How to: change your online passwords

(Image: Kryptos - Langley, VA)

You do change your passwords periodically, don't you? Hmm. Well, I guess whatever level of risk of someone stealing all your data that you are comfortable with is your business. You probably spell "retirement planning" as "L-O-T-T-O" too.

I have been feeling the need to change my passwords, both at home and at work. Today, I tackled the home computer & passwords [1].

Let me walk you through the steps I took.

1. Determine your password strategy

There are 2 issues here: are you going to re-use passwords? And how "strong" do your passwords have to be for you to be comfortable?

For password re-use, I use what I call "password groups." Most people re-use passwords [2]; I just try to be strategic about it. I'm not a computer, I can't make up a new strong password for every system and remember it. Prior to today, I had 3 groups [3]:

  1. I have a single password that I re-use for all my "really important stuff:" this includes my online banking and offline banking (financial software).
  2. I have a single password for my "fairly important" things: this includes my main email accounts (not all of them are "main" or really important) and rewards systems (especially the ones that can be used to "spend" rewards).
  3. I have 1 other password for "everything else." All the emails that I use for spam capturing (I have 2), any other online registration that I use but doesn't contain much of import (e.g. eBay, Facebook, etc. - no $$ tied to these ones)

Group #1 is obviously important. But think hard about #2 too: since lots of online accounts resolve back to email via "forgot password" links, someone who steals a #2 email password can reset your #1 passwords and get #1 as well. That's why some of my email accounts aren't in #3: the #2s are more important, because they are the recovery path for everything else.

You may need a different number of passwords. For my re-work, I'm actually going to split group #3 into 3 groups:

  1. Those that have some sort of identity of mine or personal information (the email & social networking)
  2. Those that don't have any information (eBay, etc.)
  3. Those that are "throw-aways" - things that required registration. They get the "Spam catcher email" and they also get a password that has nothing useful attached to it [4]. I also use this password for existing registrations that I don't plan to use anymore, but am not going to delete the account just yet.

Basically, my new list looks like this:

  1. Direct link to my money or financial information
  2. Indirect link to my money or other assets
  3. Personal, non-public information
  4. Everything else
  5. Old and crappy

Good. That answers that question. But what about the passwords themselves?

I've recently been thinking about "passphrases" instead of "strong passwords." This is a method of having passwords that are harder to guess but aren't too hard to remember. Basically a password is something like "p@ssWord84" and a passphrase might be: "ThisisMyPassphraseforGroup1Banking." It's still pretty easy to remember since it's not random.

There is a whole lot of information on passphrases and how they are more secure, but the short answer is this: strength comes mostly from length, not from swapping in symbols. A 34-character passphrase has enormously more possible combinations than a 10-character password, and it stays ahead even if the attacker guesses it word by word instead of character by character, so it is out of reach for a computer to brute-force (at our current state of technology). The one caveat: don't use a famous quotation, song lyric or other well-known phrase, since those show up in attackers' word lists just like single words do. That's my new password approach.

Note: Using passphrases can make life difficult, since some online systems don't allow passwords as long as a passphrase needs to be, or reject certain characters. So you may need to spend some time with some systems trying to find a passphrase length and character set that works for you.
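To put numbers on the passphrase-vs-password argument above, and to show the kind of pre-check that saves you from the length and character-set surprises mentioned in the note, here is a short Python script. It is an added example, not code from the original post: it estimates the attacker's search space for the two secrets quoted above (first as a character-by-character brute force, then pessimistically treating the passphrase as a handful of dictionary words), converts that to a guessing time, and predicts what a site with a restricted alphabet and a length cap would actually store. The guessing rate (one billion guesses per second), the 20,000-word dictionary, the sample site policy (letters and digits only, 16 characters maximum) and the truncation rule are all assumptions of the example; the silent character-stripping behaviour it models is the kind of thing described in step 3 below.

```python
import math
import string

# Character classes an exhaustive attacker is assumed to know are in play
# (worst case for the defender: the alphabet is exactly the classes used).
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def charset_size(secret):
    """Size of the alphabet an exhaustive attacker must cover for this secret."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in secret))
    # Anything outside the four classes (space, non-ASCII) adds at least one symbol.
    if any(not any(c in cls for cls in CLASSES) for c in secret):
        size += 1
    return size


def brute_force_bits(secret):
    """Bits of search space if every string of this length over the charset is tried."""
    if not secret:
        return 0.0
    return len(secret) * math.log2(charset_size(secret))


def wordlist_bits(num_words, dictionary_size, case_variants=2):
    """Pessimistic estimate for a passphrase made of dictionary words: the attacker
    guesses word by word, trying each word in a couple of capitalisations."""
    return num_words * math.log2(dictionary_size * case_variants)


def years_to_search(bits, guesses_per_second):
    """Average time to hit the secret at a given offline guessing rate
    (half the space on average)."""
    seconds = (2.0 ** bits) / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def policy_check(secret, max_length, allowed):
    """Predict what a site with a restricted alphabet and a length cap would store.
    Disallowed characters are dropped silently (as some real sites do); the
    trailing truncation is an assumption of this example, not behaviour the post
    reports. Returns (list_of_problems, stored_form)."""
    problems = []
    dropped = sorted({c for c in secret if c not in allowed})
    if dropped:
        problems.append("characters silently dropped: %s" % "".join(dropped))
    kept = "".join(c for c in secret if c in allowed)
    if len(kept) > max_length:
        problems.append("truncated from %d to %d characters" % (len(kept), max_length))
    return problems, kept[:max_length]


if __name__ == "__main__":
    RATE = 1e9  # assumed offline guessing rate, guesses per second
    password = "p@ssWord84"
    passphrase = "ThisisMyPassphraseforGroup1Banking"
    for s in (password, passphrase):
        bits = brute_force_bits(s)
        print("%-36s charset=%2d  %6.1f bits  ~%.3g years at %.0e/s"
              % (s, charset_size(s), bits, years_to_search(bits, RATE), RATE))
    # Same passphrase judged as 7 common words from an assumed 20,000-word list.
    wb = wordlist_bits(7, 20000)
    print("passphrase as 7 words: %.1f bits, ~%.3g years" % (wb, years_to_search(wb, RATE)))
    # Constructed site policy: letters and digits only, 16 characters maximum.
    problems, stored = policy_check(password, 16, string.ascii_letters + string.digits)
    print("site would store %r; problems: %s" % (stored, problems))
```

Run as-is, the 10-character password comes out around 65 bits (hundreds of years at a billion guesses a second, which sounds fine until you remember that real attacks use word lists and rules rather than pure brute force), while the passphrase is over 200 bits as characters and still over 100 bits even when the attacker knows it is made of ordinary words. The policy check is the part to run before you commit to a passphrase for a particular site: if it reports dropped or truncated characters, the password that site stores is not the one you will type next week.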

Oh, and this probably goes without saying but if you have a lot of passwords to change, block off a good chunk of time. This will take awhile.

2. Backup your passwords

Back up your passwords. Write them down, make a copy that you can get to, or do something before you start purging. You may miss changing one password for an application or file (if you have encrypted files) and not need it for 2 years, by which time that password has long passed from memory. Make a copy and put it somewhere safe, which means encrypted or physically locked up, since that copy is now a list of every account you own.

For myself, most of my passwords are stored in Firefox - so I made a copy of my profile [5], zipped it up, and got it into my regular encrypted backup system. Done. One caveat for anyone doing the same: a copied Firefox profile holds the saved logins in a form that anyone with the files can read unless a master password was set, so the copy really does need to sit inside an encrypted backup. If you store your passwords in Internet Explorer, my condolences. You could also have them in a separate file (like a spreadsheet) or there are programs that manage passwords. Each of these will be a bit different. So long as you can get to old passwords, you should be fine.

3. Create a few passwords: some backups too.

Create a few passwords. There are online tools that I use for generating strong passwords [6], but I'm going with passphrases this time, so I'm not going to use these. Instead, I tried a few websites to see what lengths of passwords I might be dealing with, and then created a few passphrases. I made 7 for my 4 groups - knowing that I might have to switch them if I found an online site that didn't support a certain character or length.

Telus, for example, had this problem. Their online tool ("Online Customer Access" or "OCA" for short) for internet users doesn't work with the "@" symbol. More annoyingly, it will accept your password with the "@" symbol and quietly remove it. You change your password and then it suddenly doesn't work. I figured it out while I was on the phone with tech support one day. I mentioned the problem, but now, 3 years later, it's still a problem.

Moral: make sure you immediately test your password after changing it, by logging out and logging back in with exactly what you intend to type from now on.

4. Make a systematic list and dig in

Fortunately, in Firefox you can review all the saved passwords. Again, Internet Explorer users, my condolences. Firefox isn't all good for this though: you can't copy and paste the list into another place (say, to make a checklist to tick off as you go). I simply went 1 at a time through the list.

The point is, you somehow need a comprehensive list of:

  1. All online locations with passwords
  2. All computer programs with passwords.
    Usual suspects:
    1. Financial Software
    2. Email Software (if you use non web applications)
    3. Online games
    4. Backup software
    5. Blog software
  3. Your Windows login password. This is probably a unique one, but don't forget to change it too (especially if you are in the habit of allowing programs to "remember you" and your passwords, since whoever gets past the Windows login gets all of those for free).
  4. Your router(s)
    Most home networking routers allow for access via the web. Even if you have never changed its password, do so now [7].

Now you're ready. Just change all those passwords. If you have saved passwords (in Firefox or any other system), once each one is changed, log back in with the new password (to test it and also to save it in your system).

Don't you feel safer now? No? Yeah, I don't feel much safer either, but it's good for you to do periodically.

References

  1. "Why?" you ask. Well, I finally closed the thought loop on an open question of "password style" (passphrases vs. strong passwords) - I've got a thorough analysis of this partially written up, stay tuned. Also, it has been a really, really long time. At home especially. Some of the password groups that I use I've had for over a decade. That's ridiculous and not safe.
  2. Password re-use statistics: 62% of users re-use passwords for more than 1 website, according to http://www.pcpro.co.uk/news/106758/password-reuse-opens-door-to-id-theft.html
  3. I also have a variety of "one-off" things where I could use a pre-existing password. And my #3 passwords I mostly changed a few years ago, but there are still some stragglers.
  4. This is especially useful for websites where I don't trust their storage of passwords - I don't know the website at all, and who knows how secure my password is with them.
  5. The fact that a Firefox profile is just files that you can copy and move around is great for backups and for moving to another machine.
  6. My favorite site: http://www.pctools.com/guides/password/. I actually have a saved page with already generated passwords from this site: http://tinyurl.com/6m6w9y which is actually what I usually hit.
  7. If you haven't done this (or had someone set up your network who didn't) you may have other potential security problems (especially if that router is wireless). While the trend among manufacturers of home networking equipment used to be to default to less secure settings, fortunately that's less common now, and often the setup software will prompt you to change the router's password.

Monday, June 23, 2008, 12:00 AM

tagged: computermaintenance, howto, passphrases, passwords, security