Late Thursday night, I turned my production desktop and credit card access over to my 16-year-old son, so he could order up some entertainment for himself and a group of friends over the weekend. “Dad,” he said as he fired off Chrome to take care of that business, “Norton says you urgently need to change some passwords. And your overall security rating is only 61%.” Chastened by his remarks, I realized I’d been ignoring the safety checks now built into Norton 360 (which I keep using on my production PC because it’s got all my accounts and passwords in its Password Manager facility). Chrome and Firefox will also happily perform password checks on age and strength. They can also (as does Norton) report when known breaches at certain websites or account holders raise the likelihood that an account/password combination is compromised. A quick inspection across those facilities revealed some pretty grim statistics:
+ Of my 381 accounts, over 150 were classed as “old.” That means accounts with passwords that hadn’t been changed in 12 months or more.
+ Of those accounts, a similar number were classed as having “weak” passwords — which means lacking in length, complexity, or a good mix of upper/lower case, numeric, and “special” characters.
+ Over 200 showed up as “Duplicate” entries, which means they use passwords that other accounts use as well. Ouch! A definite security no-no, and one that’s proving hard to fix.
+ As many as half-a-dozen accounts reported “potential compromise” owing to security breaches at associated websites or operating companies.
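The four findings above (old, weak, duplicate, possibly compromised) are easy to reproduce against a password-manager export once the definitions are pinned down. The script below is an added example, not Norton's, Chrome's or Firefox's code, and the thresholds (12 months, 12 characters, three character classes) and the "health score" are my own approximations of what those tools report, not their actual formulas. The vault entries and the breach list are constructed for the demonstration; none of the sites or credentials are real.

```python
"""Offline audit of a password-manager export for old, weak, duplicate and
possibly compromised credentials (added example; rules are approximations)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
import string


@dataclass(frozen=True)
class Entry:
    site: str
    username: str
    password: str
    changed: date  # date the password was last set


# Constructed sample vault; none of these sites, users or secrets are real.
VAULT = [
    Entry("shop.example", "ed", "Summer2019!", date(2019, 6, 1)),
    Entry("bank.example", "ed", "Kq7$mVp2!xLw9#Rt", date(2024, 11, 2)),
    Entry("forum.example", "ed", "password", date(2022, 1, 1)),
    Entry("news.example", "ed", "Summer2019!", date(2024, 12, 1)),
    Entry("mail.example", "ed.tittel", "correct horse battery staple", date(2024, 6, 1)),
    Entry("router.local", "admin", "admin", date(2020, 1, 1)),
]

# Constructed breach list (hypothetical): site -> date the breach is believed
# to have happened. A password set on or before that date is treated as exposed.
BREACHES = {
    "forum.example": date(2023, 3, 15),
    "news.example": date(2024, 10, 1),  # password was rotated after this date
}

TODAY = date(2025, 1, 10)  # fixed "today" so the report is reproducible

CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def is_old(entry, today, max_age_days=365):
    """'Old' in the sense used above: not changed for 12 months or more."""
    return (today - entry.changed).days >= max_age_days


def is_weak(password, min_len=12, min_classes=3):
    """Length-and-mix heuristic: too short, or fewer than three character classes."""
    classes = sum(1 for cls in CHARACTER_CLASSES if any(c in cls for c in password))
    return len(password) < min_len or classes < min_classes


def duplicate_groups(vault):
    """Groups of sites that share one password. Only site names are returned,
    so the report itself never carries the secrets."""
    by_password = defaultdict(list)
    for entry in vault:
        by_password[entry.password].append(entry.site)
    return [sites for sites in by_password.values() if len(sites) > 1]


def is_possibly_compromised(entry, breaches):
    """Flag a password that predates a reported breach of its site."""
    breached_on = breaches.get(entry.site)
    return breached_on is not None and entry.changed <= breached_on


def audit(vault, today, breaches=BREACHES):
    report = {
        "old": [e.site for e in vault if is_old(e, today)],
        "weak": [e.site for e in vault if is_weak(e.password)],
        "duplicate": duplicate_groups(vault),
        "compromised": [e.site for e in vault if is_possibly_compromised(e, breaches)],
    }
    flagged = set(report["old"]) | set(report["weak"]) | set(report["compromised"])
    for group in report["duplicate"]:
        flagged.update(group)
    # Health score: share of entries with no finding at all (my metric, not Norton's).
    report["score"] = round(100 * (len(vault) - len(flagged)) / len(vault))
    return report


if __name__ == "__main__":
    result = audit(VAULT, TODAY)
    for finding in ("old", "weak", "duplicate", "compromised"):
        print(f"{finding:12s} {result[finding]}")
    print(f"score        {result['score']}%")
```

Two things worth noticing in the output: the news.example entry is not flagged as compromised because its password was changed after the breach date, which is exactly the distinction a manager's breach check has to make; and the long lowercase passphrase on mail.example is flagged "weak" by the character-mix rule even though its length makes it stronger than most of the others, a known blind spot of these heuristics.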
Doing the Password Change Drill
Most of getting right with security means changing passwords for accounts with old, duplicated, or weak passwords. It should be an easy thing to do, but often it’s not. Many websites or logins (if not a majority, then close to it) require a reset through the email address associated with the account, or a one-time numeric code of six or more digits sent to an affiliated cellphone. When email is involved, the wait time for reset messages varies from seconds to hours (or longer, in a few cases), depending on how promptly the site or service operator sends the reset message off. In a frustratingly large number of cases, the reset message never arrived. I started getting pretty ruthless about canceling accounts I decided I didn’t want any more, or wasn’t likely to use again, especially for sites that informed me I had to call in to handle a password reset by phone because of too many failed attempts (maddening, after a first try).
Then there’s the interesting issue of Norton’s Password Manager in light of Chrome and Firefox also including similar facilities. More than once, I figured out that I’d updated a password in one or both browsers, but not in Norton, and had to work through a laborious manual synchronization process. Then there are password formulation rules, which vary from site to site. This occasionally caused issues with password generation, because the generated passwords either used special characters the site couldn’t handle, or lacked characters the site required. Too many times, I had to fiddle around with randomly generated passwords, by repeated trial and error against various manipulations, to get them to work. Sigh.
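The trial-and-error loop just described goes away if the generator is told the site's rules up front: which non-alphanumeric characters the site accepts, which character classes it demands, and its length range. The code below is an added example (not the Norton, Chrome or Firefox generator); the three site policies are constructed and hypothetical, and `violations()` names each rule a candidate breaks so a rejected password can be diagnosed rather than guessed at.

```python
"""Policy-aware password generation and checking (added example; the site
policies below are constructed, not any real site's rules)."""
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class SitePolicy:
    name: str
    min_len: int = 12
    max_len: int = 64
    specials: str = string.punctuation  # the only non-alphanumerics the site accepts
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True


# Constructed policies (hypothetical sites) covering both failure modes above:
# sites that reject most punctuation, and a site that demands a narrow set.
POLICIES = {
    "bank.example": SitePolicy("bank.example", min_len=8, max_len=16, specials="!@#$%"),
    "legacy.example": SitePolicy("legacy.example", min_len=8, max_len=12,
                                 specials="", require_special=False),
    "shop.example": SitePolicy("shop.example", min_len=10, max_len=20, specials="-_."),
}


def violations(password, policy):
    """Every rule the candidate breaks, as short strings (empty list = accepted)."""
    problems = []
    if len(password) < policy.min_len:
        problems.append(f"too short ({len(password)} < {policy.min_len})")
    if len(password) > policy.max_len:
        problems.append(f"too long ({len(password)} > {policy.max_len})")
    allowed = set(string.ascii_letters + string.digits + policy.specials)
    rejected = set(password) - allowed
    if rejected:
        problems.append("disallowed characters: " + "".join(sorted(rejected)))
    checks = (
        (policy.require_upper, string.ascii_uppercase, "missing uppercase letter"),
        (policy.require_lower, string.ascii_lowercase, "missing lowercase letter"),
        (policy.require_digit, string.digits, "missing digit"),
        (policy.require_special, policy.specials, "missing special character"),
    )
    for required, charset, message in checks:
        if required and not any(c in charset for c in password):
            problems.append(message)
    return problems


def generate(policy, length=20):
    """Draw one character from each required class, fill the rest from the
    full allowed alphabet, then shuffle; everything comes from the OS CSPRNG."""
    if policy.require_special and not policy.specials:
        raise ValueError(f"{policy.name}: requires a special character but allows none")
    length = max(policy.min_len, min(length, policy.max_len))  # clamp to the site's range
    required_pools = [
        pool for required, pool in (
            (policy.require_lower, string.ascii_lowercase),
            (policy.require_upper, string.ascii_uppercase),
            (policy.require_digit, string.digits),
            (policy.require_special, policy.specials),
        ) if required
    ]
    if length < len(required_pools):
        raise ValueError(f"{policy.name}: length {length} cannot hold all required classes")
    alphabet = string.ascii_letters + string.digits + policy.specials
    chars = [secrets.choice(pool) for pool in required_pools]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    password = "".join(chars)
    assert not violations(password, policy), "generator and checker disagree"
    return password


if __name__ == "__main__":
    generic = "x#Q9@rT{2}~pL&vW"  # a typical untailored manager-generated password
    for name, policy in POLICIES.items():
        print(f"{name}: generic candidate -> {violations(generic, policy) or 'accepted'}")
        print(f"{name}: tailored -> {generate(policy)}")
```

Running it shows the generic 16-character password failing each site for a different reason (characters the bank rejects, too long for the legacy site, the wrong kind of special character for the shop), while the tailored output passes the same checker first time. The legacy policy also shows the flip side: `violations("Password1", ...)` is empty there, so a site's rules being satisfied says nothing about the password being strong.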
By the time I was done enough to call it a day yesterday, I had put over 6 hours into the cleanup effort. I’ve still got some work left to go (mostly to delete remaining duplicates). But I also keep stuff in Norton Password Manager that it doesn’t like — such as logins for local private IP address entities including my cable modem, a wireless access point, my networked printers, Xbox, and more. These cannot be compromised unless somebody takes up presence on my LAN, which means I don’t worry about them all that much. If somebody’s already in my house working on one of my PCs (or using one of theirs on premises) I’ve got bigger problems than password security (unless they’re doing so with my permission and consent, in which case I’m also watching what they’re doing quite closely). There are also some accounts I’m still having trouble accessing: I’ll give my reset efforts another day or two, then delete them. If I can’t access them, I don’t need to keep their account, password, and other info around, either.
An Occasional, But Necessary Chore
Given the importance of our online lives nowadays, I’d have to assert that this kind of cleanup and review is an occasional necessity. Norton seems to think that once a year is pretty much mandatory. I’m inclined to agree that yearly clean-up is as far as any of us should let things go. Then it’s high time to check what’s what, and to change those things — such as duplicated, weak, or possibly compromised credentials — that could indeed cause trouble rather easily. ‘Nuff said, except: “Please! Go and do likewise when you have time. Don’t wait too long, either.”
Author: Ed Tittel
Ed Tittel is a 30-plus-year computer industry veteran. He’s a Princeton and multiple University of Texas graduate who’s worked in IT since 1981 when he started his first programming job. Over the past three decades he’s also worked as a manager, technical evangelist, consultant, trainer, and an expert witness. See his professional bio for all the details.