I have been pwned!

Yesterday a friend came to me in a rather vehement state of frenzy because people were getting spam from his email account. A quick trip to haveibeenpwned confirmed that, indeed, his email address was listed in recently discovered breaches. Fortunately, his password had not been compromised so the damage was relatively minor. But when I checked my own “low security” password that I still use in a number of places, the test was positive. This means that a hacker could just waltz into those accounts and order ukuleles that I don’t want, or impersonate me in some forgotten forum that nevertheless still has followers (including the FBI), and get me into a heap of trouble. So I decided to change all of those passwords and get it over with. Read on if you’re curious as to what happened. The picture should give you a hint.

The first problem is that it’s hard to remember all the places where I used the compromised password. Essentially, I used it every time a merchant offered to make an account, which is handy for tracking purchases or complaining if something goes wrong with the orders. Needless to say, I always used my “junk” email address to keep them from spamming me till kingdom come (sorry, Yahoo Mail). That’s a lot of websites. Fortunately, since I didn’t care much about the security of those logins, I also allowed the Chrome built-in password manager to store them. Chrome knew about the compromise, so it didn’t take long to display a list of the tainted logins, 44 in total.

About half of these were websites that I only visited once and likely will never visit again, so they could wait for a phase two. Among the rest were logins that I use fairly frequently, so their passwords had to be changed, hopefully with something hard to guess and unique for each. But then, how can I possibly remember them again? I’m not going to write them down on a piece of paper or a text file, which is the perfect way to lose or compromise them all at once. I could entrust them to the Chrome password manager or an extra one (I use 1Password), but then again, those have failed me in the past. So I loaded SynthPass (which, I’m sure you know, I have developed), and decided to give it its chance to prove its mettle.

The process was simple: go to each website’s “change password” page, with the Chrome page showing my (compromised) saved logins available to look up any data that might be needed, and click the SynthPass icon. It only failed to find the password boxes on one or two occasions. I wrote my Master Password in the first box, plus the user ID for the website so the app would remember it (it won’t remember the password after a few minutes), and clicked the “Clip” button rather than “OK” so the generated password would copy to the clipboard as well (dangerous in general, but quite handy in this particular situation where websites might not want to cooperate). All the password boxes fill with the same synthetic password for the site, so I find the Old Password box and type in the old compromised one. Occasionally a website won’t take the change unless I have actually typed in the New Password boxes, but that’s easily fixed by typing a character at the end and deleting it right after. There’s also the not-so-odd website that limits password length, easily fixed by typing the length limit into SynthPass before trying again. If I see the password change has been accepted, I allow the built-in manager and 1Password to record the change, just in case, but chances are they won’t be necessary.

The good thing is that SynthPass remembers its Master Password for five minutes of inactivity, which in my case meant that I only had to type it in at the start, and then it was filled in for all the remaining password changes of the session. For the one case where SynthPass failed to detect the password boxes, I loaded the SynthPass mobile app and typed in the website name and my Master Password in order to generate the site password and copy it to the clipboard. There were a couple of hiccups with websites that didn’t take the change graciously: one offered a password reset right away, the other said the change had failed, but it hadn’t. Likely, this would have happened even without involving SynthPass.

The whole thing took about 40 minutes. Now I have all those websites under a single password, through SynthPass, and any further compromises won’t affect anything else. I’ve been logging in by simply clicking the SynthPass icon, typing my Master if it wasn’t already filled, and clicking OK. If in the future they force me to change the site password (unlikely for those), I only have to add a serial in SynthPass, which I won’t have to remember.
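To make the mechanics concrete, here is an added Python example (mine, not SynthPass's own code, and not its actual algorithm) of the kind of synthetic-password scheme described above: one Master Password plus the site name produce a per-site password, a serial rotates it when a site forces a change, and a length cap handles sites that limit password length. It also includes an offline version of the "have I been pwned" style password check from the opening, using the Pwned Passwords range format (only the first five hex characters of the SHA-1 would ever leave the machine; the comparison is local). The choice of PBKDF2 and HMAC-SHA256, the round count, the alphabet and the sample breach data are all my assumptions.

```python
"""Deterministic per-site passwords plus a local breach check (illustration only)."""
import hashlib
import hmac

# Constructed alphabet: letters, digits and a handful of symbols most sites accept.
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789"
            "!@#$%^&*-_=+")

PBKDF2_ROUNDS = 200_000  # assumed work factor; raise it as far as the device tolerates


def _site_key(master: str, site: str, serial: int) -> bytes:
    # Site name and serial go into the salt, so the slow PBKDF2 step binds the
    # key to this site and this rotation counter. Site names are normalised so
    # "Example.com " and "example.com" give the same key.
    salt = f"{site.strip().lower()}|{serial}".encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                               PBKDF2_ROUNDS, dklen=32)


def derive_site_password(master: str, site: str, serial: int = 0,
                         length: int = 20, alphabet: str = ALPHABET) -> str:
    """Derive the password for `site`; bump `serial` to rotate it, cap `length` for picky sites."""
    if not 1 <= length <= 128:
        raise ValueError("length out of range")
    if len(alphabet) > 256:
        raise ValueError("alphabet too large for byte sampling")
    key = _site_key(master, site, serial)
    # Expand the 32-byte key into a byte stream with HMAC(key, counter), then map
    # bytes onto the alphabet with rejection sampling so no character is favoured.
    limit = 256 - (256 % len(alphabet))
    out = []
    counter = 0
    while len(out) < length:
        block = hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
        for b in block:
            if b < limit:
                out.append(alphabet[b % len(alphabet)])
                if len(out) == length:
                    break
    return "".join(out)


def hibp_split(password: str) -> tuple:
    """Split SHA-1(password) into the 5-char prefix that is sent and the suffix that is kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password: str, range_lines) -> int:
    """Count how often `password` appears in a Pwned Passwords range response (0 = not listed).

    `range_lines` are 'SUFFIX:COUNT' lines for the password's 5-char SHA-1 prefix.
    """
    _, suffix = hibp_split(password)
    for line in range_lines:
        line_suffix, _, count = line.strip().partition(":")
        if line_suffix == suffix:
            return int(count)
    return 0


# Constructed stand-in for a range response: pretend "password123" was seen 3 times
# and pad with one unrelated suffix. A real response has hundreds of such lines.
SAMPLE_RANGE = [
    hibp_split("password123")[1] + ":3",
    "0" * 35 + ":1",
]


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed demo master password
    print("shop.example  :", derive_site_password(master, "shop.example"))
    print("same, serial 1:", derive_site_password(master, "shop.example", serial=1))
    print("12-char limit :", derive_site_password(master, "shop.example", length=12))
    print("'password123' breached:", pwned_count("password123", SAMPLE_RANGE), "times")
    print("master breached       :", pwned_count(master, SAMPLE_RANGE), "times")
```

Two properties worth noticing: a shorter length simply truncates the same stream, so a site's length cap does not change the characters you would otherwise get, and because nothing is stored, losing the device loses no site passwords, but a change of master password changes every site password at once.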

So, quite pleased overall. Quick, easy, safe, and free. What’s not to like? I use PassLok for Email for my encryption needs, but if you load PassLok Universal instead (it works on any web mail service), you get all the functionality of SynthPass as well. You may want to try it.
