After the LinkedIn leak a few weeks ago, I decided to once and for all get off my ass and get my shitty passwords in order, as the one I had used at LinkedIn was also my bank's password and a bunch of other stuff, which was just stupid. But did I actually do anything? Nope.
Yesterday though, Mat Honan's article in Wired about getting hacked finally did it for me. I finally saw how easy it was to use my various linked accounts to totally frigin' hose my world and sat down to actually change my passwords on *everything*. (Actually, the very first thing I did was go into OSX's settings and turn off 'Find My Mac' to make sure the remote-wipe was disabled... Then I pulled out my 1TB Western Digital backup drive and actually backed up my computers. After that was done, *then* I sat down to change my passwords.)
Holy, frigin', cow. It took *hours*. I have so many logins, it's insane. Until you sit down to methodically go through and clean them all up, you really don't realize how bad it is. It's bad.
To make sure I remembered as many logins as possible, I went into my browser's password cache, which had a long, long, long list of sites that it's saved passwords for, and copied the URLs out to a text file. Then I came up with some new passwords that were both secure but also memorable and quickly typable (by me... everyone's different). There's no way I'd survive trying to have a different password for everything, so I came up with a few different ways to 'firewall' my different accounts so that I could have them be secure, but not have to remember a dozen different passwords. I know there are password managers out there, but between my phone, my tablet, work and home computers (among others), there are just too many ways I access 'the cloud' to use one.
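The check that would have caught the LinkedIn-and-bank problem before the leak is a reuse audit over that exported list. This is an added example, not code from the post: it assumes the browser export is a CSV with `url,username,password` columns (the layout Firefox's login export uses), and the rows below are constructed sample data, not real accounts.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in a url,username,password layout (assumed Firefox-style
# export). Every entry and password here is made up for the example.
SAMPLE_EXPORT = """url,username,password
https://www.linkedin.com,me@example.com,Summer2012!
https://online.examplebank.com,me,Summer2012!
https://www.reddit.com/login,me,Summer2012!
https://mail.google.com,me@example.com,correct-horse-battery
https://www.dropbox.com,me@example.com,another-unique-one
"""


def host_of(url):
    """Reduce a URL to its lowercase host so one site with several paths counts once."""
    return (urlparse(url).hostname or url).lower()


def find_reused_passwords(csv_text):
    """Return {password: sorted hosts} for every password shared by more than one host."""
    hosts_by_password = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        hosts_by_password[row["password"]].add(host_of(row["url"]))
    return {pw: sorted(h) for pw, h in hosts_by_password.items() if len(h) > 1}


def reuse_report(csv_text, high_value_hosts):
    """List the reuse groups that touch a high-value host (bank, email, etc.).

    Only the host lists are returned, never the shared password itself, so the
    report can be printed or logged without leaking secrets.
    """
    groups = find_reused_passwords(csv_text)
    return [hosts for hosts in groups.values() if set(hosts) & set(high_value_hosts)]


if __name__ == "__main__":
    for hosts in reuse_report(SAMPLE_EXPORT, {"online.examplebank.com", "mail.google.com"}):
        print("one password shared by:", ", ".join(hosts))
```

Run it against a real export and change the password on every host in each group, starting with the high-value ones; delete the export file afterwards since it holds cleartext passwords.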
Check out the list of logins I changed - and these aren't all, just the most important: Yahoo!, Google, Microsoft (Live.com), Apple, Amazon, eBay, Comcast, AT&T, electric, water, garbage, my bank, credit cards, health insurance, eTrade, PayPal, GoDaddy, my hosting service, personal server, Facebook, Twitter, LinkedIn, Box.com, Dropbox, GitHub, Disqus, Evernote, ArsTechnica and Reddit. Those were the main ones; as I've been using the computer, I'm constantly (and surprisingly) discovering more.
It may not look like that big of a list, but it took *forever*. Just finding the 'change password' page on each site itself was a challenge, let alone actually changing it. Websites *desperately* need to standardize this as much as they've standardized where the robots.txt file is, because right now it's chaos. And only one site out of that list - my hosting company - made me adjust my chosen password to be accepted, the rest gave me varying degrees of rankings from 'medium' yellow to 'strong' green. (You'd think it'd be the same...)
There's got to be a better way than this, really. Nothing is truly secure - as Apple's phone support will happily show you via a hacker who wants into your account - but so many logins and passwords are obviously broken, as there are frail humans like me on the other end of them. I know, having one service as a point of failure is also bad, but let's face it, having a bunch of different servers as multiple points of failure with varying degrees of protection is just as bad. If Apple or Amazon had their reputation banked on being a secure and trustworthy login, the guy from Wired wouldn't have gotten hacked, but that's not what their business is. Both have my bank's debit card on file, but I'm positive they protect that information quite well and have the required safety/fraud-detection/refunds, etc. they need. But managing and securing the login identity and password itself? That's not so important - it's not really what they do. (Apple *wants* to do that, but right now they don't.)
I'd love to see some neutral non-profit take this on. Actually, Mozilla is starting down this path with Persona, but what I'm thinking about is an entire organization dedicated to providing basic login APIs, with secure keys, etc. with backing from the big sites and services out there. Yes, it'd centralize security, and therefore make it more vulnerable to a single hack, but again, I honestly am not sure how much 'security through general chaos' is protecting us as it is.
Anyways, it's going to be *years* before I clear out all those passwords, I'm sure. I mean, it's not like I'm going to log into MySpace just to update my login, but services like AOL's AIM, which I've probably used once in the past 3 years? Well, eventually I'll run into it again, and when I do, I'll make sure to update it to a better password. It's going to take forever to find all those.