November 21, 2012
How often do you change your online passwords? If you are like the vast majority of us then the answer is not nearly often enough. Until recently I fell into the same category, and fixing that took a little bit of doing.
One day several months ago I looked at Theresa and said ‘I think I am going to change all of my on-line passwords today.’ Easier said than done.
The first problem that I encountered was not an easy one – what passwords do I have? I figured I must have dozens if not hundreds of on-line accounts. Creating a list of all of them was a task I was not looking forward to.
Like so many other things that I discuss, the old truism applies: If you cannot measure it then you cannot manage it. I had to figure out a way to start tracking my on-line accounts. Where should I start?
Of course there are easy ones – the low-hanging fruit. My Microsoft Account (formerly Live ID) is tied to dozens of sites from Microsoft Learning to TechNet to Zune and Xbox and everything in between, not to mention my primary e-mail account. By changing that one password I immediately covered nearly half of the sites that I log in to. Unfortunately the rest of them would not be that easy.
I decided to take a measured approach going forward. I opened a text document on my laptop and named it passwords.txt. Of course this file is not going to have any of my passwords in it – I have a pretty good memory, but some people like to use password vault software like AuthAnvil Password Server, which allows individuals and organizations to centrally organize, synchronize, and audit their passwords. The only thing that I am keeping in my password text file is a simple list of all of the sites that I either have to type my password into or, in many cases, that I have logged into previously and clicked the ‘Remember my Password’ option in Internet Explorer.
I kept this text file open for several days and was alarmed at how long it was getting. The obvious ones are sites like on-line banking, social networking sites, and of course my blogs. The next tier were sites like ebay (and PayPal), amazon.com, and YouTube. Sites for my travel rewards points accounts (Aeroplan, AirMiles) came next, followed by things like DNS sites and Prometric.com (where I take my Microsoft exams).
After a few days I thought I was done, but just in case I saved the file to my desktop. In the meantime the real work started. I logged on to each of these sites and started changing passwords. Of course I did not use the same password for each site, and for my own peace of mind I will not explain how I chose. However I did make sure that all of my passwords were long enough and complex enough to thwart the average hacker (and onlooker).
Next I watched my Inbox. Many sites will send you an e-mail confirming that you made changes to the account. I read through each one carefully for two items: 1) Do I need to take any action (click a link, etc…) to confirm that I actually did make the changes, and 2) Does it say ‘You changed your password to P@$$w0rd.’
The first wasn’t a problem – I took the necessary steps. However the second is more important; if any site sends you an e-mail with your password in clear text then you know that they are storing it that way (rather than storing only a one-way hash for verification). I flagged these sites and made a notation to never use the same password on these as I do on any other site. In the event that their site gets hacked not only would my account there be compromised, but you could be sure that the hackers would then try to use the same password against my accounts on other sites. VERY DANGEROUS.
As I went from site to site I made notations on my text file list. A dash next to an entry meant that the password had been changed; an asterisk meant that the site e-mailed me in clear text. An ampersand meant that it is an account that I share with my wife (I don’t share any accounts with anyone else), and so before I change that password I should let her know what it is going to be, lest she get locked out of anything important.
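The inventory-and-markers procedure above, as an added worked example (not code from the original post): it parses a passwords.txt-style list that holds site names only, never passwords, using the dash / asterisk / ampersand convention, and reports what still needs doing. The site names and the sample e-mail text are constructed placeholders.

```python
"""Parse a passwords.txt-style site inventory (sites only, no passwords) and
report outstanding work. Marker convention from the post: a leading '-' means
the password has been changed, '*' means the site e-mailed the password in
clear text, '&' means the account is shared with someone who must be told first."""
from dataclasses import dataclass

MARKERS = {"-": "changed", "*": "plaintext", "&": "shared"}


@dataclass
class Entry:
    site: str
    changed: bool = False
    plaintext: bool = False
    shared: bool = False


def parse_inventory(text: str) -> list[Entry]:
    """One site per line; any combination of marker characters may precede the name."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        flags = set()
        while line and line[0] in MARKERS:       # collect every leading marker
            flags.add(MARKERS[line[0]])
            line = line[1:].lstrip()
        if line:
            entries.append(Entry(line, "changed" in flags, "plaintext" in flags, "shared" in flags))
    return entries


def todo(entries: list[Entry]) -> tuple[list[str], list[str]]:
    """Sites still unchanged: (change now, tell the other account holder first)."""
    pending = [e for e in entries if not e.changed]
    return ([e.site for e in pending if not e.shared], [e.site for e in pending if e.shared])


def isolated_password_sites(entries: list[Entry]) -> list[str]:
    """Sites that echoed the password in clear text: never reuse their password elsewhere."""
    return [e.site for e in entries if e.plaintext]


def email_echoes_password(body: str, new_password: str) -> bool:
    """True when a change-confirmation e-mail contains the password itself (mark the site '*')."""
    return new_password in body


# Constructed sample inventory (placeholder site names)
SAMPLE = """# sites only, never passwords
-  bank.example
-* shop.example
&  streaming.example
   dns.example
-& travel.example
"""
```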
While I thought I was done, I left the text file on my desktop. It does not take up a lot of real estate (especially since Windows 8 helps me to keep my desktop clean of shortcut icons), and I knew that as the weeks went on I would stumble upon the occasional site that did indeed slip my mind.
I dated the file and e-mailed it to myself; I set up a recurring calendar reminder telling me to change my passwords on a schedule. While not all of my credentials need to be changed as often as others, it is still important to change them all a few times per year. Now that I have the procedures in place, I will be able to do it without the anxiety that I faced the first time I went through it!