Home » Security
Category Archives: Security
A few weeks ago I wrote about how I started using a password vault. Some of my keener observers noted that I did not mention which one I chose, and that was not an oversight. I am not an expert in the technology, and unlike many of the products and solutions I have reviewed over the years, usability is not the primary factor in selecting a password vault, and I am not qualified to evaluate how well any of them secure your passwords. However with regard to usability, I would like to talk about some changes I have made in how I work, and how it has affected me.
1) Completely Randomized Passwords
Over the course of my time in IT I have heard myriad complaints from users who did not like having to remember complex passwords, and liked even less having to change them every so often. I gave them a lot of advice of how to choose and remember and cycle their passwords, but no matter how hard I tried, yellow sticky-notes (yes they come in other colours too) remain the biggest enemy of IT security.
I have used a lot of different passwords over the past fifteen years, but it is rare that I forget one. Why? Because there are probably a dozen ‘series’ of passwords that I have used at any given point. I won’t give any of them away (there is probably some obscure site that I have not logged into in a decade that still has my account with one of these old passwords, and somebody would figure it out). But let’s make up an obscure and completely fictitious password that I could have used:
Four Score and Seven Years Ago, Our Fathers…
The opening words of the Gettysburg Address. It is easy enough to remember… nine words. If I were to take the first letter of each word, and change numbers and booleans into their characters, we would have 4S&7yaof. Upper case, lower case, numbers, and characters. More than eight characters. I just created a password that would pass almost every minimum password requirements algorithms. I would then use that as a password for a dozen sites and applications. Of course, some algorithms insist on starting with a letter, so Fs&7yaof would be similar but completely different. We’re happy.
As I have mentioned before, I maintain a text file of most of the sites I have credentials for, and every few months I go through them all and change my passwords. It takes time and effort, but I have done it. Fortunately, I have always had pretty simple passwords (for me) to remember… because I knew the context. Password Hint? GETTYSBURG.
Now that I am using the password vault, it has a tool that helps me to create long, complex, random passwords that would be completely impossible for someone like me to memorize. However I wouldn’t have to memorize them, because the vault app enters it for me when I need it. So:
Hello1 = BAD
Passw0rd = BAD
Fs&7yaof = Good
L9Gya$(aWPl47+~R2t7*^1> = EXCELLENT!
With passwords like these (and a management app that helps me create, remember, and every few months change them), combined with the fact that every site has a completely different nearly impossible to remember password, and I can sleep better at night knowing that my identity is secure.
The problem is: how am I securing the password vault? Well, that has a couple of answers. Two factor authentication for sure, but that would be different on my phone and on my computer.
2) Multi-Factor Authentication
When I am accessing the vault on my computer, I have to enter my password, and then two-factor authenticate using my Yubikey. On my iPhone I have to a) log on to the phone using either password or a fingerprint, b) log in to the application using a different password. It is not ideal, but it is better than nothing… and for my needs, it is just fine.
There are some sites that I use (such as WordPress for my blog) that interacts with applications, and supports Multi-Factor Authentication (MFA). The process for these sites is a bit different:
1) The password vault application (or WordPress) generates a ridiculously long and complex password, and stores it in the vault.
2) The site allows me to create ‘application passwords’ which are for individual applications (and different installations of the same application), which the applications can store.
3) The WordPress app is installed on my phone. When I try to authenticate using either the web or an application, WordPress sends a code to the app on my phone, which asks me if I tried to log on (and from where). I can either Accept, which will allow the logon to proceed, or Reject, which will block the logon.
Other sites, such as Microsoft ID protected sites, allow me to either remember my password, have my password vault application enter the un-rememberable password for me, or it will generate a one-time code which it will send to my phone by SMS message, and I can log on with that code.
