Another geeky post I’m afraid, but this completes a logical trio of posts about online account management (see also I Just Want to Delete my Account and Rant About Website Logins). So in the last instalment I explained how I had managed to delete a lot of my online accounts but that left me with about seventy that I still use (or am likely to want to use at some point). Now I am sure you have often seen security advice about periodically changing your passwords. Well the vast majority of my accounts used one of three different passwords, one of which I first used probably ten years ago. So my next little project was to change all my passwords.
Some people advise using a different password for every online account you have, and there are good reasons for this. You might sign up for an account on a dodgy site which just records your username and password then tries them on all sorts of popular websites, hoping that you have an account with the same combination on one of them. Because I have so many accounts, and not all of them work with the Mac OS X Keychain, I decided not to follow this advice too strictly. So first I thought up some new passwords that I had never used before and wrote them down on a piece of paper, calling them p1, p2, p3 etc. I used some of them as passwords for a single account, in particular those which I rely on a lot or where the consequences of unauthorised access would be more than an inconvenience. The others I decided to use for whole groups of existing accounts. Now, knowing which password I wanted to use for each account, I set about logging in to the accounts and trying to change the password. Sometimes it was easy but there were a number of problems, and the main purpose of this post is to make a record of them, so here goes.
On a few sites I never managed to find any way of changing my password – it seems like you are stuck forever with whatever password you use when you sign up. Then there were sites where you can’t choose a new password yourself but you can request a password reset, which is not very secure because the plain text of your new password is sent to you by email. Also, if someone somehow gets control of your email account they might go to various popular websites and request a password reset for that address, thereby possibly gaining control of more accounts. Some websites may ask a security question before sending a password reset but many don’t – they assume that only you will ever be able to access emails sent to your address.
With a couple of accounts I followed the procedure to change my password and it seemed to work but it didn’t actually take effect – I still need to look into that. Having to change my password on so many sites, I became aware of the total lack of standardisation, which made it quite a frustrating experience. Even just finding where to go to change your password was often tricky. You are almost always asked to enter your new password twice, which is a good feature because without it you may make a typo and set it to something other than what you intended, forcing you to try all likely typos or give up and request a password reset. Many sites have a useful “password strength meter” which lets you know how unguessable your password is as you enter it.
Now the big question – what sort of passwords are allowed on a site? Here again there is a total lack of standardisation, both in the allowed range of password length and in the set of allowed characters. Some sites allow essentially any ASCII characters while others allow only alphanumeric characters, and many others allow alphanumeric plus a small range of symbols. On top of that, sites will often require passwords to include both letters and numbers or a mixture of upper and lower case. I guess some might even require at least one non-alphanumeric character. So in general it may not be possible to construct a single password which satisfies the requirements of a given set of websites. I came unstuck because all my new passwords contained at least one non-alphanumeric character, so I couldn’t use them on some websites. I came across at least four websites that require alphanumeric passwords and at least four others that severely constrain the symbols allowed (of those, all allowed an underscore, three allowed a hyphen, two allowed a period, and one allowed an asterisk and a caret). So I had to come up with one more password (alphanumeric) to use for this group of accounts.
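To make the "no single password fits every site" problem concrete, here is an added Python example (not from the original post) that encodes a few constructed policies of the kinds described above, lists which rules a candidate password breaks on each, and works out whether one shared password can exist at all. The policy names and rules are invented for illustration.

```python
import string
from dataclasses import dataclass

@dataclass
class Policy:
    """Constructed password policy for one hypothetical site."""
    name: str
    min_len: int = 8
    max_len: int = 64
    allowed_symbols: str = ""      # symbols accepted besides letters and digits
    require_digit: bool = False
    require_letter: bool = False
    require_mixed_case: bool = False
    require_symbol: bool = False

    def violations(self, pw):
        """Return the list of rules this password breaks (empty = accepted)."""
        problems = []
        if not self.min_len <= len(pw) <= self.max_len:
            problems.append(f"length {len(pw)} not in {self.min_len}..{self.max_len}")
        allowed = set(string.ascii_letters + string.digits + self.allowed_symbols)
        bad = sorted(set(pw) - allowed)
        if bad:
            problems.append("disallowed characters: " + "".join(bad))
        if self.require_digit and not any(c.isdigit() for c in pw):
            problems.append("needs a digit")
        if self.require_letter and not any(c.isalpha() for c in pw):
            problems.append("needs a letter")
        if self.require_mixed_case and not (
            any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
            problems.append("needs upper and lower case")
        if self.require_symbol and not any(c in self.allowed_symbols for c in pw):
            problems.append("needs a symbol")
        return problems

# Constructed policies mirroring the rule types the post describes.
POLICIES = [
    Policy("alnum-only", require_digit=True, require_letter=True),
    Policy("underscore-hyphen", allowed_symbols="_-", max_len=16),
    Policy("lenient", allowed_symbols=string.punctuation, require_mixed_case=True),
    Policy("symbol-required", allowed_symbols="_-.*^", require_symbol=True),
]

def check_all(pw, policies=POLICIES):
    """Map each policy name to the violations a candidate password incurs."""
    return {p.name: p.violations(pw) for p in policies}

def common_symbols(policies=POLICIES):
    """Symbols every policy accepts: the only ones usable in a shared password."""
    common = set(string.punctuation)
    for p in policies:
        common &= set(p.allowed_symbols)
    return "".join(sorted(common))

def shared_password_possible(policies=POLICIES):
    """False when some policy demands a symbol but no symbol is accepted by all."""
    return not (any(p.require_symbol for p in policies) and not common_symbols(policies))
```

Running `check_all("Summer_2010!")` shows the same password accepted by the lenient site and rejected by the other three, and `shared_password_possible()` is false for this set because the alphanumeric-only site leaves no symbol the symbol-requiring site can use.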
In the end I managed to change the vast majority of my passwords and only about half a dozen are still using old ones. I am glad to be done with it now and I have this vague idea about some sort of utopian solution where all websites that have user accounts share the same standardised system for creating an account, logging in, changing password, logging out, and deleting an account.