce/bus61.shtm" target="_blank">CAN-SPAM Act Compliance Guide for Business</a>).</p>
<p>Here&#8217;s what the <a href="http://www.searshomeservices.com/shs/info/privacy-policy#Can_I_Opt_Out_of_Receiving_Promotion_Emails" target="_blank">privacy policy on their Web site says</a>:</p>
<h4 style="padding-left: 30px;">Can I &#8220;Opt-Out&#8221; of Receiving Promotional E-mails?</h4>
<p style="padding-left: 30px;">From time to time, we may send you e-mails with promotional offers if you opt-in to receiving such emails. If you would no longer like to receive e-mailed special event information, sales notifications or other promotional messages from this web site, you can unsubscribe from this site&#8217;s e-mail marketing list by following the unsubscribe link located at the bottom of each promotional e-mail. Your e-mail address will be removed from this site&#8217;s email marketing list within 10 days.</p>
<p>Therefore, in addition to violating the CAN-SPAM Act, they also violated their own published privacy policy.</p>
<p>Their Web site claims that registered users can edit settings on the site to tell Sears &#8220;whether you wish to receive e-mail about special sales, promotions and other events.&#8221;  So I registered on the site, using the same email address they spammed me on.  When I looked at my profile after registering, it said that I&#8217;m not subscribed to receive any email from them.  Nice!</p>
<p>There are no instructions in their privacy policy for how to notify them about violations.</p>
<p>I&#8217;ve <a href="https://www.ftccomplaintassistant.gov/" target="_blank">submitted a complaint to the FTC</a> as well as submitted a complaint to Sears <a href="http://www.searshomeservices.com/shs/info/contact-us" target="_blank">through their Web site</a>.  We&#8217;ll see what comes of it.</p>
<p>This is one of several reasons why I won&#8217;t be letting anyone from Sears into my house to repair my appliances.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.kamens.us/2009/12/09/sears-violates-can-spam-act/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
			<item>
		<title>Bye bye Chase!</title>
		<link>http://blog.kamens.us/2009/11/19/bye-bye-chase/</link>
		<comments>http://blog.kamens.us/2009/11/19/bye-bye-chase/#comments</comments>
		<pubDate>Fri, 20 Nov 2009 02:13:22 +0000</pubDate>
		<dc:creator>jik</dc:creator>
				<category><![CDATA[Computers]]></category>
		<category><![CDATA[Consumer activism]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Web]]></category>
		<category><![CDATA[Chase]]></category>

		<guid isPermaLink="false">http://blog.kamens.brookline.ma.us/~jik/wordpress/?p=1117</guid>
		<description><![CDATA[Recall my recent letter to Chase, which ended: As I see it, you have three options for what to do now: You can throw my letter in the trash. Result: I close my Chase account and get a new card from someone else. You can send me a useless, boilerplate response that does not address [...]]]></description>
			<content:encoded><![CDATA[<p>Recall my <a href="/2009/10/16/one-service-offer-from-chase-16-problems-3-clueless-customer-support-representatives/">recent letter to Chase</a>, which ended:</p>
<blockquote><p>As I see it, you have three options for what to do now:</p>
<ol>
<li>You can throw my letter in the trash. <strong>Result: I close my Chase account and get a new card from someone else. </strong></li>
<li>You can send me a useless, boilerplate response that does not address any of my concerns, and then throw my letter in the trash. <strong>Result: I close my Chase account and get a new card from someone else. </strong></li>
<li>You can use my letter to help you identify opportunities for improvement within your company and take advantage of those opportunities, and then send me a substantive response describing what you’ve done in real, concrete terms. <strong>Result: You restore my confidence and I stay a Chase customer. </strong></li>
</ol>
<p>So, what’s it going to be? I suggest you take a look at how much money you’ve made from the nearly $100,000 I’ve charged on my card in the past three years before you decide.</p></blockquote>
<p>Apparently they&#8217;ve chosen option 2.  Today, I applied for a new Citizens Bank Platinum MasterCard with 3% cash back on gas purchases and 1% cash back on everything else.  Once my new Citizens card arrives, I will be closing my Chase account.  I&#8217;ve also sent hard copies of this blog entry to the woman who wrote to me and to the Vice President to whom she carbon-copied her response.</p>
<p>The following is the text of the letter I received from Chase today, with some commentary:<span id="more-1117"></span></p>
<hr />
<p>Dear Mr. Kamens:</p>
<p>I am writing in response to your concerns addressed to Jamie Dimon, Chairman and Chief Executive Officer at JPMorgan Chase &amp; Co.  I appreciate the opportunity to assist you on behalf of the Card Services Executive Office. <em>[... an opportunity which she of course squandered.]</em></p>
<p>Please allow me to stress that we always appreciate receiving feedback from our Cardmembers <em>[it gives us a good laugh!]</em>, as it helps us to continually evaluate our service to ensure that we are meeting our Customer&#8217;s <em>[sic]</em> needs and expectations <em>[you're not!]</em>.  We appreciate the time you have taken to bring your concerns to our attention <em>[time that was obviously wasted]</em>.  I have attempted to contact you by telephone to further discuss your concerns, but my attempts have been unsuccessful. [<em>Her "attempts" consisted of one voicemail message informing me that she had received and was researching my letter; I had assumed, apparently incorrectly, that when she was done "researching" she would call again.]</em></p>
<p>After further review of your concerns, I have found that the responses for the questions indicated in your letter are accurate. <em>[If you've read my letter, you know full well that it's <strong>impossible</strong> that everything I was told was "accurate."]</em> I regret that we are unable to provide you with additional information regarding our fraud processes, as it is proprietary bank information. <em>[If you've read my letter, you know full well that I didn't ask for any proprietary information about your fraud processes.]</em></p>
<p>Mr. Kamens, I have forwarded your concerns to the appropriate area <em>[the trash can!]</em> for review regarding the lack of information available to our customers on how to enroll or unenroll in services online.  If you have any additional questions, please contact me at 1-888-&#8230;-&#8230;., extension &#8230;. or &#8230;..  My hours are Monday through Friday from 7:30 a.m. to 4:00 p.m. Central Time.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.kamens.us/2009/11/19/bye-bye-chase/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
			<item>
		<title>The Consumerist jumps the shark</title>
		<link>http://blog.kamens.us/2009/11/19/the-consumerist-jumps-the-shark/</link>
		<comments>http://blog.kamens.us/2009/11/19/the-consumerist-jumps-the-shark/#comments</comments>
		<pubDate>Thu, 19 Nov 2009 17:12:57 +0000</pubDate>
		<dc:creator>jik</dc:creator>
				<category><![CDATA[Computers]]></category>
		<category><![CDATA[Consumer activism]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Web]]></category>
		<category><![CDATA[Consumerist]]></category>

		<guid isPermaLink="false">http://blog.kamens.brookline.ma.us/~jik/wordpress/?p=1113</guid>
		<description><![CDATA[I&#8217;ve been subscribed to The Consumerist since Continental lost my daughter last summer and The Consumerist picked up the story.  I was impressed by their reach and by the quality of stories that they ran. Unfortunately, two or three months after I started reading them, the quality seemed to start going down.  There were a [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve been subscribed to <a href="http://consumerist.com/">The Consumerist</a> since Continental lost my daughter last summer and The Consumerist picked up the story.  I was impressed by their reach and by the quality of stories that they ran.</p>
<p>Unfortunately, two or three months after I started reading them, the quality seemed to start going down.  There were a lot more stories that seemed frivolous or where it seemed like a big deal was being made out of something that wasn&#8217;t.  Furthermore, there were several instances where I sent them tips about stories which were far more relevant than some of the trivialities they were running, and they chose not to run them.</p>
<p>Then they started ending most postings with questions to spur discussion, a transparent tactic for increasing page hits on the site.  That&#8217;s all well and good, but when combined with the fact that they also started regularly running promotional blurbs for content published by <em><a href="http://www.consumerreports.org/">Consumer Reports</a></em>, <strong>which recently purchased them, </strong>it became clear what&#8217;s going on.</p>
<p>All of this came to a head for me when they ran an item entitled &#8220;<a href="http://consumerist.com/5407532/att-rep-wants-to-die" target="_blank">AT&amp;T Rep Wants To Die</a>&#8220;, which purported to be a transcript of a chat between a customer and AT&amp;T in which the customer at one point commented sardonically, &#8220;i&#8217;ll just hang myself,&#8221; to which the CSR allegedly responded, &#8220;Right behind you&#8221;.  The Consumerist thought this was funny and posted it with the comment, &#8220;Morale is low aboard the Deathstar.&#8221;</p>
<p>This would, perhaps, have been just a bit of harmless fun if it hadn&#8217;t turned out that the customer who forwarded the conversation to The Consumerist actually doctored it.  They ran a correction from an AT&amp;T representative in an article entitled &#8220;<a href="http://consumerist.com/5408384/att-says-their-rep-doesnt-want-to-die" target="_blank">AT&amp;T Says Their Rep Doesn&#8217;t Want To Die</a>&#8220;, at the bottom of which they said (emphasis added):</p>
<p style="padding-left: 30px;">PR guy misses the point. The chat transcript was funny. <em>It doesn&#8217;t matter if it was &#8220;true,&#8221; </em>it spoke the truth.</p>
<p>Um, sorry, Consumerist, but it <em>does</em> &#8220;matter if it was true.&#8221;  With that comment, my subscription to The Consumerist is at an end.  Thanks, guys, for giving me back a little free time in my life.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.kamens.us/2009/11/19/the-consumerist-jumps-the-shark/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
			<item>
		<title>WordPress inadvertent disclosure bug</title>
		<link>http://blog.kamens.us/2009/10/06/wordpress-inadvertent-disclosure-bug/</link>
		<comments>http://blog.kamens.us/2009/10/06/wordpress-inadvertent-disclosure-bug/#comments</comments>
		<pubDate>Tue, 06 Oct 2009 13:42:58 +0000</pubDate>
		<dc:creator>jik</dc:creator>
				<category><![CDATA[Blogging]]></category>
		<category><![CDATA[Computer Security]]></category>
		<category><![CDATA[Computers]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Web]]></category>
		<category><![CDATA[inadvertent disclosure]]></category>
		<category><![CDATA[Wordpress]]></category>

		<guid isPermaLink="false">http://blog.kamens.brookline.ma.us/~jik/wordpress/?p=977</guid>
		<description><![CDATA[As I previously wrote, I recently had to change my password on over 300 Web sites because my default &#8220;medium-security password&#8221; was compromised.  The compromise was caused by a bug in the WordPress blogging platform which can result in inadvertent disclosure of information when content is pasted into the WYSIWYG text editor built into WordPress. [...]]]></description>
			<content:encoded><![CDATA[<p>As I <a href="/2009/09/29/why-i-just-spent-three-days-changing-my-passwords-on-over-300-web-sites/">previously wrote</a>, I recently had to change my password on over 300 Web sites because my default &#8220;medium-security password&#8221; was compromised.  The compromise was caused by a bug in the <a href="http://wordpress.org/" target="_blank">WordPress blogging platform</a> which can result in inadvertent disclosure of information when content is pasted into the WYSIWYG text editor built into WordPress.</p>
<p>In a nutshell, sometimes when you paste text into the editor, the editor inserts an invisible copy of the pasted text.  You won&#8217;t see the invisible text at all in the editor; it&#8217;s visible in the HTML view, but WordPress users often post without ever looking at the HTML view (that is, after all, the whole point of the editor).  Even if you do look at the HTML, you probably won&#8217;t notice the hidden text block unless you know to look for it, which most people obviously don&#8217;t.  It is not clear whether this invisible copy is inserted in addition to a visible copy of the same text, or whether it&#8217;s inserted instead of the visible copy you intended.</p>
<p>Although the text is not visible in the editor, it is in the HTML, which means that when you publish your blog entry, the hidden text goes along with it.  Search engines will happily index it and even show you snippets from it in search results if you search for a keyword that&#8217;s found in the hidden text.  Furthermore, syndicators of your blog that strip out HTML style attributes (including, e.g., the feed syndicator at <a href="http://LiveJournal.com/" target="_blank">LiveJournal.com</a>) will render the previously invisible text for the world to see.</p>
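<p>A pre-publish check for the hidden paste blocks just described, added here as an example (it is not WordPress&#8217;s code): it walks the post HTML with Python&#8217;s html.parser, reports any element hidden by <code>id="_mcePaste"</code> or by an off-screen or <code>display:none</code> style, and lists hidden sentences that no longer appear in the visible copy, which is exactly the edited-visible-but-not-hidden case above. The sample post and its password value are constructed.</p>

```python
"""Pre-publish scan for hidden paste blocks left in post HTML.
Added example, not WordPress code; the sample post below is constructed."""
from html.parser import HTMLParser
import re

# Style fragments that hide an element while leaving its text in the markup.
# A syndicator that strips style attributes renders such text verbatim.
HIDING_STYLE = re.compile(
    r"left\s*:\s*-\d{3,}px|display\s*:\s*none|visibility\s*:\s*hidden",
    re.IGNORECASE,
)
# Elements that never get a closing tag, so they must not go on the tag stack.
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link", "area", "base",
             "col", "embed", "source", "wbr"}


class HiddenBlockFinder(HTMLParser):
    """Split a document's text into visible text and hidden blocks."""

    def __init__(self):
        super().__init__()
        self.visible = []   # text fragments outside any hidden element
        self.hidden = []    # [reason, text] per outermost hidden element
        self._stack = []    # per open tag: index into self.hidden, or None

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        reason = None
        if a.get("id") == "_mcePaste":
            reason = "id=_mcePaste"
        elif a.get("style") and HIDING_STYLE.search(a["style"]):
            reason = "hiding style: " + a["style"].strip()
        if reason is not None:
            self.hidden.append([reason, ""])
            self._stack.append(len(self.hidden) - 1)
        else:
            self._stack.append(None)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()

    def handle_data(self, data):
        # Attribute text to the outermost hidden ancestor, if there is one.
        for idx in self._stack:
            if idx is not None:
                self.hidden[idx][1] += data
                return
        self.visible.append(data)


def _squash(text):
    return " ".join(text.split())


def _parse(html):
    finder = HiddenBlockFinder()
    finder.feed(html)
    finder.close()
    return finder


def find_hidden_blocks(html):
    """Return (reason, text) for every non-empty hidden block in the HTML."""
    return [(reason, _squash(text)) for reason, text in _parse(html).hidden
            if _squash(text)]


def hidden_only_text(html):
    """Hidden sentences that are absent from the visible copy: the text a
    reader of the raw HTML (or of a style-stripping syndication) would see
    even though the author removed it from the visible version."""
    finder = _parse(html)
    visible = _squash("".join(finder.visible))
    leaks = []
    for _reason, text in finder.hidden:
        for sentence in re.split(r"(?<=[.!?])\s+", _squash(text)):
            if sentence and sentence not in visible:
                leaks.append(sentence)
    return leaks


# Constructed sample: the visible copy was edited to drop the password, but
# the editor also left an unedited copy in an off-screen div.
SAMPLE_POST = (
    "<p>Their email said: your username is jdoe and your password is "
    "[removed]. Please do not share it.</p>\n"
    '<div id="_mcePaste" style="overflow: hidden; position: absolute; '
    'left: -10000px; top: 0px; width: 1px; height: 1px;">'
    "Their email said: your username is jdoe and your password is "
    "EXAMPLE-PW-123. Please do not share it.</div>"
)

if __name__ == "__main__":
    for reason, text in find_hidden_blocks(SAMPLE_POST):
        print("hidden block (%s): %s" % (reason, text))
    for leak in hidden_only_text(SAMPLE_POST):
        print("hidden text missing from the visible copy:", leak)
```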
<p><span id="more-977"></span>I was posting a <a href="/2009/09/23/dma-site-is-not-only-broken-but-insecure/">blog entry about some idiots emailing me a Web site username and password</a>, and I cut and pasted their email into my blog posting and then edited it to remove the username and password before publication.  Although I edited the visible text successfully, the unedited, invisible text remained and was picked up by the search engines and LiveJournal.  Voilà!  Time to change a bunch of passwords. <em>*sigh*</em></p>
<p>This is not a terribly serious security hole, as these things go, but it is real and needs to be addressed.  Unfortunately, the maintainers of WordPress do not seem to be taking it particularly seriously.  I sent this report to <a href="mailto:security@wordpress.com" target="_blank">security@wordpress.com</a>:</p>
<p>I am running WordPress 2.8.4.</p>
<p style="padding-left: 30px;">I recently posted a blog entry&#8230;</p>
<p style="padding-left: 30px;">Here is what appeared, without my knowledge at the end of the unfixed version that I first published:</p>
<p style="padding-left: 60px;">&lt;div id=&#8221;_mcePaste&#8221; style=&#8221;overflow: hidden; position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px;&#8221;&gt; &#8230; &lt;/div&gt;</p>
<p style="padding-left: 30px;">In other words, for some reason, when I pasted the email message text into the Visual editor, somehow this hidden text block got pasted, in addition to the visible text block that I then edited, and the hidden, unedited text block remained in the blog entry when it was published.</p>
<p style="padding-left: 30px;">I don&#8217;t know how this happened.  I don&#8217;t recall doing anything unusual that might have caused it when editing the blog entry.</p>
<p style="padding-left: 30px;">The security issue here should be obvious &#8212; it is a big problem that text that someone pastes into a blog entry they are editing can end up being inserted into the published blog entry without their knowledge.  In my case, the problem is particularly egregious, since usernames and passwords were involved, but any time text gets published that the author isn&#8217;t aware is being published, that&#8217;s a problem.</p>
<p style="padding-left: 30px;">The text was invisible in my blog because of the style attributes, but Google indexed it anyway, which means that it could show up in Google search results if you searched for the right keyword.  Not only that, but when the syndicated LiveJournal feed of my blog picked up the blog posting, the style attributes were stripped, and the text became visible on LiveJournal to everyone who reads my blog there.</p>
<p style="padding-left: 30px;">&#8230;</p>
<p style="padding-left: 30px;">When I Google for &#8220;&lt;div id=&#8221;_mcePaste&#8221; style=&#8221;overflow: hidden; position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px;&#8221;&gt;&#8221;, Google finds 83 matches (if you tell it to display all matches, rather than letting it filter out the ones it thinks are similar), so clearly I&#8217;m not the only person who has been bitten by this, although I haven&#8217;t looked to see if any of the other inadvertently exposed text is as security-sensitive as it was in my case.  Also, if you Google for &#8220;_mcepaste hidden&#8221;, you will see that others have run into this issue, although it doesn&#8217;t look like anyone has realized the security-hole aspect of it.</p>
<p style="padding-left: 30px;">I hope you will take this issue seriously.</p>
<p>I didn&#8217;t hear back from them for two days, so I wrote to them again.  I didn&#8217;t hear back from them for another five days after that, so I wrote to them again.  They finally responded, &#8220;Switch from the Visual to the HTML tab to see hidden blocks.  Visual is a WYSIWYG and seems to be doing exactly as it should&#8230; That said, we can look into putting up a little warning message if the content contains hidden text.&#8221;</p>
<p>I responded:</p>
<p style="padding-left: 30px;">I don&#8217;t understand what you are saying.</p>
<p style="padding-left: 30px;">It is not correct behavior for a WYSIWYG editor to paste hidden text into a document and not tell you that it is there.</p>
<p style="padding-left: 30px;">You could make a case that it is correct behavior if (a) there were some purpose to the hidden text and (b) it happened every time.  Neither of these is the case.  There is no purpose to the hidden text; when the WYSIWYG editor pastes properly, the text is visible, not hidden.  And it only happens rarely, thus making it rather clear that it is a malfunction rather than intended behavior.</p>
<p style="padding-left: 30px;">Even if the behavior were both intended and functional, neither its existence nor its purpose is documented anywhere, nor is the user informed in any way when invisible text is pasted.  Therefore, it would still be a security issue in this case, because it is making data publicly visible that people don&#8217;t expect to be publicly visible, without informing them.</p>
<p style="padding-left: 30px;">If there is a purpose to the hidden text, then what is it?</p>
<p>I also told them that displaying a warning message would be a good start, but not inserting hidden text into blog postings for no discernable reason would be a better solution.</p>
<p>I&#8217;ve heard nothing further back from them.</p>
<p>I am publicizing this issue both to warn other WordPress bloggers about it and to ask publicly for the WordPress development team to acknowledge that this bug is a security hole and commit to fixing it.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.kamens.us/2009/10/06/wordpress-inadvertent-disclosure-bug/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
			<item>
		<title>Password security hall of shame</title>
		<link>http://blog.kamens.us/2009/09/29/password-security-hall-of-shame/</link>
		<comments>http://blog.kamens.us/2009/09/29/password-security-hall-of-shame/#comments</comments>
		<pubDate>Tue, 29 Sep 2009 20:38:30 +0000</pubDate>
		<dc:creator>jik</dc:creator>
				<category><![CDATA[Computer Security]]></category>
		<category><![CDATA[Computers]]></category>
		<category><![CDATA[Consumer activism]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Web]]></category>
		<category><![CDATA[password security]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[Web security]]></category>

		<guid isPermaLink="false">http://blog.kamens.brookline.ma.us/~jik/wordpress/?p=931</guid>
		<description><![CDATA[As I wrote earlier today, I just changed my password on over 300 Web sites. In the process, I encountered a large number of sites which simply don&#8217;t know how to do password security properly. Some of these sites are operated by major corporations which are entrusted by their users with confidential and sensitive personal [...]]]></description>
			<content:encoded><![CDATA[<p>As I <a href="/2009/09/29/why-i-just-spent-three-days-changing-my-passwords-on-over-300-web-sites/">wrote earlier today</a>, I just changed my password on over 300 Web sites. In the process, I encountered a large number of sites which simply don&#8217;t know how to do password security properly. Some of these sites are operated by major corporations which are entrusted by their users with confidential and sensitive personal information &#8212; names, addresses, telephone numbers, birthdays, credit-card numbers, etc. It is truly frightening that these corporations fail to properly secure their users&#8217; passwords, and therefore fail to properly secure their users&#8217; personal information.</p>
<p>I am posting this article to highlight the weaknesses I discovered, to shame these sites, with the hope that doing so might perhaps push some of them just a little bit closer to doing the right thing. I am also posting this article to let people know of sites they should be careful about using.</p>
<p>If you know of other sites which don&#8217;t secure their users&#8217; passwords properly, please post about them in comments here and I&#8217;ll add them to the article!</p>
<p>And so, without further ado, I give you&#8230;<span id="more-931"></span></p>
<h2>The password security hall of shame</h2>
<table border="1">
<tbody>
<tr>
<th><span style="text-decoration: underline;">Site</span></th>
<th><span style="text-decoration: underline;">Data sensitivity level</span></th>
<th><span style="text-decoration: underline;">Crimes against password security</span></th>
</tr>
<tr>
<td><strong>ssa.gov (Social Security Administration) Business Services Online</strong></td>
<td><strong>high</strong></td>
<td>Password must be exactly 8 characters long; only numbers and letters; not case sensitive</td>
</tr>
<tr>
<td><strong>fidelity.com</strong></td>
<td><strong>high</strong></td>
<td>Converts both usernames and passwords into corresponding telephone keypad numbers so that they can be shared between telephone and Web access</td>
</tr>
<tr>
<td><strong>vanguard.com</strong></td>
<td><strong>high</strong></td>
<td>Passwords are case-insensitive and limited to 10 characters; spaces and special characters are not allowed</td>
</tr>
<tr>
<td><strong>americanexpress.com</strong></td>
<td><strong>high</strong></td>
<td>Limits passwords to 8 characters, case-insensitive, no spaces or special characters</td>
</tr>
<tr>
<td><strong>myspace.com</strong></td>
<td><strong>high</strong></td>
<td>Stores passwords in plaintext, emails your password to you when you say you forgot it, and limits passwords to 10 characters</td>
</tr>
<tr>
<td><strong>aaa.com</strong></td>
<td><strong>high</strong></td>
<td>Stores passwords in plaintext and emails your password to you when you say you forgot it</td>
</tr>
<tr>
<td><strong>hrsaccount.com</strong> (for HSBC credit cards)</td>
<td><strong>high</strong></td>
<td>Limits passwords to 10 characters</td>
</tr>
<tr>
<td><strong>discovercard.com</strong></td>
<td><strong>high</strong></td>
<td>Limits passwords to 10 characters, letters and numbers only</td>
</tr>
<tr>
<td><strong>benefitaccess.com</strong> (MorganStanley SmithBarney)</td>
<td><strong>high</strong></td>
<td>Doesn&#8217;t allow passwords to contain spaces or non-alphanumeric characters</td>
</tr>
<tr>
<td><strong>mycheckfree.com</strong></td>
<td><strong>high</strong></td>
<td>Limits passwords to 8 characters</td>
</tr>
<tr>
<td><strong>communityroom.net</strong></td>
<td><strong>high</strong></td>
<td>Limits passwords to 8 characters</td>
</tr>
<tr>
<td><strong>iemployee.com</strong></td>
<td><strong>high</strong></td>
<td>Permits only alphanumeric characters; passwords are case-insensitive; limits passwords to 20 characters</td>
</tr>
<tr>
<td><strong>wellsfargo.com</strong></td>
<td><strong>high</strong></td>
<td>Maps alphanumeric passwords to telephone keypad numbers, thus greatly decreasing their complexity and security (<strong>update:</strong> this is <a href="#comment-104866">disputed by Edward Reid</a>)</td>
</tr>
<tr>
<td><strong>detma.org</strong></td>
<td><strong>high</strong></td>
<td>&#8220;Passwords must be exactly 8 characters in length and may not contain special characters (*, &amp;, #, etc.) Passwords must contain at least one letter and one number and are case-sensitive.&#8221;</td>
</tr>
<tr>
<td><strong>Kohl&#8217;s account management</strong></td>
<td>medium</td>
<td>Max length 8 characters; no spaces or special characters</td>
</tr>
<tr>
<td><strong>rcn.com</strong></td>
<td>medium</td>
<td>Max length 10 characters; supports only some special characters; stores passwords in cleartext and makes them visible to service reps</td>
</tr>
<tr>
<td><strong>factstuition.com</strong></td>
<td>medium</td>
<td>Doesn&#8217;t support changing passwords</td>
</tr>
<tr>
<td><strong>thesportsauthority.com</strong></td>
<td>medium</td>
<td>Stores passwords in plaintext and emails your new password to you when you change it</td>
</tr>
<tr>
<td><strong>snaptotes.com</strong></td>
<td>medium</td>
<td>Stores passwords in plaintext and emails your new password to you when you change it</td>
</tr>
<tr>
<td><strong>collegehelpers.com</strong></td>
<td>medium</td>
<td>Stores passwords in plaintext and emails your password to you when you say you forgot it; amusingly, this site says, &#8220;Your information is safe with us! We take your privacy seriously.&#8221;</td>
</tr>
<tr>
<td><strong>elotusland.com</strong></td>
<td>medium</td>
<td>Stores passwords in plaintext and emails your password to you when you say you forgot it</td>
</tr>
<tr>
<td><strong>care2.com</strong></td>
<td>medium</td>
<td>Stores passwords in plaintext and emails your password to you when you say you forgot it</td>
</tr>
<tr>
<td><strong>mazon.org</strong></td>
<td>medium</td>
<td>Stores passwords in plaintext and emails your password to you when you say you forgot it</td>
</tr>
<tr>
<td><strong>lycos.com</strong></td>
<td>medium</td>
<td>Stores passwords in plaintext and emails your password to you when you say you forgot it</td>
</tr>
<tr>
<td><strong>peapod.com / stopandshop.com</strong></td>
<td>medium</td>
<td>Stores passwords in plaintext and emails your password to you when you say you forgot it</td>
</tr>
<tr>
<td><strong>jetblue.com</strong></td>
<td>medium</td>
<td>Stores passwords in plaintext and emails your password to you when you say you forgot it</td>
</tr>
<tr>
<td><strong>hertz.com</strong></td>
<td>medium</td>
<td>Stores passwords in plaintext and emails your password to you when you say you forgot it</td>
</tr>
<tr>
<td><strong>myinterfase.com</strong> (hosts jobs sites for multiple colleges)</td>
<td>medium</td>
<td>Stores passwords in plaintext and displays them, unobscured, on user profile page</td>
</tr>
<tr>
<td><strong>phoneshark.com</strong></td>
<td>medium</td>
<td>Doesn&#8217;t allow passwords to contain non-alphanumeric characters</td>
</tr>
<tr>
<td><strong>cliason.com</strong> (outsourced, offshore customer service provider)</td>
<td>medium</td>
<td>Stores passwords in plaintext, emails your password to you when you say you forgot it, and doesn&#8217;t support changing passwords</td>
</tr>
<tr>
<td><strong>latimes.com</strong></td>
<td>medium</td>
<td>Stores passwords in plaintext, emails your password to you when you say you forgot it, and password change functionality doesn&#8217;t work</td>
</tr>
<tr>
<td><strong>landsend.com</strong></td>
<td>medium</td>
<td>Limits passwords to 8 characters</td>
</tr>
<tr>
<td><strong>createandbarrel.com</strong></td>
<td>medium</td>
<td>Site claims that passwords are limited to 8 characters, but they actually aren&#8217;t</td>
</tr>
<tr>
<td><strong>officedepot.com</strong></td>
<td>medium</td>
<td>Password change functionality doesn&#8217;t work for accounts that haven&#8217;t been used to place orders in a while</td>
</tr>
<tr>
<td><strong>amtrakguestrewards.com</strong></td>
<td>medium</td>
<td>Limits passwords to 10 characters</td>
</tr>
<tr>
<td><strong>followthatpage.com</strong></td>
<td>low</td>
<td>Stores passwords in plaintext and emails your new password to you when you change it</td>
</tr>
<tr>
<td><strong>swingstateproject.com</strong></td>
<td>low</td>
<td>Stores passwords in plaintext and emails your password to you when you say you forgot it</td>
</tr>
<tr>
<td><strong>politico.com</strong></td>
<td>low</td>
<td>Stores passwords in plaintext and emails your password to you when you say you forgot it</td>
</tr>
<tr>
<td><strong>netgear.com</strong></td>
<td>low</td>
<td>Stores passwords in plaintext and emails your password to you when you say you forgot it</td>
</tr>
<tr>
<td><strong>britannica.com</strong></td>
<td>low</td>
<td>Stores passwords in plaintext and emails your password to you when you say you forgot it</td>
</tr>
<tr>
<td><strong>custhelp.com</strong> (provides product support for Motorola and other companies)</td>
<td>low</td>
<td>Stores passwords in plaintext, emails your password to you when you say you forgot it, and doesn&#8217;t support changing passwords</td>
</tr>
<tr>
<td><strong>cnn.com</strong></td>
<td>low</td>
<td>Limits passwords to 10 characters</td>
</tr>
</tbody>
</table>
<p>NOTES:</p>
<ol>
<li>When I write that a Web site stores passwords in plaintext, it is possible that in fact passwords are encrypted using symmetric encryption in the site&#8217;s database. However, I consider this little better than not encrypting them at all, because (a) such passwords are still vulnerable to being stolen easily by an employee or contractor with legitimate access to the database, and (b) if an attacker is able to steal the database, he will probably also be able to steal or crack the key used to encrypt the passwords. For these reasons, and because it is impossible to distinguish as a user of the site whether the passwords are stored with encryption or in plaintext, I make no such distinctions above.</li>
<li>The problems described above for any particular site are not necessarily a complete list of that site&#8217;s problems; they represent only the problems I know about.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://blog.kamens.us/2009/09/29/password-security-hall-of-shame/feed/</wfw:commentRss>
		<slash:comments>23</slash:comments>
		</item>
			<item>
		<title>Why I just spent three days changing my passwords on over 300 Web sites</title>
		<link>http://blog.kamens.us/2009/09/29/why-i-just-spent-three-days-changing-my-passwords-on-over-300-web-sites/</link>
		<comments>http://blog.kamens.us/2009/09/29/why-i-just-spent-three-days-changing-my-passwords-on-over-300-web-sites/#comments</comments>
		<pubDate>Tue, 29 Sep 2009 06:18:22 +0000</pubDate>
		<dc:creator>jik</dc:creator>
				<category><![CDATA[Computer Security]]></category>
		<category><![CDATA[Computers]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Web]]></category>
		<category><![CDATA[EasyPG]]></category>
		<category><![CDATA[GPG]]></category>
		<category><![CDATA[OpenID]]></category>
		<category><![CDATA[password managers]]></category>
		<category><![CDATA[password reuse]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[picking passwords]]></category>

		<guid isPermaLink="false">http://blog.kamens.brookline.ma.us/~jik/wordpress/?p=876</guid>
		<description><![CDATA[&#8220;Hi, my name is jik, and I&#8217;m a password reuser.&#8221; &#8220;Hi, jik!&#8221; If there isn&#8217;t a &#8220;Password Reusers Anonymous&#8221;, there probably should be. By &#8220;password reuse,&#8221; I mean using the same password over and over on multiple Web sites.  It&#8217;s a really bad idea, and I should know that better than most, since I&#8217;ve worked [...]]]></description>
			<content:encoded><![CDATA[<p><em>&#8220;Hi, my name is jik, and I&#8217;m a password reuser.&#8221;</em></p>
<p><em>&#8220;Hi, jik!&#8221;</em></p>
<p>If there isn&#8217;t a &#8220;Password Reusers Anonymous&#8221;, there probably should be.</p>
<p>By &#8220;password reuse,&#8221; I mean using the same password over and over on multiple Web sites.  It&#8217;s a really bad idea, and I should know that better than most, since I&#8217;ve worked on and off in the field of computer security for over two decades.</p>
<div>It&#8217;s a bad idea because lots of Web sites don&#8217;t protect passwords like they&#8217;re supposed to.  A properly designed Web site doesn&#8217;t store your actual password; only a cryptographic hash of the password is kept.  However, there are all too many Web sites which <em>do</em> keep your actual password, and so if you use the same password on multiple sites, you make yourself vulnerable in several ways:</div>
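<p>The hash-only storage this paragraph describes, together with the reset flow a site should use instead of emailing the password back (the plaintext-storage entries and note 1 of the hall of shame above), as an added example that is no site&#8217;s actual code: the in-memory account table, the iteration count and the record format are assumptions.</p>

```python
"""Password storage that keeps only a salted, slow hash, plus a one-time
reset token in place of "emailing your password to you".  Added example,
not any site's code; the work factor and record format are assumed."""
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumed value)
SCHEME = "pbkdf2_sha256"


def hash_password(password):
    """Return a self-describing record: scheme$iterations$salt_hex$hash_hex.
    A fresh random salt means two users with the same password get
    different records, and a stolen table cannot be attacked with one
    precomputed list of hashes."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return "%s$%d$%s$%s" % (SCHEME, ITERATIONS, salt.hex(), digest.hex())


def verify_password(record, candidate):
    """Recompute the hash from the stored salt and compare in constant time.
    Nothing here can run backwards: the record never yields the password."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != SCHEME:
        raise ValueError("unknown password scheme: %s" % scheme)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


class UserStore:
    """In-memory stand-in for a site's account table (assumed, not real).
    Contrast with the plaintext or symmetric-encryption stores in the table
    above: an employee or a database thief who reads this table gets salts
    and hashes, not passwords to try on other sites."""

    def __init__(self):
        self._users = {}    # email -> password record
        self._resets = {}   # sha256(token) hex -> email, consumed on use

    def register(self, email, password):
        self._users[email] = hash_password(password)

    def login(self, email, password):
        record = self._users.get(email)
        return record is not None and verify_password(record, password)

    def stored_record(self, email):
        """What someone with database access would see for this account."""
        return self._users[email]

    def request_reset(self, email):
        """The 'forgot my password' path: mail a random one-time token,
        not the password.  Only the token's hash is kept server-side, so
        the table is no more useful to a thief than the password table."""
        if email not in self._users:
            return None
        token = secrets.token_urlsafe(32)
        self._resets[hashlib.sha256(token.encode()).hexdigest()] = email
        return token

    def reset_password(self, token, new_password):
        """Consume the token (it works exactly once) and set a new hash."""
        key = hashlib.sha256(token.encode()).hexdigest()
        email = self._resets.pop(key, None)
        if email is None:
            return False
        self._users[email] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.register("user@example.com", "correct horse battery staple")
    print("stored:", store.stored_record("user@example.com"))
    print("login ok:", store.login("user@example.com",
                                   "correct horse battery staple"))
    token = store.request_reset("user@example.com")
    print("reset accepted:", store.reset_password(token, "new-example-pw"))
    print("token reuse accepted:", store.reset_password(token, "again"))
```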
<div>
<ol>
<li>Operators of a bad Web site could use users&#8217; passwords to log on to other sites where the users have accounts.  If you think this would never happen, take a look at how many credit-card skimming operations are perpetrated by store owners, waiters, etc. (including <a href="http://www.universalhub.com/node/11645" target="_blank">this one</a>, which I personally got snared in through the use of my corporate AmEx card).</li>
<li>An operator of the site could sell its database of email addresses and passwords to hackers, who could then use them to make large-scale attempts to break into accounts on other sites.</li>
<li>Even without the cooperation of the Web site&#8217;s operators, a hacker could break into the site, steal the account database, and use it as described above.</li>
<li>Many of these Web sites will email your password to your email account if you tell the site that you&#8217;ve forgotten it.  If someone breaks into your email account, they can look at old messages to see what sites you have accounts at, tell one of those sites to email your password, and then use that password to log into the <em>other</em> sites you&#8217;ve used.</li>
<li>If you are the kind of person who has to worry about keeping things private from family members, the problem above is even worse, since they can look in your browser history, not just old messages in your mailbox, to find out what sites you&#8217;ve visited and may have accounts at.</li>
</ol>
</div>
<p>But the biggest problem by far, which dwarfs all the problems listed above, is: <strong>If your password is somehow compromised, then you need to change it on every Web site on which you&#8217;ve used it.</strong></p>
<p>If using the same password on multiple Web sites is such a bad idea, then why do so many people do it?  Simply put, because it&#8217;s easier to remember one password than it is to create and remember hundreds of them.  And if you can&#8217;t remember them, then you need to write them all down on a list somewhere, and find a way to both keep the list secure and make it accessible whenever and wherever you need it.  There are some available tools to make this easier, but the best ones cost money, and not many people are savvy enough to go looking for tools to handle this sort of thing.</p>
<p>I fell into the password reuse trap years ago, when data breach incidents were few and far between and tools for managing passwords didn&#8217;t exist.  Old habits die hard, and I never broke this one.  And so, since last week, when the password I&#8217;ve been using as my standard third-party Web site password for well over a decade was compromised (I will post later about <em>how</em> it was compromised), I&#8217;ve had to spend every available moment changing my password on over 300 Web sites.  Believe me, it took a while.</p>
<p><span id="more-876"></span>In the process, I learned some very scary things about the state of password security on the Web.  Sites that store passwords in plain-text, email them to you upon demand, limit passwords to insecure lengths or severely restrict what characters can appear in them, don&#8217;t support changing passwords at all, claim to support it but it doesn&#8217;t actually work&#8230; I saw it all, and I must say I was surprised.  I&#8217;ll be shaming the guilty in a separate blog posting, but in the meantime, I want to offer the following advice to others:</p>
<ol>
<li>If you&#8217;re using the same password on multiple Web sites, then <strong>stop it right now.</strong> Really.</li>
<li>One option to consider for limiting the number of passwords you need to remember is <a href="http://openid.net/" target="_blank">OpenID</a>.  However, it isn&#8217;t supported everywhere, so you&#8217;ll probably have to use a different approach in addition to this one.  Therefore, it might not be worth bothering with it.</li>
<li>Another option is to use a tool such as <a href="http://www.sxipper.com/" target="_blank">Sxipper</a> or <a href="http://www.mitto.com/" target="_blank">Mitto</a> to manage your passwords.  I&#8217;m not endorsing those two particular tools; they&#8217;re just two that I know about; you can find many more by Googling for &#8220;password manager.&#8221;  I write a bit more about password managers <a href="#password-managers">below</a>.</li>
<li>The solution I ended up settling on was to classify the sites I use into three tiers &#8212; trusted, untrusted secure, and untrusted &#8212; assign a different type of password to sites in each tier (more on this <a href="#picking-passwords">below</a>), and keep track of all the passwords in a file on my hard disk encrypted with <a href="http://www.gnupg.org/" target="_blank">GPG</a>.  This turned out to be somewhat easier than expected because the newest version of GNU Emacs (the text editor I use) <a href="http://www.emacswiki.org/emacs/EasyPG" target="_blank">knows how to handle &#8220;.gpg&#8221; files automatically</a>, so it automatically prompts me for my GPG passphrase and decrypts the password file each time I load it into Emacs, and encrypts it automatically when I make changes and save it.  I also use Sxipper with Firefox at home (but not at work) to reduce the frequency with which I have to consult my encrypted password file.</li>
</ol>
<h2><a name="password-managers">More on password managers</a></h2>
<p>Password managers come in three varieties:</p>
<ul>
<li><strong>Local</strong> &#8212; stores your data locally on a single computer and makes it accessible there only (sometimes for just one type of browser, sometimes for different types)</li>
<li><strong>Local with export</strong> &#8212; stores your data locally but allows it to be exported and copied to other computers and sometimes to other types of devices, e.g., SmartPhones.  Might also allow the data to be stored on a thumb drive so that you can take your passwords with you simply by unplugging the thumb drive and plugging it into a different computer.</li>
<li><strong>Online</strong> &#8212; stores your data on a central server and makes it available to multiple computers, perhaps multiple types of browser, and perhaps different devices such as SmartPhones as well.</li>
<li><strong>Algorithmic</strong> &#8212; generates passwords on the fly based on a single &#8220;master password&#8221; and the URL of the Web site.  See, for example, http://passwordmaker.org/.</li>
</ul>
<p>The biggest advantage of a local password manager is that you aren&#8217;t trusting your data to someone else.  Whether you are willing to trust a third party on the Internet with all of your account usernames and passwords is something you will need to decide after carefully examining the provider&#8217;s security and privacy policies and documentation and then deciding whether you actually believe them.  Anybody can claim that their servers are secure and their data is encrypted, but what if they&#8217;re lying?</p>
<p>The biggest advantage of an online password manager is that they (supposedly) back up the data for you, you don&#8217;t have to worry about losing it if you lose your computer, and it is extremely easy to use it from multiple computers and perhaps even different kinds of devices.</p>
<p>The biggest advantage of an algorithmic password manager is that there&#8217;s no list of passwords to store or copy between computers.  The biggest disadvantage is that it will have trouble at sites with stupid restrictions on passwords, such as the many Web sites I list in my <a href="/pwshame">Password Security Hall of Shame</a>.  In my opinion, algorithmic password generators are a clever idea, but one that falls just a little short of good enough in the real world for people who use lots of Web sites. (Thanks to Robert Munro for bringing up this type of password manager.)</p>
<p>If you want to try a password manager, then first decide which type you&#8217;re comfortable using, then decide what features you want (Which browsers does it need to work with?  Does it need to support your SmartPhone?  Do you want thumb drive support?  Do you want the data to be encrypted automatically?  Do you want it to require you to enter a master password every time it authenticates you anywhere?  Do you need it to let you export your data and import it elsewhere?  Etc.), then Google for &#8220;password managers&#8221; and look for one that has the features you want.  You may also wish to search for &#8220;password manager comparisons&#8221; and take a look at some of the results.</p>
<p>If you do use a password manager, then you need to either (a) keep track of your passwords outside of the password manager as well, e.g., in an encrypted file, and just use the password manager as a convenience tool so you don&#8217;t have to constantly look up passwords in the file, or (b) make sure that the data in the password manager is backed up regularly, <em>and</em> that the password manager will let you export all of your passwords in plain-text should you need to do so (e.g., when you decide to stop using the password manager), so you won&#8217;t get locked out of all of your sites.</p>
<h2><a name="picking-passwords">More on picking passwords</a></h2>
<p>As mentioned above, I divide the Web sites I use into three tiers, and I use a different method for choosing the password to assign to sites in each tier.</p>
<p>A <strong>trusted</strong> site is one which I use very often, which I believe stores passwords correctly (i.e., as cryptographic hashes), and which otherwise seems to have a clue about security.  I decided to use the same password for all of these sites, but at the same time, I keep the number of such sites to a minimum to reduce my exposure and the number of passwords I&#8217;ll need to change if the password is compromised.  Thus far, I&#8217;ve put only three sites out of more than 300 in this tier, and I maintain two of them ;-).</p>
<p>An <strong>untrusted secure</strong> site is one that I believe stores passwords correctly, but I&#8217;m not absolutely certain and it isn&#8217;t worth the effort of finding out.  For these sites, I use an <em>algorithmic password</em>, i.e., I start with the same template password and then modify it based on the domain name of the site.  For example, a simple algorithm (no, it&#8217;s <em>not</em> the one I use!) might be to take the first and last letters of the domain name and wrap them around the template, such that the template password &#8220;fRoOdLe5&#8221; and the Web site &#8220;www.microsoft.com&#8221; would yield the password &#8220;mfRoOdLe5t&#8221;.  Algorithmic passwords make it unnecessary to remember different passwords for every site, and they increase security to some extent, because a hacker using a stolen password list to attempt large-scale break-ins on other sites probably isn&#8217;t going to take the time to look at all the passwords and try to figure out people&#8217;s algorithms.  However, they don&#8217;t protect you very well from targeted attacks, so if you&#8217;ve got a roommate you don&#8217;t trust, I wouldn&#8217;t advise it.</p>
<p>An <strong>untrusted</strong> site is just what it sounds like.  In some cases, I know for a fact that the site stores passwords in plain-text, and in others, I suspect as much or haven&#8217;t bothered to find out because I use the site so infrequently that it just doesn&#8217;t matter.  For each of these sites, I use a program to generate a different ten-character random password consisting of eight letters plus two numbers.  I had to make the password shorter than that at some sites which stupidly limit passwords to fewer than ten characters (ugh!).</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.kamens.us/2009/09/29/why-i-just-spent-three-days-changing-my-passwords-on-over-300-web-sites/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
	</channel>
</rss>