A few sites and applications, which include my corporate VPN and my health insurance website (not to mention my password vault application), allow me to authenticate using a token, a device that I plug into my computer and then press a button. The device then sends a code to the computer, and authenticates. I will not go into the back-end of this, but it is quite secure from what I understand… as long as it doesn’t get stolen. Of course, for most of the sites that I use it for the Yubikey only works when used in conjunction with a password.
I hope by now I am beyond the ‘forgetting my cell phone’ syndrome… after all, I have been carrying one for the better part of two decades, and knowing that the replacement value of my phone is nearly $1,000 I do my best to have it on me at all times. But what about the Yubikey? I am relatively new to carrying it around, an it is absolutely tiny… about the size of my thumbnail. I have it attached to a little charm that I was given at a bar in Shinagawa (Tokyo). The two combined might weigh a few grams… and I am extremely hopeful that it is more durable than it looks. However here’s the thing… I carry a lot of things in my pockets, and because of that I will, on occasion, take things out that do not have to be there… including on the weekends my card access key for the office, and yes – my Yubikey. Only, there are days (and not a few of them) when I forget my key card at home… and as such, I will often also forget my Yubikey. Fortunately my company still has a secondary VPN that I can use, and as for other sites that require it… well, let’s just say that most of them are not required for me to perform my job.
Oh wait… my password vault requires it. So I had better hope that during the course of my day without my Yubikey I don’t need to access too many sites, because while I can get the passwords off my phone, typing in passwords that look like this: L9Gya$(aWPl47+~R2t7*^1> can be a pain.
4) When all else fails…
I actually had to do this more often when I was using my old password methodology than my new one. Most sites have those helpful ‘Forgot my password’ buttons that will, after asking you a couple of questions, send you a link to reset your password. I used it a lot before, but admit that the only time I used it recently was with my health insurance company… where the password hint was useless, and the ‘Forgot my password’ button told me to call so that they could delete my account and then I could recreate it. Thanks, I’ll wait until I pick my Yubikey up off the night stand.
I wasn’t entirely sure what to expect, but I was hoping the transition to the password vault (and scores of completely different and un-rememberable passwords) would not be too painful. I was not disappointed. I did have to log on to some sites and manually change the passwords, but for others the vault’s app did it for me. I haven’t been locked out of anywhere (YET), and to the best of my knowledge nobody has logged on anywhere as me because they have compromised my data.
The Multi-Factor Authentication (MFA) is great as long as I have my devices with me… and my phone’s battery isn’t dead. Fortunately some of the sites that use it have alternate methods (e-mail me a code?) but also fortunately my phone is usually pretty charged, else I bring a portable charger with me.
Does this new methodology benefit me? Let’s be honest… the world has changed. Twenty years ago I was afraid someone would steal my house keys and would then break into my house and steal my stuff. Today with alarms and cameras that threat is nearly obsolete, but the threat of losing our data and banking information and credibility to hackers is very real, and being able to take steps to prevent it… well, it’s a small price to pay.
I held out as long as I could; I have never used a password vault, thinking that I could remember all of my passwords for several dozen sites and applications without having to trust them to any third party.
Of course, many of the passwords I used were reused a few times, and oftentimes I would have to ask a site to remind me of what my password was. I finally broke down and said okay, I was going to do it.
I signed up for the site that a trusted friend recommended; I even spent the $12 to get the premium service (mostly so that I could use multi-factor authentication with my Yubikey). I then downloaded the app to my laptop. I installed the app…
…and what happened next scared the wits out of me.
I should mention that I knew this was the case; I have in the past used tools to discover passwords on peoples’ computers (and on mine when I forgot them). So why was I surprised when the password app showed me a list of every site I have ever visited from this computer, with a button that said ‘Click here to display passwords’??
Yes, it is true. Unless you take special preventive measures, your computer saves every password you ever use; they are hardly even secured – this program did not take hours or even minutes to list them off, they were readily viewable in under ten seconds… including the passwords for my online banking.
