Changing all my web passwords

Published on 25 January 2013

I don’t know about you, but I use the same password for every website. I know, I know. I shouldn’t. It’s bad and wrong. One person could steal your password and get into all your accounts.

But we all know the rules of passwords. We should have individual ones for each site. We shouldn’t write them down. We should include a mixture of uppercase and lowercase and numbers. But I don’t. I use the same password for every single website.

Now as you sit there in shock and horror (or alternatively, start attempting to hack my Facebook and Twitter accounts), let me quickly say that that’s how I would have started a password-related blog post this time last year. In fact, it’s no longer true.

Back in the summer of 2012 I put the eight character password I used everywhere into How Secure Is My Password and discovered that the password I used everywhere could be cracked in a whopping 11 minutes by a desktop PC.

This was not a new thing. I’d done that several times before but this time I was finally spurred on to action. I would change all my passwords. Every site would have a unique one. And thanks to a technique called “salting” that I’d just read about, I’d ensure I could remember them all too.

Suddenly my new password went from 11 minutes before it could be cracked to 412 years. I changed every site I could think of to my new scheme, and, most importantly of all, I kept a log of what site I had an account on, and when the password was changed.

Within 7 days I’d found 15 accounts I needed to change the password on.

Within a month I’d found another 15.

And it kept on going.

I keep finding long-forgotten accounts that need changing. Rarely used sites that need an update. And in one case, a site whose amazing security settings wouldn’t even let me use my new far-more-secure password. Some sites were even using an even older password that could be cracked in 0.544195584 seconds.

As of a few minutes before I’d started writing this post, nearly six months on, I’d got 44 accounts where I have changed the password (or, in a few rare examples, have created a new account using the same system). Whilst writing this post, I suddenly remembered a 45th. And these are all personal accounts – I’m not including any work-related ones.

Which leads me on to the advice I read recently about passwords. “You should change them regularly” said some security expert or other on some web article I couldn’t be bothered to bookmark. It’s the kind of advice experts come up with.

Change them? Until recently I didn’t even have any idea how many I had. It’s taken me six months just to uncover 45 of them that I do know, and I’ve still not finished. How on earth is the average person supposed to even know how many accounts they have on the web, let alone change them all? Yes, well, it’s all very well for you, Mr Security Expert, but here in the real world, things are different. Some people still write their passwords on Post-It Notes, for goodness’ sake.

And even I, who have discovered I have 46 accounts, am now slightly regretting the fact that I’ve uncovered them all. For, to be honest, I’m beginning to remember why I used to use the same password for every site…