Password Follies

Buadhai

macrumors regular
Jan 15, 2018
105
42
0
70
Korat, Thailand
www.mgnewman.com
1Password keeps nagging me about the fact that they have detected over 900 passwords and websites that need my attention:

[Image: Screenshot 2019-08-21 06.30.37.jpg]

I find this task to be tedious, boring and incredibly maddening. How did the IT world let us get into this mess in the first place?

I only have sufficient patience to work on this for about an hour at a time and no more than once a week. This morning I spent an hour and only managed to clear about ten problems. If I continue to do ten per week (not likely) it will take me nearly two years to finish.

The problems that crop up are wondrously varied. In some cases the 1Password entry is outdated and when I attempt to change the password the website informs me that I've entered the wrong "old" password. Sometimes I can find the correct old password in my Keychain. I try to be diligent in keeping 1Password up to date when I use a Safari suggested password, but clearly I have not been diligent enough. In some cases I have to go through the tedious and failure-prone "lost password" procedure.

Sometimes the website presents one of those confusing captcha puzzles. These baffle me. Is the pole which supports a traffic signal part of the signal? Is that scrap of white at the corner of the square part of the pedestrian crossing or just a photographic artifact? I usually require multiple attempts to solve the captcha puzzle. (I've never been much good at puzzles.)

In other cases the Safari generated password is insufficiently complex. For example, my web hosting company rejected the following:

byrrEj-fyrvah-docfy7

I feel comfortable posting it here because I didn't use it and hope that Safari will not generate this same password for someone else. In this case I ended up using 1Password's password generator to create a password that is 22 characters long. It had to be that big for the website to accept it.

In some cases the subject website is long gone so I can safely just delete the 1Password entry. (Remember Northwest Airlines?)

On the Bombich Software page (Carbon Copy Cloner) I logged in with the password copied from my Keychain. But, when I went to the change password page it told me that my "old" password was wrong. How could it be right when I logged in but wrong when I want to change my password? I've submitted a support request.

On the Divers Alert Network (DAN) page I searched high and low for the password change section. Never found it. I sent email asking where it is. They sent back, by email, a link that is six lines long. They introduce it with: "Thank you for informing us that you have forgotten your DAN World Member Portal password." Well, I didn't forget it, did I? So, it appears DAN has no way to change your password online unless you write to them and tell them you forgot it. Amazing.

I've written this mainly to vent my frustration. I feel better now.
 

LizKat

macrumors 603
Aug 5, 2004
5,266
28,942
0
Catskill Mountains
i can tack in one that almost launched me to the moon.. Some quilter's mag site that when I signed up for an account, just required an email address and said i'd get an activation letter.

So that came to the email address and i opened it and it welcomed me and said here is your password, welcome aboard.

So i figure ok i'll log in and then change the pass, and i get there and log in and there's no way to change the pass. So i write them a letter and complain there's no way to change the pass and i want it changed so it's secure, how to do that, they mail me a phone number, i call it, explain the issue, he says no problem do you want to pick a pass i'll set it up for you, i said ok and spelled one out and he said ok you're good have a nice day

i hang up and sign into the account and it works so i figure ok i'm good, next time i open my mail there's a letter from them confirming my new password in the clear.
 

LizKat

well do a little prioritizing if you haven't already, to cut down on the tedium

Just focus at first on fixing any that are still vulnerable or duplicated that are linked to any credit cards or personal / financial data.

most of us have some setups that just required an email and password and that's all they got, so they're not much of a priority -- unless they duplicate a password used elsewhere that's on a more sensitive setup.
 

Buadhai

Yeah, that's what I'm doing. It's still tedious. Of course many of these passwords date back to the 90s when I was so clever to choose unguessable passwords and then using them over and over again. As soon as one site was compromised the whole collection was out there for the taking. I long ago beefed up currently used important places like shopping sites, financial institutions, etc. But, there's still hundreds out there that need real attention.
 

Buadhai

Another folly:

Bombich (Carbon Copy Cloner) support suggested that since I couldn't change my password on their site I should use the "forgot password" procedure. I did that and used the Safari suggested password. I told Safari to replace the existing password with the new one. Then I went in to the Keychain to copy the new password so I could paste it into 1Password. But, it wasn't there! Safari failed to update the Keychain. So, now I have no record of the new password.

It's little things like this that make the whole fix-your-passwords process an exercise in frustration.

I still can't figure out just when 1Password is able to detect that you're updating a password. Sometimes when I change a password both 1Password and the Keychain recognize the fact and ask me if I want to update the current entry or add a new one. But, sometimes 1Password seems oblivious. And, as the Bombich Incident shows, sometimes the Keychain doesn't get updated and there's no way to find out just what password Safari suggested.
 

Mr. Heckles

macrumors 6502
Mar 20, 2018
412
415
0
Around
You can disable Watchtower.

Also, why are you ignoring compromised logins?