Changing Passwords After a Breach Is Still Way Too Hard
More people would use unique passwords if sites would play nice with password managers.
Yahoo's announcement earlier this week that 500 million user accounts were compromised inspired another prolonged sigh, at a time when data breaches are so commonplace they sometimes seem like background noise.
According to the company, a "state-sponsored actor" was responsible for the breach, which exposed "names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers." The notification also came a month after a hacker known as "Peace" posted to a cybercrime forum claiming to have data from 200 million Yahoo accounts for sale.
Security experts have repeatedly offered sound advice after such breaches: Never reuse passwords and start using a password manager, which generates unique passwords for each login and stores them in one encrypted file protected by a single, strong "master" password. But one thing that remains unnecessarily frustrating about this setup is the crucial post-breach task of identifying and changing a potentially compromised password.
If, like me, you're someone who uses a password manager (and you really, really should look into it if you're not), you've probably noticed just how annoying it is to do this. Since all of your passwords are stored in one encrypted file, a data breach anywhere requires you to not only go to the affected site and change your password, but also update your password file with the new password for that login.
Specifically, that means you have to:
- Get notified when a breach occurs
- Go to the site and initiate a password reset
- Open your password manager and generate a new random password for that site
- Copy the new password into the site's password reset form
- Save the new login information in your password manager
This is all worth it in the end, because it means you can easily log in to any site or app with one or two clicks without having to remember any of the actual usernames or passwords (usually through a browser extension that automatically fills them in).
But every time I introduce people to password managers (I help train local activists and community organizers in computer security in my spare time), this vigilant process of constantly generating new, unique passwords is always the biggest hurdle to convincing them to adopt the password manager lifestyle.
A big part of the problem is that no password manager has a really effective system for notifying users about data breaches and helping them respond. 1Password's Watchtower, which was initially created to handle the infamous Heartbleed vulnerability in 2014, is supposed to notify you when a site you have saved in your password vault is at risk. But in my 2 years of using it I've never gotten a single notification, despite being affected by plenty of breaches.
Even if you are notified, updating your password using a password manager is still a pretty clunky experience. Most password managers have browser extensions that auto-detect when you're entering login information into a form, and offer to save it to a new or existing entry in your password manager's vault.
But the password reset forms on most sites are formatted differently from their login screens, and as a result you often end up with multiple password entries for the same site or app. Then, the next time you go to auto-fill your login information, the password manager will often wind up entering your old password instead of the new one—unless you manually go into your password vault and modify or delete the duplicate entries. Even more irritating, sites like Google have separate screens for entering a username and password, making password managers' auto-fill process unnecessarily arduous.
To be totally clear, none of this should convince you not to use a password manager. The inconvenience of having to do occasional maintenance in the aftermath of a breach is far preferable to putting yourself at risk by using the same password everywhere.
But in a world where data breaches happen practically every week, websites and developers should work together on making the password-changing process as painless as humanly possible for people who use password managers. Sites could adhere to a password manager-friendly template for their login and password reset screens, so that password manager apps could more easily point compromised users to those forms and securely record the new password inside their password file.
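One concrete form such a template could take, shown here as an added example that is not from the article or any particular site: it uses the HTML standard's autofill field names (`username`, `current-password`, `new-password`), which mainstream browsers and password managers already recognize, so a manager can tell a login form from a reset form and update the existing vault entry rather than creating a duplicate. The URLs, field names and email address are illustrative placeholders.

```html
<!-- Login screen: both fields in one form, with the standard autofill tokens
     so the manager knows which entry to fill. -->
<form action="/login" method="post">
  <label>Email
    <input type="email" name="email" autocomplete="username" required>
  </label>
  <label>Password
    <input type="password" name="password" autocomplete="current-password" required>
  </label>
  <button type="submit">Sign in</button>
</form>

<!-- Password reset screen. "new-password" tells the manager to offer a
     generated password and to save it over the existing entry for this
     account instead of creating a second one. -->
<form action="/account/password" method="post">
  <!-- Keep the account identifier in the form even when it is not editable,
       so the manager can match the reset to the right vault entry.
       The address is a placeholder value. -->
  <label>Email
    <input type="email" name="email" value="alice@example.com"
           autocomplete="username" readonly>
  </label>
  <label>Current password
    <input type="password" name="old_password" autocomplete="current-password" required>
  </label>
  <label>New password
    <input type="password" name="new_password" autocomplete="new-password" required>
  </label>
  <label>Confirm new password
    <input type="password" name="new_password_confirm" autocomplete="new-password" required>
  </label>
  <button type="submit">Change password</button>
</form>
```

Sites that split username and password across separate screens (the Google case mentioned above) can apply the same idea by carrying the `username`-tagged field over to the password-only screen, so the manager still sees which account the password belongs to.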
The integration wouldn't be easy or cheap, but users have a lot to gain from using password managers—and they deserve better.