During the last few weeks I changed my password on over 600 websites. It took a long time. It was not fun. But I did make some observations along the way.
First, if you need to change your password on a bunch of websites, save yourself a lot of time and trouble by resetting your password with the “forgot my password” link. This works pretty much the same way on most websites (unlike the password-changing process, which may not even exist). It’s faster, even accounting for the short wait for the reset email to arrive. (These transactional emails typically come quickly and avoid the spam bucket.) And it doesn’t require a clipboard juggling act with your current and new passwords.
Some sites have a secret length limit which they quietly enforce. So you enter a longer password and it accepts it, then silently truncates it for you. Now you don’t really know your password: what the site stored is only a prefix of what you typed.
Most sites where you’re keeping money enforce terrible password rules. They require passwords to be very short and use very specific combos of upper, lower, and special characters, which only serve to reduce the search space, even if they mean well. It’s unfortunate, but at least they almost always require (instead of simply offering) some form of two-factor authentication. It’s normally SMS-based, but let’s not go down that particular rabbit hole right now.
One more thing about requiring short passwords. It’s a bit of a red flag. Length limits on passwords say something about their hashing procedure. When you run into this, make sure you’re using whatever TFA they offer. There are still some sites that email your password instead of a link to reset it. If they have your password in plaintext (and are willing to email it), consider the whole thing to be insecure.
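To make the truncation problem from the two paragraphs above concrete, here is an added example (my own code, not from the post or any site it mentions) that simulates a store which silently keeps only the first 8 characters, a hardened store that rejects over-long input instead, and a self-test a developer can run against their own password store to find out whether it is truncating. The limits, salts and iteration count are constructed for the demo.

```python
import hashlib
import hmac

ITERATIONS = 20_000   # kept low so the demo runs quickly; use far more in production
LEGACY_MAX = 8        # constructed: the undisclosed cut-off the legacy scheme enforces
HARD_MAX = 128        # the documented, enforced limit in the hardened scheme


def legacy_store(password: str, salt: bytes) -> bytes:
    """Simulated legacy scheme: only the first LEGACY_MAX characters are hashed."""
    truncated = password[:LEGACY_MAX].encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", truncated, salt, ITERATIONS)


def hardened_store(password: str, salt: bytes) -> bytes:
    """Hardened scheme: reject over-long input instead of truncating, hash every byte."""
    pw = password.encode("utf-8")
    if len(pw) > HARD_MAX:
        raise ValueError(f"password exceeds {HARD_MAX} bytes")
    return hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS)


def verify(store_fn, password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison against the stored hash, for either scheme."""
    return hmac.compare_digest(store_fn(password, salt), stored)


def truncation_length(store_fn, max_len: int = HARD_MAX):
    """Self-test for a password store: returns the position past which input is
    ignored, or None if every character influences the hash.  If flipping
    character i leaves the hash unchanged, so does flipping any later one, so a
    binary search over positions finds the cut-off with O(log n) hashes."""
    salt = b"constructed-probe-salt"
    base = "x" * max_len

    def collides(i: int) -> bool:
        flipped = base[:i] + "y" + base[i + 1:]
        return store_fn(base, salt) == store_fn(flipped, salt)

    if not collides(max_len - 1):
        return None
    lo, hi = 0, max_len - 1  # invariant: collides(hi) is True
    while lo < hi:
        mid = (lo + hi) // 2
        if collides(mid):
            hi = mid
        else:
            lo = mid + 1
    return lo
```

With the legacy store, any password sharing the first 8 characters verifies, and `truncation_length(legacy_store)` reports 8; the hardened store returns None from the same check.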
Another secret password rule – a lot of sites can’t handle a password where the first character is anything other than a letter, and they hardly ever mention this. You might as well get in the habit of making sure the first character in all of your new passwords is a letter. If you’re following all the rules they list and it still won’t accept your change, this is probably why.
A lot of sites have a message saying they require some special characters like @, #, $, and &. You’ll get used to that message and just see it without really having to read it. Then your password will get rejected and you’ll scan back through the rules. Length, upper, lower, specials… yeah, got all that. Ah, this time it said NO special characters. [shakes fist]
It’s very rare, but I’ve run into some sites that will allow you to reset your password using your previous password. At one point Gmail did this but I’m not sure if that’s still the case. So if by chance your entire password vault has been compromised you might want to change some passwords twice.
Password hints suck. If you’re required to set them treat them just as you do passwords – make them random and different for every site. My favorite book is Snowcrash. Oh no, was I supposed to keep that secret?
One of the single most egregious behaviors I’ve run into comes to us courtesy of treasurydirect.gov. They bring us next-level stupid, anti-user behavior. They disable pasting in the password field AND require you to enter your password with your mouse using their virtual keyboard. Such garbage. It essentially forces users to choose short, simple passwords. But just to make it more user friendly, passwords are not case-sensitive!
I’m down to just a couple of hundred passwords left to change. This is ridiculous. This needs to be fixed.