Changing Passwords

During the last few weeks I changed my password on over 600 websites. It took a long time. It was not fun. But I did make some observations along the way.

First, if you need to change your password on a bunch of websites, save yourself a lot of time and trouble by resetting your password with the “forgot my password” link. This works pretty much the same way on most websites (unlike the password changing process, which may not even exist). It’s faster, even accounting for the short wait for the reset email to arrive. (These transactional emails typically come quickly and avoid the spam bucket.) And it doesn’t require a clipboard juggling act with your current and new passwords.

Some sites have a secret length limit which they quietly enforce. So you enter a longer password and it accepts it, and quietly truncates it for you. Now you don’t really know your password.

Most sites where you’re keeping money enforce terrible password rules. They require passwords to be very short and use very specific combos of upper, lower, and special characters, which only serve to reduce the search space, even if they mean well. It’s unfortunate, but at least they almost always require (instead of simply offering) some form of two-factor authentication. It’s normally SMS-based, but let’s not go down that particular rabbit hole right now.

One more thing about requiring short passwords. It’s a bit of a red flag. Length limits on passwords say something about their hashing procedure. When you run into this make sure you’re using whatever TFA they offer. There are still some sites that email your password instead of a link to reset it. If they have your password in plaintext (and are willing to email it) consider the whole thing to be insecure.

Another secret password rule – a lot of sites can’t handle a password where the first character is anything other than a letter, and they hardly ever mention this. You might as well get in the habit of making sure the first character in all of your new passwords is a letter. If you’re following all the rules they list and it won’t accept your change this is probably why.

If you paste in a 35 character password and get an error that says “passwords must be at least six characters” it’s too long. There’s so much bad JavaScript out there.

A lot of sites have a message saying they require some special characters like @, #, $, and &. You’ll get used to that message and just see it without really having to read it. Then your password will get rejected and you’ll scan back through the rules. Length, upper, lower, specials… yeah, got all that. Ah, this time it said NO special characters. [shakes fist]

If you’re signed in and changing your password most sites will require you to enter your current password, then enter your new password twice. Occasionally some monster will change the order so it’s new password twice, then your current password. Those people should be jailed, but that’s not why I brought this up. Some of these will enforce their crazy password rules on the CURRENT password field. I guess they’re just so proud they got their little JavaScript working they want to put it everywhere. Yeah… So years ago when you joined and they didn’t have that rule your password was okay. But now it violates their rules and for some insane reason they are enforcing it on a field where they are asking for your current password. I wish I was making this up. There’s only one reasonable thing to do here – cancel your account and never use that site again. Alternatively, use the forgot password link which frequently bypasses this nonsense.
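For site owners, here is what the opposite of the failures above looks like: over-length passwords are rejected with their own error instead of being truncated, "too long" is never reported as "too short", the first character is unrestricted, and policy is applied only to the new password. This is an added example, not code from any site mentioned here; the policy values, field names and the `verifyCurrent` callback are assumptions.

```javascript
// Hypothetical policy values chosen for illustration.
const POLICY = { minLength: 12, maxLength: 128 };

// Count code points rather than UTF-16 units so non-ASCII input is measured consistently.
function codePointLength(s) {
  return Array.from(s).length;
}

// Validate a NEW password. Returns distinct error codes and never modifies the input.
function validateNewPassword(pw) {
  const errors = [];
  const len = codePointLength(pw);
  if (len < POLICY.minLength) errors.push("too_short");
  if (len > POLICY.maxLength) errors.push("too_long"); // reject, never truncate
  // No rule about the first character or about which symbols are allowed.
  return errors;
}

// Handle a change-password form with fields { current, next, confirm }.
// verifyCurrent is a caller-supplied function (assumed) that checks the
// submitted current password against the stored hash.
function changePassword(form, verifyCurrent) {
  // The current password is only compared. No length or composition rule is
  // applied to it, so accounts created under older rules can still change.
  if (!verifyCurrent(form.current)) {
    return { ok: false, errors: ["current_incorrect"] };
  }
  if (form.next !== form.confirm) {
    return { ok: false, errors: ["confirm_mismatch"] };
  }
  const errors = validateNewPassword(form.next);
  if (errors.length > 0) {
    return { ok: false, errors };
  }
  // toHash is exactly what the user typed; this is the value handed to the hasher.
  return { ok: true, errors: [], toHash: form.next };
}
```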

It’s very rare, but I’ve run into some sites that will allow you to reset your password using your previous password. At one point Gmail did this but I’m not sure if that’s still the case. So if by chance your entire password vault has been compromised you might want to change some passwords twice.

Password hints suck. If you’re required to set them treat them just as you do passwords – make them random and different for every site. My favorite book is Snow Crash. Oh no, was I supposed to keep that secret?

One of the single most egregious behaviors I’ve run into comes to us courtesy of treasurydirect.gov. They bring us next level stupid, anti-user behavior. They disable pasting in the password field AND require you to enter your password with your mouse using their virtual keyboard. Such garbage. It essentially forces users to choose short, simple passwords. But just to make it more user friendly passwords are not case-sensitive!

I’m down to just a couple of hundred passwords left to change. This is ridiculous. This needs to be fixed.