How could this be? It’s simple… passwords suck. They are probably the best option that most of us have available to us, but they really do suck. Multi-Factor Authentication (MFA) solutions like a Yubikey or smartphone authentication programs provide much better solutions, but there are problems with those – firstly they require you to have a device, and secondly they require the site (or application) that you are connecting to support their tool. So if you are connecting to YouTube (which is a Google site) you can use Google MFA; however if you are logging on to some random site where you participate in forums, there is a good chance that this will not be available to you, and you will have to use old fashioned passwords (see article).
The problem with passwords isn’t that they are hard to use, it is that most people do not use them correctly. That is a pretty broad statement, but if you are honest with yourself, how many passwords do you use that are over 90 days old? How many of your passwords are repeated across sites? Some password vault tools will let you run a test across all of the sites in the vault, and it is a cold splash of water in the face to run one of these tests and get a 32% score (yes, I am as guilty of many of these behaviours as everyone else).
For years I said the worst enemy of IT security was yellow sticky notes, and they still are. However it has gotten so much worse than ever, because every site wants complex passwords, and to get around the complexity rules people are using things like DogName1, then DogName2, and so on. I see stickers like the one shown more often than I care to say. The more often we have to change a password, the worse the situation will be. The problem grows exponentially when we have more sites forcing us to do the same thing. So if we have to change a password on ten different sites every ninety days, we are exponentially more likely to pick the same passwords, or derivatives thereof.
But is it reasonable to expect everyone to pick completely random, un-guessable passwords? Is *880638Z7965 a good, completely secure password? Probably not. For one thing, it is going to be impossible for us mere mortals to remember, and so we are going to write them down; for another, if someone gets access to your computer (or smartphone, or any device that you use to log onto whatever site you are trying to keep secure). Remember… if the Password Vault software can determine what your passwords are, so can the hackers.
I recently sent out an e-mail called The Ways of Small Business IT in which I highlighted some of the perils of a small business IT environment; one of the issues I highlighted was users leaving their unlocked workstations unattended. There are much more dire (and scarier) consequences to this behaviour than having your local information stolen. Simple programs installed from a USB key can reveal and steal every password you have ever used on the workstation – business, pleasure, banking, personal, dating sites… everything. So the miscreant would not have to sit at your computer for very long to own you – all they have to do is sit down for a minute and then walk away with all of your sites, usernames, and passwords. Then at their leisure they can access your life from wherever they want.
Scary? Yes. Preventable? Of course. A user who locks their computer when they walk away has taken great steps to prevent this attack. But what happens if the miscreant did not target your computer? What if they target a site where you use your catch-all password? Well it shouldn’t be a problem because that site will shut itself down until it has fixed its own security holes, right?
WRONG. The scary phrase in that last sentence is catch-all password. Here’s what I mean, and for the moment we are going to use the example of a site that we know to have been recently hacked.
Yeah I know you didn’t have an account, and you are completely faithful to your partner, but for the sake of the example, the user list on AshleyMadison.com is compromised. They have your credit card information, but that’s okay because your credit card is insured; they have your name and dating preferences, and that’s a damned shame… but there are fourteen million other men (and seventeen other women) who are in the same boat as you. It’s in the media and it’s ugly, and you are spending half of your time fighting with your partner that someone had used your credit card (and name, and picture, and your sexual preferences) to create their own profile on the site, and the other half of the time speculating about who else was on it, and… you know, doing whatever else you do during the day.
What you do not spend any time doing is changing the password on YourBank.com, YourTradingCompany.com, YourOtherServices.com, and so on. It doesn’t matter that you had been using the same password on those sites as you did on AshleyMadison.com, because… well, in truth you just never gave it much thought, and isn’t it just so much easier to use the same password everywhere so you don’t forget?
Now the bad guys have your password… and believe me, it isn’t tough to guess your username for all of those sites… especially since you also used the same password for your e-mail account, so what they can’t easily figure out they can easily ask all of the other businesses to resend it and the businesses will do it because the hackers asked from your e-mail account.
