What I learned from resetting over 300 passwords

Lessons learned from auditing and resetting all passwords after the LastPass breach

Page 2 of 2

My first challenge was simply gathering a list of websites that I needed to audit. The accounts I've logged into in the last five years or so were easy to gather - they were in KeePass, LastPass or in various note-taking programs. Almost 25 years of Internet usage meant there were presumably hundreds of accounts that I hadn't logged into for over a decade that might have weak passwords and my personal information. After scouring my memory, emails and receipts, I had a working list of just over 300 accounts.


Now the hard work started. I logged into (or tried to log into) each site, used the site's "Change Password" or "Forgot Password" function and slowly worked my way through the list. It took a weekend but I finished - and I learned a lot. I learned much about the general state of password and account security on major sites on the Internet. I also learned about my own password habits and how they have changed and evolved over the years.

Here are some of the major things I've learned:

  • A few sites still have terrible username/password rules. I came across three websites, two government and one quasi-government, that had my Social Security number as the username and a four-digit PIN as a password. This is terrible, for several reasons. Usernames are usually not hashed, so my SSN is sitting out there along with my real, full name. A four-digit PIN isn't a password at all anymore and can be guessed using a brute-force attack in under a day on modest computing hardware. If websites still use this as the main method of authentication, do they have the ability to detect and respond to a breach? Probably not. I have to use these sites, so I changed my PIN, made a ritual offering to the Patron Saint of Identity Theft and moved on. I'm lucky that I have free credit monitoring for a very long time, courtesy of Anthem, Target and Home Depot. I'll need it.
  • Many sites still email forgotten passwords. When a user goes through the process to recover a lost password, many sites will email the current password. This is bad for two reasons: first, this means they are storing the password in plaintext. A site should never do this – a password should always be stored as an irreversible cryptographic hash. Second, email is a very insecure method of transmitting data. Always operate with the thought that email is compromised and being read by third parties. Emailing the current password (bad) or a temporary password (not as bad, but still bad) is not secure.
  • Many sites force users to use weak passwords. About a quarter of the sites that I visited did not allow me to use special characters or passwords over 12 characters in length. If there were a data breach and an attacker got hold of the hashed passwords, it would be much easier to crack the passwords than if strong passwords were required.

Tips for Users:

  • Take an active role in protecting your personal information. We're at the point now where it's not enough to sign up for a service, give all your personal information and just assume they will protect it. Data breaches are the new normal. Use strong, unique passwords when possible and be judicious about giving out personal information. If a site does not employ good security practices and you have a choice in the matter, move on. Use a different service.
  • Consider using a password manager. There are, of course, drawbacks to storing passwords centrally, but there are many benefits. Evaluate your own risks. For the average user, the biggest threat is a data breach at one of the sites they commonly use. Password managers allow users to very easily use a strong, unique password for each site. This considerably limits the damage from a data breach.
  • Be careful with cognitive passwords. Cognitive passwords, also known as "knowledge-based authentication," are a common way sites allow secondary access to an account. Upon account creation, sites ask the user a series of questions, such as "What city were you born in?" and "What is your mother's maiden name?" When you come across these, ask yourself two questions: First, can the answers be obtained on Facebook, LinkedIn or public records? Second, what will happen if an attacker gains access to these answers? Can they use the answers to gain access to other accounts on other sites? Sites should store these answers as a one-way, non-reversible hash, but many do not. Consider giving a non-answer - a string of characters or a nonsensical answer to the questions - and store the questions and answers in your password manager.
  • Your primary email account is the key to the kingdom. Protect it like no other. In most cases, I could reset my password for a site via my email account, whether it was a reset link or a temporary password. If an attacker gained access to a victim's primary email account, they could do exactly what I did and reset the passwords to hundreds of websites. This could be devastating on many levels. Use a very strong password on your email account and never, ever reuse this password anywhere else. Enable two-step or two-factor authentication on your email account. If your provider does not offer this feature, consider moving to one that does.
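As an added illustration (Python written for this edit, not code from the article or from any site it describes) of two storage points made above: a site that holds only a salted, slow, one-way hash of the password has nothing it could email back, so a forgotten-password flow can only issue a random, expiring reset token; and knowledge-based answers deserve the same one-way treatment, normalized first because people type them inconsistently. The PBKDF2 iteration count and the 15-minute token lifetime are assumed values.

```python
import hashlib
import hmac
import os
import secrets
import time
import unicodedata
from typing import Optional, Tuple

# PBKDF2-HMAC-SHA256 work factor; an assumed value, tune it for your own hardware.
ITERATIONS = 600_000
RESET_TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed policy)

def hash_secret(secret: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow, one-way hash. Stored form: iterations$salt_hex$digest_hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_secret(secret: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor, compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def normalize_answer(answer: str) -> str:
    """KBA answers are typed by people: fold case, Unicode form and whitespace
    so "  Springfield " and "springfield" hash to the same value."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())

def hash_answer(answer: str) -> str:
    return hash_secret(normalize_answer(answer))

def verify_answer(answer: str, stored: str) -> bool:
    return verify_secret(normalize_answer(answer), stored)

def issue_reset_token(now: Optional[float] = None) -> Tuple[str, float]:
    """With only a hash on file there is no password to email; the recovery flow
    mails a random, single-use token and lets the user choose a new password."""
    now = time.time() if now is None else now
    return secrets.token_urlsafe(32), now + RESET_TOKEN_TTL

def reset_token_valid(presented: str, issued: str, expires_at: float, now: float) -> bool:
    """A token is good only until expiry; once used it should be deleted by the caller."""
    return now < expires_at and hmac.compare_digest(presented, issued)
```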

After my exercise was complete, I was humbled and surprised at the inconsistency of password management techniques across different sites. Even when sites say they use strong security or claim they delete personal information, many times they do not, as was the case with Ashley Madison. The only way to adequately protect yourself is to take an active role in your own account management.

Copyright © 2015 IDG Communications, Inc.
