What's an efficient way to change my 200+ account passwords?


Solution 1

Honestly, there is none. Not unless they offer an API where you can do remote management on your accounts. Pick and choose. Which ones are the highest priority? Bank, for example, you should change. Forums and other media sites could be ranked lower and changed on a need basis.

PS: I also think people are blowing this heartbleed way out of proportion.

Solution 2

I'm curious what kind of answer you expect to get... A piece of software that cascades password changes over various protocols, sites, procedures, etc.? I'll bite my tongue on my opinion of the cost/benefit of actually changing all those passwords, considering any one of them could be cracked in a reasonable time frame, regardless of whether they are compromised. Instead, I'll recommend you gather contact information for each of these sites and services. Then send an e-mail to all of them requesting your password reset or to re-establish a new password on next login. I don't see any other shortcuts here.

Solution 3

Since your question probably doesn't lend itself to an easy answer, I would propose that you change the passwords of websites based on how vulnerable they make you (loss of money, loss of privacy, loss of reputation, etc.)

Solution 4

I will probably:

  • review the list for sites storing truly sensitive information
  • change those as soon as it seems clear the site is ready for that
  • change the remainder the next time I use the site or if the site requests/forces a change.

This means some of them will never be changed, because I will never use the site again, and that's the source of the efficiency gain over doing them all now. In fact this might eventually provoke a clear-up of pointless accounts. In the context of doing that, changing passwords isn't such a big operation.

I think (although I am not sure) that if I very infrequently use a site then there's relatively little chance of my password on that site having been compromised due to heartbleed. Hence the preference for sites I actually use.

The main danger of that guess being wrong is if it turns out that heartbleed has been actively exploited for a long time. Then there is plenty of opportunity for masses of passwords to have been compromised either directly via heartbleed, or by the use of private keys or admin credentials from heartbleed.

[Edit: it's starting to look like maybe heartbleed has been exploited by the NSA for about as long as it has existed. Will have to wait for more information on that, but in any case I'm not as concerned by the NSA having my passwords as you might expect. If the NSA wants my passwords then it has them, heartbleed is one of only many means by which they might acquire them. If they've had them for two years then another month until I find time to change a bunch of low-value accounts won't make a difference.]

The main danger of delaying the password change is that somebody might already have my password, but either hasn't got around to pulling it out of the GB of data they obtained using heartbleed, or else hasn't got around to using it yet. Hence the preference for more sensitive systems.
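The triage described in Solution 4, as an added example that is not part of the original answer: it buckets a password-manager export by sensitivity, by whether the site has announced its fix, and by how recently the account was used. The CSV column names, the category list and the 365-day staleness cut-off are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample export; column names are assumptions, not any real
# password manager's format. "patched" is filled in by hand from each
# site's own announcement that it has fixed Heartbleed.
SAMPLE_EXPORT = """name,category,last_used,patched
examplebank,finance,2014-04-02,yes
workmail,email,2014-04-09,no
photoforum,forum,2014-03-20,yes
oldgameshop,shopping,2011-06-15,yes
newsreader,media,2014-04-08,no
"""

SENSITIVE = {"finance", "email", "health"}   # assumed high-impact categories
STALE_DAYS = 365                             # assumed cut-off for "never used again"

def triage(export_text, today):
    """Sort accounts into the buckets Solution 4 describes."""
    plan = {"change_now": [], "wait_for_site": [],
            "on_next_use": [], "consider_closing": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        idle = (today - date.fromisoformat(row["last_used"])).days
        sensitive = row["category"] in SENSITIVE
        patched = row["patched"].strip().lower() == "yes"
        if sensitive and patched:
            bucket = "change_now"
        elif sensitive:
            # A new password entered on a still-vulnerable site can leak
            # the same way the old one could, so hold until it is fixed.
            bucket = "wait_for_site"
        elif idle > STALE_DAYS:
            bucket = "consider_closing"
        else:
            bucket = "on_next_use"
        plan[bucket].append((idle, row["name"]))
    # Most recently used first: recent logins had the most exposure.
    return {k: [name for _, name in sorted(v)] for k, v in plan.items()}

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_EXPORT, date(2014, 4, 10)).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```
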

Solution 5

It's questionable if this would actually take less work, but if you're at all handy with JavaScript, you could write yourself some sort of mini-API that (once on the correct page) sought out the correct fields and changed them for you:

https://stackoverflow.com/questions/257255/generic-way-to-fill-out-a-form-in-javascript

The upshot of this is once completed you'd have an easy go-to for future changes. The downside is literally everything else about it.

Author by

Murray Furtado


Updated on September 18, 2022

Comments

  • Murray Furtado
    Murray Furtado almost 2 years

    I have a lot of online accounts, web services, and so on -- personal as well as business -- so obviously(?) I use a password manager to handle them all. Specifically I use Lastpass but my question applies to any and all:

    Given the Heartbleed problem and related questions, even if I wanted to change all my passwords (and shouldn't we all be doing that at regular intervals??), how in the world can I change so many passwords in an efficient manner?

    If I have to visit each service and site individually and change the PW manually, it's clear that it will take a weekend of dedicated work ... password security is good and all but that's just not practical.

    Update: I just used Lastpass's "security challenge" which reports that I have 274 sites and a security score over 83%. Several intranet sites at work reuse the same pw which significantly lowers my score. All my Internet accounts score above 92%.

    • MonkeyZeus
      MonkeyZeus about 10 years
      Please read this fine literature before changing all your passwords: security.stackexchange.com/questions/55283/…
    • MonkeyZeus
      MonkeyZeus about 10 years
      I'm glad you enjoyed my humor :) but in all seriousness there is no easy way out. And I think you may have missed the main point of my link which is this section: Changing passwords on a site that is/was vulnerable to Heartbleed is only effective after
    • unor
      unor about 10 years
      Referencing this question on Information Security: API to change passwords?
    • Lie Ryan
      Lie Ryan about 10 years
      Good thing that we're now moving on to OpenID/OpenAuth based signon. All you need is just change the password for the identity provider and the rest is on the individual websites. Also, do note that it's only worth it to change password for sites that have already updated their OpenSSL library; probably a good number of those 200 websites you have never make any updates on their system even in the face of Heartbleed.
    • Sam
      Sam about 10 years
      It will probably take a weekend of dedicated work.
    • JFA
      JFA about 10 years
      Congratulations on being the one user that actually uses different passwords for each different service.
    • Murray Furtado
      Murray Furtado about 10 years
      @JFA hah, thanks! :-) It's like being chased by a bear, I guess: I don't have to outrun the bear, it's enough if I outrun my buddy!
    • CMCDragonkai
      CMCDragonkai about 9 years
      Dashlane can apparently do this as a service.
  • Admin
    Admin about 10 years
    Are you really sure it's a good idea to trust strangers working for MTurk to change your passwords?
  • Nzall
    Nzall about 10 years
    A lot of websites likely will send a reply back stating "If you wish to reset your password, please click on the following link: password reset link".
  • Quora Feans
    Quora Feans about 10 years
    I can only construe this as a joke, which should go in the comments section in worst case.
  • Michael
    Michael about 10 years
    And then any time any of those sites makes any kind of change to the page in question your script will likely break... :-(
  • Murray Furtado
    Murray Furtado about 10 years
    @Michael, not necessarily. Scripts like SuperGenPass do just that and are both very generic and very successful. It would actually be a useful companion tool once I start changing site passwords. It would be a dead-simple way to have long and unique passwords. Natch, most password managers have something like this but not as one-click easy.
  • Raystafarian
    Raystafarian about 10 years
    The downside seems pretty steep when you put it that way...
  • Michael
    Michael about 10 years
    @TorbenGundtofte-Bruun SuperGenPass appears to use a technique I did manually years ago before I had a keychain: I would take the web site name and run a secret transform in my head to create my password. This abruptly bit me when a site I bought stuff from got bought by a different site (thereby changing its name).
  • Lionize
    Lionize about 10 years
    12 seconds per site sounds optimistic to me even opening every password-change page in tabs. But the principle seems right, this probably is the most efficient way to visit all the sites and change the passwords.
  • krowe
    krowe about 10 years
    LOL, why not skip the middle man and just send your PW manager DB straight to the Russian mob (or some other equally reputable group). On par with advice you'd expect to receive from a guy wearing a DOC jumpsuit.
  • slhck
    slhck about 10 years
    Comments have been purged. Super User is not a discussion forum—comments should be used to ask for clarification (which should later be addressed in the answer) or point out issues in a post. If you want to talk about Heartbleed, Super User Chat would be the best place. Thanks.
  • Deliss
    Deliss about 10 years
    ^ @slhck I suggest they discuss it in a special room for IT Security or suchlike, to avoid overwhelming the regular room. Can you post a link to suitable room?
  • slhck
    slhck about 10 years
    @smci I believe that our main room is actually well suited for that kind of discussion. We usually don't enforce any topics. Information Security also have a chat room.
  • Sandy Gifford
    Sandy Gifford about 10 years
    @Michael I did the same thing, I stopped because I'd have a miniature stroke every time I'd have to reset my password and pick a new one. Anyway, to address what you said earlier: yes, super steep downside, and no, I wouldn't ever have this be the chosen answer; I felt that it was worth leaving here as an alternate solution for any of the braver super users who happened across the question.
  • BillR
    BillR about 5 years
    As do many other password managers 3 or 5 years after the original post in 2014, including LastPass mentioned in the original post.