Is there a good solution? For businesses there are several… multi-factor authentication, soft tokens, and so on. For individuals? Well, there’s vigilance… and listening to people like me when we tell you not to use the same passwords, and not to write them down, and to change them frequently.
In my next article I am going to use a lot of the tools I discussed in this piece to demonstrate why your work laptop should only be used for your work resources.
This is NOT an article about my mother. She just happens to be the person at the other end of this conversation, but it could have been any house guest.
My mother has been staying with me for the past few days. It is the first time she has stayed with me, and it has been a learning experience for both of us.
One of the things that she had to get used to was that my TV is not set up in any useable way to anyone but me. I know, it’s a pain in the ass, but I live alone, and under normal circumstances the only person (other than me) who would ever use the TV is my son… and he is just as happy to let me log in for him.
I promise, someday I will get around to making the system more useable, but it’s just not a priority.
So this morning I had one foot out the door when my mother asked me ‘Oh… if I want to watch TV, how do I do it?’ The simple answer is… You don’t. Okay, you have an iPad, you can watch Netflix.
‘But why can’t you just show me how to use your TV?’
Well there are a couple of reasons for that, but the one I opted to go with was that I would have had to give her my password, which was my primary password for everything on my network. I could have gone with ‘I don’t have the time,’ or ‘I’m sorry, but the media device is very finicky and you would be calling me all day to ask questions,’ or ‘I don’t want you surfing my porn collection.’ No, I went with the password.
‘Oh, really… like I would use your password for anything other than watching TV. Really, I don’t even know how to use your computer!’
There are a lot of arguments that people could make in favour of sharing passwords… and they are all wrong. There is in my mind no legitimate reason why two people should share their passwords with each other… not when information security is an issue.
What do I mean by ‘Information security?’ Let’s look into this. If I were to give someone my password, what could they possibly do on my computer?
1. My banking credentials and information may be cached.
2. I have letters and documents that are extremely confidential. Some are personal, some are business, none are anyone’s business other than the people I share them with.
3. On my desktop there is a link that connects my personal PC to my corporate VPN. While I do not have my credentials cached, the extra layer of security provides Defense-in-Depth, which is eliminated by sharing my password.
4. My e-mail… In other words, anyone with my password could very easily send an e-mail in my name… to anyone.
5. My blogs are set up so that anyone authenticating to my PC can post to any of them… and that is not acceptable.
6. Oh come on… do I really need to go further?
So if I trust someone 100% should I be willing to trust them with my password? Well, I don’t trust anyone 100%, but that is not the question. In this case, even if I trust her 100%, we have to assume that my boss (who has never met her) doesn’t… and since some of the information that my password is protecting is my company’s, the answer is no, I should not trust them with my password.
Do I believe my mother would use my password for any reason other than watching TV? Frankly I do not. Do I think she is capable of getting into anything that she shouldn’t? Well, she does know how to use e-mail, so that is a possibility, but I do not think that she would.
The problem is not what I think she would do. The problem is this: What happens if I get back to my computer tonight, and something is amiss. What happens if something is missing, or changed, or whatever? Well the reality is that chances are it is from something that I did, but my first reaction would not be that. So why take the chance? Why risk losing the ability to trust my mother because of something that may or may not have been her fault? Simple… don’t put yourself into the position.
I connected my mother’s iPad to my wireless network, and she should be able to do anything she needs on that device… if she had the wherewithal to hack into my systems via wifi then I would be a sitting duck, but she doesn’t… in fact not only does she not have the ability, she also does not have the desire or malicious intent.
On the first page of the book The Sum of All Fears there is a quote that I have always liked. I thought it was a Winston Churchill quote, but as I looked it up on the Internet it looks like it is attributed to Benjamin Franklin. It is:
Three can keep a secret, if two of them are dead
Is that true? Maybe yes and maybe no, but the only true way you can know for certain that nobody will share your secrets is by not sharing them with anyone else. Passwords are the same way.
