Why I just spent three days changing my passwords on over 300 Web sites

By | September 29, 2009

“Hi, my name is jik, and I’m a password reuser.”

“Hi, jik!”

If there isn’t a “Password Reusers Anonymous”, there probably should be.

By “password reuse,” I mean using the same password over and over on multiple Web sites.  It’s a really bad idea, and I should know that better than most, since I’ve worked on and off in the field of computer security for over two decades.

It’s a bad idea because lots of Web sites don’t protect passwords like they’re supposed to.  A properly designed Web site doesn’t store your actual password; only a cryptographic hash of the password is kept.  However, there are all too many Web sites which do keep your actual password, and so if you use the same password on multiple sites, you make yourself vulnerable in several ways:
  1. Operators of a bad Web site could use users’ passwords to log on to other sites where the users have accounts.  If you think this would never happen, take a look at how many credit-card skimming operations are perpetrated by store owners, waiters, etc. (including this one, which I personally got snared in through the use of my corporate AmEx card).
  2. An operator of the site could sell its database of email addresses and passwords to hackers, who could then use them to make large-scale attempts to break into accounts on other sites.
  3. Even without the cooperation of the Web site’s operators, a hacker could break into the site, steal the account database, and use it as described above.
  4. Many of these Web sites will email your password to your email account if you tell the site that you’ve forgotten it.  If someone breaks into your email account, they can look at old messages to see what sites you have accounts at, tell one of those sites to email your password, and then use that password to log into the other sites you’ve used.
  5. If you are the kind of person who has to worry about keeping things private from family members, the problem above is even worse, since they can look in your browser history, not just old messages in your mailbox, to find out what sites you’ve visited and may have accounts at.

But the biggest problem by far, which dwarfs all the problems listed above, is: If your password is somehow compromised, then you need to change it on every Web site on which you’ve used it.

If using the same password on multiple Web sites is such a bad idea, then why do so many people do it?  Simply put, because it’s easier to remember one password than it is to create and remember hundreds of them.  And if you can’t remember them, then you need to write them all down on a list somewhere, and find a way to both keep the list secure and make it accessible whenever and wherever you need it.  There are some available tools to make this easier, but the best ones cost money, and not many people are savvy enough to go looking for tools to handle this sort of thing.

I fell into the password reuse trap years ago, when data breach incidents were few and far between and tools for managing passwords didn’t exist.  Old habits die hard, and I never broke this one.  And so, since last week, when the password I’ve been using as my standard third-party Web site password for well over a decade was compromised (I will post later about how it was compromised), I’ve had to spend every available moment changing my password on over 300 Web sites.  Believe me, it took a while.

In the process, I learned some very scary things about the state of password security on the Web.  Sites that store passwords in plain-text, email them to you upon demand, limit passwords to insecure lengths or severely restrict what characters can appear in them, don’t support changing passwords at all, claim to support it but it doesn’t actually work… I saw it all, and I must say I was surprised.  I’ll be shaming the guilty in a separate blog posting, but in the meantime, I want to offer the following advice to others:

  1. If you’re using the same password on multiple Web sites, then stop it right now. Really.
  2. One option to consider for limiting the number of passwords you need to remember is OpenID.  However, it isn’t supported everywhere, so you’ll probably have to use a different approach in addition to this one.  Therefore, it might not be worth bothering with it.
  3. Another option is to use a tool such as Sxipper or Mitto to manage your passwords.  I’m not endorsing those two particular tools; they’re just two that I know about; you can find many more by Googling for “password manager.”  I write a bit more about password managers below.
  4. The solution I ended up settling on was to classify the sites I use into three tiers — trusted, untrusted secure, and untrusted — assign a different type of password to sites in each tier (more on this below), and keep track of all the passwords in a file on my hard disk encrypted with GPG.  This turned out to be somewhat easier than expected because the newest version of GNU Emacs (the text editor I use) knows how to handle “.gpg” files automatically, so it automatically prompts me for my GPG passphrase and decrypts the password file each time I load it into Emacs, and encrypts it automatically when I make changes and save it.  I also use Sxipper with Firefox at home (but not at work) to reduce the frequency with which I have to consult my encrypted password file.

More on password managers

Password managers come in three varieties:

  • Local — stores your data locally on a single computer and makes it accessible there only (sometimes for just one type of browser, sometimes for different types)
  • Local with export — stores your data locally but allows it to be exported and copied to other computers and sometimes to other types of devices, e.g., SmartPhones.  Might also allow the data to be stored on a thumb drive so that you can take your passwords with you simply by unplugging the thumb drive and plugging it into a different computer.
  • Online — stores your data on a central server and makes it available to multiple computers, perhaps multiple types of browser, and perhaps different devices such as SmartPhones as well.
  • Algorithmic — generates passwords on the fly based on a single “master password” and the URL of the Web site.  See, for example, http://passwordmaker.org/.

The biggest advantage of a local password manager is that you aren’t trusting your data to someone else.  Whether you are willing to trust a third-party on the Internet with all of your account usernames and passwords is something you will need to decide after carefully examining the provider’s security and privacy policies and documentation and then deciding whether you actually believe them.  Anybody can claim that their servers are secure and their data is encrypted, but what if they’re lying?

The biggest advantage of an online password manager is that they (supposedly) back up the data for you, you don’t have to worry about losing it if you lose your computer, and it is extremely easy to use it from multiple computers and perhaps even different kinds of devices.

The biggest advantage of an algorithmic password manager is that there’s no list of passwords to store or copy between computers.  The biggest disadvantage is that it will have trouble at sites with stupid restrictions on passwords, such as the many Web sites I list in my Password Security Hall of Shame.  In my opinion, algorithmic password generators are a clever idea, but one that falls just a little short of good enough in the real world for people who use lots of Web sites. (Thanks to Robert Munro for bringing up this type of password manager.)
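To make the algorithmic approach concrete, here is an added example (my own illustration, not code from passwordmaker.org or from the original post) of a stateless derivation: a slow keyed hash of a master password, salted with the site's domain, mapped onto whatever alphabet the site accepts. The master passphrase and domain names are constructed placeholders; the block also shows why a site that renames its domain, or that rejects a character class, breaks the scheme.

```python
import hashlib
import string

ALNUM = string.ascii_letters + string.digits


def derive_site_password(master: str, domain: str, length: int = 12,
                         alphabet: str = ALNUM, iterations: int = 100_000) -> str:
    """Stateless derivation in the passwordmaker style: a slow keyed hash
    of the master password, salted with the site's domain, mapped onto the
    characters the site accepts.  Nothing is stored anywhere; the same
    (master, domain, options) always reproduce the same password.
    This is an illustration, not passwordmaker.org's actual algorithm."""
    if length <= 0 or not alphabet:
        raise ValueError("need a positive length and a non-empty alphabet")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              domain.lower().encode("utf-8"),
                              iterations, dklen=2 * length)
    # Two bytes of key material per output character.  65536 is not a
    # multiple of len(alphabet), so the modulo has a bias of about one part
    # in 65536 // len(alphabet); fine for a demo, but a real tool should use
    # rejection sampling instead.
    return "".join(alphabet[int.from_bytes(key[i:i + 2], "big") % len(alphabet)]
                   for i in range(0, len(key), 2))


if __name__ == "__main__":
    master = "constructed-master-passphrase"  # placeholder, not a real secret
    # If the site renames its domain, the derived password changes while the
    # site still expects the old one.
    print(derive_site_password(master, "old-isp.example"))
    print(derive_site_password(master, "new-isp.example"))
    # A site that rejects digits needs a different alphabet option, and that
    # option then has to be remembered for that site.
    print(derive_site_password(master, "nodigits.example",
                               alphabet=string.ascii_letters))
```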

If you want to try a password manager, then first decide which type you’re comfortable using, then decide what features you want (Which browsers does it need to work with?  Does it need to support your SmartPhone?  Do you want thumb drive support?  Do you want the data to be encrypted automatically?  Do you want it to require you to enter a master password every time it authenticates you anywhere?  Do you need it to let you export your data and import it elsewhere?  Etc.), then Google for “password managers” and look for one that has the features you want.  You may also wish to search for “password manager comparisons” and take a look at some of the results.

If you do use a password manager, then you need to either (a) keep track of your passwords outside of the password manager as well, e.g., in an encrypted file, and just use the password manager as a convenience tool so you don’t have to constantly look up passwords in the file, or (b) make sure that the data in the password manager is backed up regularly, and that the password manager will let you export all of your passwords in plain-text should you need to do so (e.g., when you decide to stop using the password manager), so you won’t get locked out of all of your sites.

More on picking passwords

As mentioned above, I divide the Web sites I use into three tiers, and I use a different method for choosing the password to assign to sites in each tier.

A trusted site is one which I use very often, which I believe stores passwords correctly (i.e., as cryptographic hashes), and which otherwise seems to have a clue about security.  I decided to use the same password for all of these sites, but at the same time, I keep the number of such sites to a minimum to reduce my exposure and the number of passwords I’ll need to change if the password is compromised.  Thus far, I’ve put only three sites out of more than 300 in this tier, and I maintain two of them ;-).

An untrusted secure site is one that I believe stores passwords correctly, but I’m not absolutely certain and it isn’t worth the effort of finding out.  For these sites, I use an algorithmic password, i.e., I start with the same template password and then modify it based on the domain name of the site.  For example, a simple algorithm (no, it’s not the one I use!) might be to take the first and last letters of the domain name and wrap them around the template, such that the template password “fRoOdLe5” and the Web site “www.microsoft.com” would yield the password “mfRoOdLe5t”.  Algorithmic passwords make it unnecessary to remember different passwords for every site, and they increase security to some extent, because a hacker using a stolen password list to attempt large-scale break-ins on other sites probably isn’t going to take the time to look at all the passwords and try to figure out people’s algorithms.  However, it doesn’t protect you very well from targeted attacks, so if you’ve got a roommate you don’t trust, I wouldn’t advise it.

An untrusted site is just what it sounds like.  In some cases, I know for a fact that the site stores passwords in plain-text, and in others, I suspect as much or haven’t bothered to find out because I use the site so infrequently that it just doesn’t matter.  For each of these sites, I use a program to generate a different ten-character random password consisting of eight letters plus two numbers.  I had to make the password shorter than that at some sites which stupidly limit passwords to fewer than ten characters (ugh!).
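The two derivation rules for the untrusted secure and untrusted tiers above, as an added example that is not part of the original post: the toy first-and-last-letter wrapping using the post's own “fRoOdLe5” template, and a ten-character letters-plus-digits generator drawn from the OS CSPRNG, with a shorter length for sites that cap password length. The site_label helper assumes the second-to-last DNS label is the site name.

```python
import secrets
import string
from urllib.parse import urlsplit


def site_label(url_or_host: str) -> str:
    """Return the label the post keys on: 'microsoft' for
    'https://www.microsoft.com/x' or 'www.microsoft.com'.
    Assumption: the second-to-last label is the site name (no
    public-suffix handling, so 'example.co.uk' yields 'co')."""
    target = url_or_host if "://" in url_or_host else "//" + url_or_host
    parts = (urlsplit(target).hostname or "").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def wrap_template(template: str, url_or_host: str) -> str:
    """The post's toy 'untrusted secure' rule: first and last letters of
    the site label wrapped around a fixed template.  A site that renames
    its domain gets a different derived password."""
    label = site_label(url_or_host)
    if not label:
        raise ValueError("no site label in %r" % url_or_host)
    return label[0] + template + label[-1]


def random_password(length: int = 10, digits: int = 2) -> str:
    """'Untrusted' tier: eight letters plus two digits by default, drawn from
    the OS CSPRNG via secrets (never the random module).  Pass a smaller
    length for sites that cap password length."""
    if not 0 <= digits <= length:
        raise ValueError("digits must be between 0 and length")
    chars = [secrets.choice(string.ascii_letters) for _ in range(length - digits)]
    chars += [secrets.choice(string.digits) for _ in range(digits)]
    secrets.SystemRandom().shuffle(chars)  # digits not always at the end
    return "".join(chars)


def meets_rule(pw: str, length: int = 10, digits: int = 2) -> bool:
    """Check a generated password against the tier's composition rule."""
    return (len(pw) == length and pw.isalnum()
            and sum(c.isdigit() for c in pw) == digits)


if __name__ == "__main__":
    # Constructed demo inputs; "fRoOdLe5" is the post's own toy template.
    print(wrap_template("fRoOdLe5", "www.microsoft.com"))  # mfRoOdLe5t
    print(random_password())          # varies on every run
    print(random_password(length=8))  # for a site that caps at 8 characters
```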


10 thoughts on “Why I just spent three days changing my passwords on over 300 Web sites”

  1. Curt Sampson

    My issue with OpenID is that, should your OpenID be compromised somehow, it still allows access to many different sites, rather than just one. So I use “local” registration rather than OpenID unless I have no other option.

    I invariably use a different, randomly generated 12-character password for each site. (It always includes at least one number and mixed case, and also punctuation if the site allows it; I use a program called “apg” to generate these.)

    I’ve found that Firefox’s password manager (using a “master password” to encrypt the database of sites) works well for most of my sites, especially when combined with the Sync plug-in so I can use it across multiple machines.

    But for the ones I’m more paranoid about (such as my banking sites) I don’t use that; I fall back to copy/paste from my master file of passwords, encrypted with GnuPG. (Note that this, or one of these, rather, also contains all of my web passwords should the Firefox database become corrupted.)

  2. Pingback: The wrong way to be a good samaritan « Something better to do

  3. Amos Shapir

    I don’t think it’s wise to use an automatic passwords generator which relies on a site’s URL. My home ISP had changed its name, and its URL with it, no less than 5 times in the past 10 years; each time its mail server would automatically redirect to the new site. Consequently, an automatic password generator might be seeing a different site name when accessing such a site, than the one it had used when creating the password initially.

  4. Robert (Jamie) Munro

    There is a fourth category of password manager application – that doesn’t store any passwords whatsoever. It generates them on the fly with a hash of the URL of the site you are looking at and a master password.

    For example, http://passwordmaker.org/

    Of course, the problem with this is that if you reveal your master password, you still need to change all the passwords on all the sites, but it is a lot less likely that you will do so, because you never send that password to any sites.

    Another problem is that some sites require, for example, at least one number in the password, and others break if you have a number. So sometimes you have to set options in the password generator to change the password it generates, and you may have difficulty remembering the specific options you chose.

  5. Tony Toews

    I’ve always had different passwords to different sites but I was storing the passwords in a security by obscurity method which was quite insecure otherwise. I switched to KeePass which is also an open source tool hosted on SourceForge.

    I once got a panicked phone call from a friend. Their father had just unexpectedly died and they had no idea what his Quicken password was so they could take care of financial business of his estate.

    The first password on the list isn’t a password. It’s several paragraphs of text mentioning my Windows password, my backup password, where my backups are stored and most importantly the master password to the KeePass file. This has been printed and placed in a sealed envelope and given to a few close family members.

    KeePass then generates random passwords. One problem though is that some sites don’t allow you to use the full 20 characters. You have to watch for that as otherwise weird things can happen.

    Windows and KeePass allow for pass phrases. Which I use. These phrases are five or eight words long with a numeric or special character twist in there somewhere.

    KeePass then allows you the ability to visit websites, press a hot key sequence and have the userid and password inserted into the fields. Which is a very nice timesaver.

    Trouble is of course, I’m now chained to my laptop. Oh well, it’s always nearby.

  6. Eric

    When to reuse a password should be a decision based upon evaluating whether the convenience is worth the risk. Frequently there are only a few web sites where something bad is likely to happen if somebody else got both your username and your password – usually an email account, social networking web site or a web site where somebody could somehow spend or steal your money.

    Do you really care that somebody can read articles on the NYTimes web site using your identity?

  7. Pingback: WordPress inadvertent disclosure bug « Something better to do

  8. Pingback: Password security hall of shame « Something better to do

  9. abbasegal

    Is this related to the email I sent you the other day?

    Anyway, I like PasswordSafe which was plugged (and I think originally designed by) Bruce Schneier, but is now an open-source sourceforge project (http://passwordsafe.sourceforge.net/). Bruce recommends letting Password Safe generate random passwords for everything, and then using it for everything. I don’t do that across the board, since it means I can’t log in to sites from a computer that is not my main computer, but that would be the most secure method (corresponding to your “untrusted” method).

    1. jik Post author

      Is this related to the email I sent you the other day?

      Yes.

      I’m giving the maintainers of the software a chance to respond to my security incident report before I post more about it publicly.

