Password Hell

Key in Lock

I had put off the task long enough — it was time to clean up my passwords. I began using the Internet in the early 1990s and started to accumulate web logins and passwords. The first site I recall using was Weather Underground, which went live in 1993. As of August 2014, when I embarked on my cleanup project, I had more than 600 logins and passwords. I use 1Password to store these credentials — it is a truly great piece of software. The app runs nicely on the Mac, iPhone, MacBook, and iPad. The password database is securely stored in Dropbox and kept in sync for use on any of the devices. 1Password doesn’t just store your IDs and passwords and automatically log you in to the corresponding website, it also provides a real-time analysis of the quality of your passwords. It shows how many are duplicates — not a good idea, because if someone breaks into a site and gets your password, they could use it at other sites. 1Password shows you how many of your sites are vulnerable to Heartbleed, a serious security vulnerability, and it shows you which of your passwords are weak, how many are 3 years old, and how many are one-to-three years old. I confess my profile was not pretty.

I embarked on the cleanup project, and it took a chunk of my summer. I had several goals. First was to eliminate passwords for sites I no longer use or that no longer exist. Some sites were defunct, some had been acquired. I emailed sites and asked them to delete my account. Most sites responded quickly to the requests. The second goal was to eliminate any duplicate passwords, of which I confess I had many. It seemed like a good idea way back but clearly is no longer appropriate. The third goal was to make my passwords un-rememberable. I decided that a good password would be 20 characters long, contain upper and lower case letters, 3 special characters, and 3 digits. An example would be MRbUJ,6t4uz,>6FsaPmJ. Fortunately, 1Password can remember such a password. I used to know all my passwords, and now I can’t remember any of them. Any human or software would have a tough time guessing them.
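As an added example (not from the post, and not 1Password's own generator), here is how a password that meets the policy just described can be produced and verified: exactly 20 characters, exactly 3 digits, exactly 3 special characters, and both upper- and lower-case letters, drawn from the operating system's cryptographic random source via Python's `secrets` module. Treating every printable ASCII punctuation character as "special" is an assumption made for the example; the post's own sample password, MRbUJ,6t4uz,>6FsaPmJ, satisfies the check.

```python
import secrets
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
# Assumption for this example: any printable ASCII punctuation counts as "special".
SPECIALS = string.punctuation


def generate_password(length=20, n_digits=3, n_specials=3):
    """Return a random password with exactly n_digits digits, exactly n_specials
    special characters, and the remaining positions filled with letters
    (guaranteeing at least one upper- and one lower-case letter).
    All randomness comes from the secrets module, i.e. the OS CSPRNG."""
    n_letters = length - n_digits - n_specials
    if n_letters < 2:
        raise ValueError("length too short for the requested digits and specials "
                         "plus one upper- and one lower-case letter")
    chars = [secrets.choice(DIGITS) for _ in range(n_digits)]
    chars += [secrets.choice(SPECIALS) for _ in range(n_specials)]
    chars.append(secrets.choice(UPPER))          # at least one upper-case letter
    chars.append(secrets.choice(LOWER))          # at least one lower-case letter
    chars += [secrets.choice(UPPER + LOWER) for _ in range(n_letters - 2)]
    # Fisher-Yates shuffle driven by the CSPRNG, so the character classes
    # do not sit in predictable positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(pw, length=20, n_digits=3, n_specials=3):
    """Check a candidate against the post's policy: exact length, exactly
    n_digits digits, exactly n_specials specials, and at least one upper- and
    one lower-case letter."""
    return (
        len(pw) == length
        and sum(c in DIGITS for c in pw) == n_digits
        and sum(c in SPECIALS for c in pw) == n_specials
        and any(c in UPPER for c in pw)
        and any(c in LOWER for c in pw)
    )


if __name__ == "__main__":
    candidate = generate_password()
    print(candidate, meets_policy(candidate))
```

Because the digit and special-character counts are fixed, `meets_policy` is strict: a 20-character password with four digits is rejected, which matches the post's definition rather than a looser "at least" rule.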

The project was quite revealing about the many websites that I use. Most sites allowed the 20-character password with upper case, lower case, 3 digits, and 3 of any special character. Some sites had hard-to-believe password policies. Following are some examples of what I encountered.

- Almost all sites require that you enter your password twice to make sure you get it right. A copy from 1Password and then a paste makes this quite easy. However, TurboTax, Costco, and Quest Diagnostics require you to type in the second field. I cannot think of a rationale for such a policy.
- Woodbury Products requires you to buy something before you can log in. Their IT department said they outsourced their website and they don’t know anything about it.
- My bank limits your password to 8 numbers and letters with no special characters. You would think all banks would love long ugly passwords.
- The security monitoring company at my house allows no special characters.
- 1Password generates long ugly passwords for you, and you can easily configure how many special characters and numbers you want. The New York Times and a number of other sites allow only periods, underscores, or hyphens. This is the worst of the password policies.
- JC Penney does not allow special characters, but did not say so in their rules.
- Southwest Airlines: no special characters.
- CVS accepts a password length of up to 25 characters, but you have to type it in twice.
- It is surprising that some very sophisticated organizations such as the World Community Grid allowed a maximum password length of 15 and no special characters.
- BestWestern Hotels sends your password in the clear, and there is no way to change it.
- The PC Magazine site is cluttered with so much advertising that no password link could be found. It took multiple emails and days to connect with them.
- Progressive Insurance does not allow customers to change their password online. You have to fill out an online form to get password reset instructions.
- Stop and Shop asks for a secret question but then truncates your answer to 16 characters without telling you, so it would never work.
- A number of sites require you to enter your password to change your password. This is after you have already logged in.
- WSJ requires you to enter your secret question answer before you can change your password. Secret questions are a farce. The classic one is your mother’s maiden name. Do you enter mary jones, Mary Jones, Mary M. Jones, Mary M Jones, etc.? You answer a question and then a year later you have to remember if you used upper or lower case.
- Microsoft says the minimum length is 8, but they don’t tell you the maximum length is 16. They do accept all special symbols.
- AT&T finally introduced the idea of allowing a user to have the same login credentials for both wired and wireless accounts. They introduced the idea of having one set of credentials for one company as though it is a breakthrough. The site requires the secret questions from a short list of their (not your) favorite questions. One of them was “Who was your first employer?”. My answer was ibm. “Invalid answer. It must have at least four characters”. Duh. So much for people whose first job was at IBM, GM, ABC, AOL, NBC, FOX, or ATT. And, your favorite color can’t be red. What were they thinking?
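The list above is, in effect, a catalogue of server-side validation rules that reject a strong password. As an added illustration (not from the post, and not any of these sites' real code), the following models a handful of such rules as data, reports exactly why a given password would be refused, and reproduces the silent secret-answer truncation described for Stop and Shop. The policies are constructed for the example and loosely modelled on the post's descriptions; they are not verified against the actual sites.

```python
import string
from dataclasses import dataclass
from typing import Optional


@dataclass
class SitePolicy:
    """A site's password rules reduced to the three things the post complains about."""
    name: str
    max_length: Optional[int] = None   # None means no stated maximum
    allowed_specials: str = ""         # "" means special characters are refused outright
    min_length: int = 8


def check_against_policy(pw: str, policy: SitePolicy) -> list:
    """Return the reasons the site would reject pw; an empty list means accepted."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    if policy.max_length is not None and len(pw) > policy.max_length:
        problems.append(f"longer than {policy.max_length}")
    disallowed = sorted({c for c in pw if not c.isalnum() and c not in policy.allowed_specials})
    if disallowed:
        problems.append("disallowed characters: " + "".join(disallowed))
    return problems


# Constructed, illustrative policies modelled on the post's descriptions.
POLICIES = {
    "bank":       SitePolicy("bank", max_length=8, allowed_specials=""),
    "newspaper":  SitePolicy("newspaper", allowed_specials="._-"),
    "grid":       SitePolicy("grid", max_length=15, allowed_specials=""),
    "permissive": SitePolicy("permissive", allowed_specials=string.punctuation),
}


def truncated_secret_answer_matches(enrolled_answer: str, supplied_answer: str, limit: int = 16) -> bool:
    """Model the bug the post describes: the site silently keeps only the first
    `limit` characters of the answer at enrolment, then compares the user's full
    answer against that stored fragment at verification time."""
    stored_fragment = enrolled_answer[:limit]
    return stored_fragment == supplied_answer


if __name__ == "__main__":
    sample = "MRbUJ,6t4uz,>6FsaPmJ"   # the post's example password
    for policy in POLICIES.values():
        print(f"{policy.name:>10}: {check_against_policy(sample, policy) or 'accepted'}")
    answer = "a twenty-character answer"
    print("secret answer works:", truncated_secret_answer_matches(answer, answer))
```

Expressing the rules as data makes the mismatch visible at a glance: the same password is accepted by the permissive policy and rejected by the other three for different reasons, and any secret answer longer than the silent 16-character limit can never be verified again, exactly the failure the post reports.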

At the end of the project, my password database went from 627 to 354, and they are mostly long and not rememberable. Using 1Password on the iPhone is great. The app opens with your Touch ID fingerprint and then you simply copy the desired password. The interface is elegant. As I finish this post, I note that 1Password shows that I have 14 passwords that need attention, so the project is never over. Investing a small amount of time on a regular basis is worthwhile for security’s sake.