I have been asked before if I have a password store in case I get hit by a truck. The answer is that I do not. Why not? There is nothing that I need people to access if I am dead. They can reformat my computer and all of my hard drives and use them to their hearts’ content… but the information is mine. I don’t need anyone logging into my Facebook or LinkedIn after I am gone, and with regard to my banking, well the executor of my estate will have the legal means to deal with the banks. Some information can die with me, and I am quite at peace with that knowledge. My blogs? Once I am dead the last post will have been posted, and they will remain there until WordPress decides to take them down. E-mail? Nobody needs to be notified of my death who cannot be notified by other means.
Passwords are private, and should remain so. The integrity of your data and systems and reputation relies on that. Sharing them with anyone is a bad idea, and if you disagree? Well don’t tell me I didn’t warn you!
Congratulations. You have decided to implement a Folder Redirection policy on your domain. There are real advantages to this, not the least of which is that all of your users’ profile folders will get backed up centrally… and that when they change computers their files and settings are just there.
You have created a Group Policy Object (GPO) in Active Directory that you have called Folder Redirection, and you have applied it to the Organizational Unit (OU) that your user account is in, and as is so often the case with Desktop Administrators, you have made yourself the guinea pig. From Windows you run the command gpupdate /force, and are informed that in order for the Folder Redirection policy to be applied, you will have to log off and then log on again. You do.
It must have worked! Why do you I say that? Because unlike most of the time, when logging on takes a few seconds, it took a full ten minutes this time. As a seasoned Desktop Admin you understand that this is because all of the folders that you set to redirect – Documents, Pictures, Videos, Favorites, Downloads – are being copied to the server before you are actually allowed onto your desktop. However a few minutes later, once you are logged on, you open Windows Explorer, and in the navigation pane you right-click on Documents, and see that the My Documents folder is no longer at c:\Users\Mitch, but at \\Sharename\Mitch.
Unfortunately there is one step that you are now saying to yourself ‘Mitch, you missed one thing!’ Because you know that when you clicked on Windows Explorer in the task bar, you got a warning message that looked like this:
As a seasoned IT Pro you know that security warnings are a way of life, and it wouldn’t bother you if you had to accept this every time… but you know your end users are going to go ape, so you need a solution. No problem.
I should mention that while these steps will work for all versions of Windows since Windows Vista, the way you access the screens may be a little different.
1) Open Control Panel. Don’t be alarmed, you are going to get the same security warning when opening the CP.
2) In the Search window type Internet Options. When it comes up, click on it.
3) In the Internet Properties window select the Security tab.
4) On the Security tab click on Local Intranet. Then click on Sites. Note that the Sites button will be greyed out until you select Local Intranet.
6) In the Local Intranet window click the Advanced button.
5) In the Local Intranet (Advanced) window type the location of your folder redirection share into the box marked Add this website to the zone: Uncheck the box marked Require server verification (https://) for all sites in this zone. Click Add. Then click Close.
6) Close the Internet Properties window.
Now try opening Windows Explorer again. It should open without the security warning.
If You’re Gonna Do IT Then Do IT Right…
Okay, so you know how to configure this setting for your individual desktop… but you don’t really want to have to go to every desktop/laptop/tablet in the organization and do this, do you? Of course not, that is what Group Policy is for!
We are going to make one change to your Folder Redirection policy.
1) Open Group Policy Management Console.
2) Right-click on your Folder Redirection policy and click Edit…
3) Navigate to: User Configuration – Policies – Administrative Templates – Windows Components – Internet Explorer – Internet Control Panel – Security Page.
4) Right-click on Site to Zone Assignment List.
5) Enable the policy.
6) In the Options box click on Show…
7) In the Value name cell enter the UNC path of your file share.
