A random thought in a random sort of randomly way that is more random than a computer’s random number generator.
There is a lot of fuss about the Heartbleed exploit, which has, for the past two years, made it possible for anyone who knew about it to read any secure communications sent over websites that were otherwise thought to be secure.
However, whenever a hack of passwords or whatevers takes place, we are exhorted to change our passwords. Today, the porn-to-food-photos service Tumblr suggested people take the day off work and change ALL their passwords, everywhere.
The thing is, just how easy is that to do?
Despite a general reluctance to leave digital droppings without cleaning them up afterwards, I have usernames and passwords all over the place.
When Adobe was hacked recently, I received an email from them, even though I have no recollection of ever opening an account. So how would I have known to change that password when I don’t even know I have an account there?
Likewise, I am job hunting at the moment, and it is baffling, and deeply frustrating, how many companies require me to create a user account just to be able to send them a copy of my CV. I am opening dozens of accounts all over the place that I will never use again.
So, here is the random suggestion.
Right now, for me to reset my password on, for example, 100 websites does indeed mean taking a day off work, trawling through years of emails to see where I have accounts, and manually resetting all those website details.
What if there were an industry standard for website password change services to accept a remotely triggered request from an authorised service?
So I go to a “give me all my accounts” webservice, and it pings my email address to every single website that supports that facility, and into my email box arrives an email with a long list of websites that replied with “yes, this email address has an account with us”.
Or something similar.
It doesn’t change the passwords, it just gives me a list of services where I have a password.
Not foolproof, and yes, miscreants will find ways to abuse it, as they do with everything eventually.
But it would make it a lot easier to ensure that I do indeed change all my passwords, or more likely look at the list and tell half of them to remove my details as I never use their service. And that is a good thing in itself.
I run a few websites, and regularly delete dead account data. If, or more likely when, my websites are hacked, I don’t want to be contacting people who last logged in 5 years ago to tell them I lost their passwords. It’s embarrassing enough with the active customer base, let alone dealing with long since former customers who probably forgot I even exist.
So, there you are — a random thought that a) companies should delete dead account data, and b) wouldn’t some universal “reset all my passwords” ping service be a damn useful thing?
Incidentally, I use LastPass to store passwords on my computer, and every account I open now uses a random password that I don’t bother remembering any more. In fact, I have no idea what the password is for the vast majority of websites I have used or reset in the past 6 months.
Of course, that is then a single point of failure, which I really don’t like, and if it goes down I need to reset all my passwords.
So, that password reset ping service would come in really handy on that day!