8) In the Value cell next to the UNC path you just entered enter the value 1. (Where 1=Intranet/Local Zone, 2=Trusted Sites, 3=Internet/Public Zone, and 4=Restricted Sites). Click OK then click OK in the Site to Zone Assignment List dialogue box.
9) Close Group Policy Management Editor.
That should be it… remember you will have to re-run your gpupdate /force on your machine, but even if you don’t it will apply in the next few logoffs, right?
**Thanks to Joseph Moody for the list of settings for the Zone Value list!
I was sitting in a planning meeting with a client recently in which we were discussing ways of protecting end-user machines, especially laptops that were in and out of the office. The previous convention relied on BIOS locks that were proprietary to the hardware manufacturer, and required the end user to either enter two passwords or swipe their fingerprint on a sensor. As the company planned to migrate away from the dedicated hardware provider and toward a CYOD (Choose Your Own Device) type of environment this would no longer be a viable solution.
As the discussion started about what they were planning to use to provide a second layer of protection from unauthorized access to systems, I asked if the company was still intending to use BitLocker to encrypt the hard drives for these machines. When it was confirmed that they would, I presented the hardware agnostic solution: adding a PIN (Personal Identification Number) to BitLocker.
BitLocker is a disk encryption tool that was introduced with Windows Vista, and has been greatly improved upon since. It ties in to the TPM (Trusted Platform Module) in your computer (included mostly in Enterprise-class systems) and prevents protected hard drives from being hacked. Most people configure it and leave it there… which means that it is ‘married’ to the physical computer with the TPM chip. However there are a few additions you can add.
Authentication has not changed much in the last few thousand years. It is usually based on a combination of something you have and something you know. Beyond that is it just levels of complexity and degrees of encryption. So our TPM chip is something we have… but assuming the hard drive is in the computer, they go together. So we need another way of protecting our data. Smart cards and tokens are great, but they can be stolen or lost… and you have to have to implement the infrastructure with a cost (although with AuthAnvil from ScorpionSoft the cost is low and it is relatively easy to do).
Passwords work great… as long as you make them complex enough that they are difficult to hack, and ensure people change them often enough to stymie hackers… and don’t write them down, and so on. However even with all of that, operating system passwords are still going to be reasonably easy to crack – to the knowledgeable and determined. Hardware level passwords, on the other hand, are a different beast altogether. The advent of TPM technology (and its inclusion in most enterprise-grade computer hardware) means that an encryption tied to the TPM will be more secure… and by adding a PIN to it makes it even more so. Even though the default setting in Windows is to not allow passwords or PINs on local drives, it is easy enough to enable.
1. Open the Group Policy Editor (gpedit.msc).
2. Expand Computer Configuration – Administrative Templates– Windows Components – BitLocker Drive Encryption – Operating System Drives
3. Right-click the policy called Require additional authentication at startup and click Edit.
4. Select the Enabled radio button.
5. Select the drop-down Configure TPM startup PIN: and click Require startup PIN with TPM.
At this point, when you enable BitLocker, you (or your user) will be prompted to enter a PIN when enabling BitLocker.
**NOTE: This policy will apply when enabling drives for the first time. A drive that is already encrypted will not fall into scope of this policy.
By the way, while I am demonstrating this on a local computer, it would be the same steps to apply to an Active Directory GPO. That is what my client will end up doing for their organization, thereby adding an extra layer of security to their mobile devices.
Many of you know that I am a fanatic about changing passwords and password complexity. I have written time and again about the subject. (See Pass the Word…)
I am also a big hater of what my friend Dana Epp refers to as ‘Security Theatre.’ I have often berated people at Rogers, AT&T, and a plethora of other companies who ask me ‘and for security purposes can you please tell me your date of birth?’ REALLY? IT’S ON MY FACEBOOK PAGE! How about you ask me what colour tie I wore to the last Black Tie event I attended, or what colour was the hockey puck we used when I played ice hockey?
I came across an article written by fellow Microsoft MVP Bill Pytlovany. I have never met Bill but he makes some very good points about answering security questions (my mother’s maiden name is Brown by the way) that people should keep in mind when answering these questions. Bill’s MVP Award is in Consumer Security, and I can see why. Enjoy the article! –MDG
How often do you change your online passwords? If you are like the vast majority of us then the answer is not nearly often enough. Until recently I fell into the same category, and fixing that took a little bit of doing.
One day several months ago I looked at Theresa and said ‘I think I am going to change all of my on-line passwords today.’ Easier said than done.
The first problem that I encountered was not an easy one – what passwords do I have? I figured I must have dozens if not hundred of on-line accounts. The not so simple task of creating a list of all of them was a task I was not looking forward to.
Like so many other things that I discuss, the old truism applies: If you cannot measure it then you cannot manage it. I had to figure out a way to start tracking my on-line accounts. Where should I start?
Of course there are easy ones – the low-hanging fruit. My Microsoft Account (formerly Live ID) is tied to dozens of sits from Microsoft Learning to TechNet to Zune and Xbox and everything in between, not to mention my primary e-mail account. By changing that password I immediately changed nearly half of the sites that I log in to. Unfortunately the rest of them would not be that easy.
I decided to take a measured approach going forward. I opened a text document on my laptop and named it passwords.txt. Of course this file is not going to have any of my passwords in it – I have a pretty good memory, but some people like to use password vault software like AuthAnvil Password Server, which allows individuals and organizations to centrally organize, synchronize, and audit their passwords. The only thing that I am keeping in my password text file is a simple list of all of the sites that I either have to type my password into or, in many cases, that I have logged into previously and clicked the ‘Remember my Password’ option in Internet Explorer.
I kept this text file open for several days and was alarmed at how long it was getting. The obvious ones are sites like on-line banking, social networking sites, and of course my blogs. The next tier were sites like ebay (and PayPal), amazon.com, and YouTube. Sites for my travel rewards points accounts (Aeroplan, AirMiles) came next, followed by things like DNS sites and Prometric.com (where I take my Microsoft exams).
After a few days I thought I was done, but just in case I saved the file to my desktop. In the meantime the real work started. I logged on to each of these sites and started changing passwords. Of course I did not use the same password for each site, and for my own peace of mind I will not explain how I chose. However I did make sure that all of my passwords were long enough and complex enough to thwart the average hacker (and onlooker).
Next I watched my Inbox. Many sites will send you an e-mail confirming that you made changes to the account. I skimmed through each one carefully for two items: 1) Do I need to take any action (click a link, etc…) to confirm that I actually did make the changes, and 2) Does it say ‘You changed your password to P@$$w0rd.’
The first wasn’t a problem – I took the necessary steps. However the second is more important; if any site sends you an e-mail with you password in clear text then you know that they are storing them that way (rather than using a one-way encrypted verification method). I flagged these sites and made a notation to never use the same password on these as I do on any other site. In the event that their site gets hacked not only would my account there be compromised, but you could be sure that the hackers would then try to use the same password against my account on other sites. VERY DANGEROUS.
As I went from site to site I made notations on my text file list. A dash next to an entry meant that the password has been changed; an asterix meant that the site e-mailed me in clear text. An ampersand meant that it is an account that I share with my wife (I don’t share any accounts with anyone else), and so before I change that password I should let her know what it is going to be, lest she get locked out of anything important.
While I thought I was done, I left the text file on my desktop. It does not take up a lot of real estate (especially since Windows 8 helps me to keep my desktop clean of shortcut icons), and I knew that as the weeks went on I would stumble upon the occasional site that did indeed slip my mind.
I dated the file and e-mailed it to myself; I set up an occurring calendar reminder telling me to change my passwords on a schedule. While not all of my credentials need to be changed as often as others, it is still important to change them all a few times per year. Now that I have the procedures in place, I will be able to do it without the anxiety that I faced the first time I went through it!