88

I have a lot of online accounts, web services, and so on -- personal as well as business -- so obviously(?) I use a password manager to handle them all. Specifically I use Lastpass but my question applies to any and all:

Given the Heartbleed problem and related questions, even if I wanted to change all my passwords (and shouldn't we all be doing that at regular intervals??), how in the world can I change so many passwords in an efficient manner?

If I have to visit each service and site individually and change the PW manually, it's clear that it will take a weekend of dedicated work ... password security is good and all but that's just not practical.

Update: I just used Lastpass's "security challenge" which reports that I have 274 sites and a security score over 83%. Several intranet sites at work reuse the same pw which significantly lowers my score. All my Internet accounts score above 92%.

12 Answers

61

Honestly, there is none. Not unless they offer an API where you can do remote management on your accounts. Pick and choose. Which ones are the highest priority. Bank for example you should change. Forums and other media sites could be ranked lower and changed on a need basis.

PS: I also think people are blowing this heartbleed way out of proportion.

Jason
  • 4,076
12

I'm curious what kind of answer you expect to get... A piece of software that cascades password changes over various protocols, sites, procedures, etc.? I'll bite my tongue on my opinion of the cost/benefit of actually changing all those passwords, considering any one of them could be cracked in a reasonable time frame, regardless of whether they are compromised. Instead, I'll recommend you gather contact information for each of these sites and services. Then send an e-mail to all of them requesting your password reset or to re-establish a new password on next login. I don't see any other shortcuts here.

Wutnaut
  • 726
11

Since your question probably doesn't lend itself to an easy answer, I would propose that you change the passwords of websites based on how vulnerable they make you (loss of money, loss of privacy, loss of reputation, etc.)

7

I will probably:

  • review the list for sites storing truly sensitive information
  • change those as soon as it seems clear the site is ready for that
  • change the remainder the next time I use the site or if the site requests/forces a change.

This means some of them will never be changed, because I will never use the site again, and that's the source of the efficiency gain over doing them all now. In fact this might eventually provoke a clear-up of pointless accounts. In the context of doing that, changing passwords isn't such a big operation.

I think (although I am not sure) that if I very infrequently use a site then there's relatively little chance of my password on that site having been compromised due to heartbleed. Hence the preference for sites I actually use.

The main danger of that guess being wrong is if it turns out that heartbleed has been actively exploited for a long time. Then there is plenty of opportunity for masses of passwords to have been compromised either directly via heartbleed, or by the use of private keys or admin credentials from heartbleed.

[Edit: it's starting to look like maybe heartbleed has been exploited by the NSA for about as long as it has existed. Will have to wait for more information on that, but in any case I'm not as concerned by the NSA having my passwords as you might expect. If the NSA wants my passwords then it has them, heartbleed is one of only many means by which they might acquire them. If they've had them for two years then another month until I find time to change a bunch of low-value accounts won't make a difference.]

The main danger of delaying the password change is that somebody might already have my password, but either hasn't got around to pulling it out of the GB of data they obtained using heartbleed, or else hasn't got around to using it yet. Hence the preference for more sensitive systems.

6

It's questionable whether this would actually take less work, but if you're at all handy with JavaScript, you could write yourself some sort of mini-API that (once on the correct page) sought out the correct fields and changed them for you:

https://stackoverflow.com/questions/257255/generic-way-to-fill-out-a-form-in-javascript

The upshot of this is once completed you'd have an easy go to for future changes. The downside is literally everything else about it.

4

Specifically for LastPass since you mentioned that, you could export a CSV file and submit the sites to one of the validation tools such as the one LastPass itself offers to determine which sites are even ready to have the passwords changed.

I'm sure each of the vendors is also busy creating/considering a tool to automate something equivalent (e.g., a supplement to LP's Security Challenge).

Each password manager is going to present a different challenge. For example Dashlane does not include the ability to sort passwords by date changed, although it does have a field you can re-purpose to check off passwords that have been changed or that you are going to ignore.

Update (Oct 2015) - LastPass and Dashlane (the two I've tried) and some other password managers now have a procedure/form that can make changing passwords at several hundred sites as simple as checking a box (if you trust the automation; they even know that some sites exclude/require certain special characters or mandate length). Alternatively, some take you directly to the site change page via a link, suggest a new password, and record your change.

If you like, open another browser and very quickly test the new password by using the 1 to 3 click open-and-autologin/autofill procedure for that website. Just be cognizant of how and when sync occurs.

I thought this deserved an update since we have had so many more large site cracks and network and router exploits.

BillR
  • 511
  • 2
  • 10
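As an added example (not from BillR's answer and not LastPass's own tooling), here is the kind of check an exported CSV makes possible before you start changing anything: find which entries share a password and rank them by how urgently they need a change. The column names and the sample rows are my own assumptions, constructed for the demo; they are not a documented export format or real credentials.

```python
"""Audit a password-manager CSV export for reused passwords and rank entries.

Assumed export layout (my assumption, not a vendor format): a header row with
at least the columns url, username, password, name and grouping.
"""
import csv
import hashlib
import io
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample export: three intranet sites share one password and two
# unrelated sites share another.  None of these are real credentials.
SAMPLE_EXPORT = """\
url,username,password,name,grouping
https://bank.example/login,alice,Tr0ub4dor&3,Example Bank,Finance
https://wiki.intranet.example,alice,corp-shared-pw,Intranet Wiki,Work
https://tickets.intranet.example,alice,corp-shared-pw,Intranet Tickets,Work
https://hr.intranet.example,alice,corp-shared-pw,Intranet HR,Work
https://forum.example.net,alice_f,forumpass123,Hobby Forum,Personal
https://shop.example.org,alice,forumpass123,Online Shop,Shopping
https://mail.example.com,alice,x9#Lq!2vNwa3,Mail,Personal
"""

# Groupings treated as high value (money, employer access); assumed for the demo.
HIGH_VALUE_GROUPS = {"Finance", "Work"}


def parse_export(text: str) -> List[Dict[str, str]]:
    """Read the CSV export into a list of row dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix so a report can group passwords without printing them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reuse(entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each reused password's fingerprint to the names of entries sharing it."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for row in entries:
        groups[fingerprint(row["password"])].append(row["name"])
    return {fp: sorted(names) for fp, names in groups.items() if len(names) > 1}


def prioritize(entries: List[Dict[str, str]]) -> List[Tuple[str, int, List[str]]]:
    """Rank entries: reuse weighs 2, a high-value grouping weighs 1.

    Returns (name, score, reasons) sorted by score descending, then name.
    """
    reused = find_reuse(entries)
    ranked = []
    for row in entries:
        score, reasons = 0, []
        if fingerprint(row["password"]) in reused:
            score += 2
            reasons.append("password reused")
        if row["grouping"] in HIGH_VALUE_GROUPS:
            score += 1
            reasons.append("high-value group")
        ranked.append((row["name"], score, reasons))
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for name, score, reasons in prioritize(rows):
        print(f"{score}  {name:18s} {', '.join(reasons) or 'unique, low value'}")
```

The report never echoes the plaintext passwords; grouping by a hash prefix is enough to show which entries share one. Run it against a real export only from a machine you trust, and delete the export afterwards, since the file holds every credential in the clear.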
4

Check whether you can log in with Google OpenID on some sites. That could reduce the number of passwords you need to change/manage/use.

Bookmark all 'Change password' pages and open them all in tabs together (or maybe in batches of 50). Make a script for generating a list of random passwords and copy-paste them with a copy-and-paste tool. Clean your system after doing this. Changing 50 passwords with this method won't take you more than 10 minutes, which seems a pretty reasonable time for a weekly maintenance.

Doing this, you'll change all your passwords once a month, investing 10 min. a week.
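The "script for generating a list of random passwords" from the answer above, written out as an added example (mine, not the answer's author's). It draws from the OS CSPRNG via the `secrets` module and rejects candidates until each one satisfies a per-site policy, since, as other answers note, sites differ in minimum length and in which special characters they accept. The `Policy` fields are my own assumptions about what sites typically require.

```python
"""Generate a batch of distinct random passwords that satisfy a site policy."""
import secrets
import string
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    """Assumed shape of a site's password rules (my assumption for the demo)."""
    min_length: int = 16
    need_upper: bool = True
    need_lower: bool = True
    need_digit: bool = True
    need_symbol: bool = True
    # Some sites accept only a subset of punctuation; default to a conservative set.
    symbols: str = "!@#$%^&*-_=+"


def alphabet(policy: Policy) -> str:
    """Every character the policy allows."""
    return string.ascii_letters + string.digits + policy.symbols


def meets_policy(password: str, policy: Policy) -> bool:
    """True if the password is long enough, uses only allowed characters,
    and contains every character class the policy requires."""
    if len(password) < policy.min_length:
        return False
    allowed = set(alphabet(policy))
    if any(c not in allowed for c in password):
        return False
    checks = [
        (policy.need_upper, any(c.isupper() for c in password)),
        (policy.need_lower, any(c.islower() for c in password)),
        (policy.need_digit, any(c.isdigit() for c in password)),
        (policy.need_symbol, any(c in policy.symbols for c in password)),
    ]
    return all(present for needed, present in checks if needed)


def generate_password(policy: Policy, length: Optional[int] = None) -> str:
    """Sample uniformly from the alphabet and reject until the policy holds.

    Rejection sampling keeps the result uniform over policy-conforming strings,
    unlike schemes that force one symbol into a fixed position.
    """
    if policy.need_symbol and not policy.symbols:
        raise ValueError("policy requires a symbol but allows none")
    n = policy.min_length if length is None else length
    if n < policy.min_length:
        raise ValueError("length below policy minimum")
    chars = alphabet(policy)
    while True:
        candidate = "".join(secrets.choice(chars) for _ in range(n))
        if meets_policy(candidate, policy):
            return candidate


def generate_batch(count: int, policy: Policy, length: Optional[int] = None) -> List[str]:
    """A list of distinct passwords, one per site to rotate."""
    batch = set()
    while len(batch) < count:
        batch.add(generate_password(policy, length))
    return sorted(batch)


if __name__ == "__main__":
    for pw in generate_batch(5, Policy(), length=20):
        print(pw)
```

Print the batch to the terminal rather than a file if you can, and clear the clipboard and scrollback when done; the generated list is exactly as sensitive as the manager vault it will end up in.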

1

If the systems let you connect via telnet or ssh or something similar, you could script the password changes in a relatively straightforward manner. If the password changes have to be done via a web interface, writing tooling to deal with the variations would probably be more work than it'd be worth but I'd at least try to make sure the new password was pasted in from a reliable source rather than hoping I could accurately retype it 400 times.

Federated ID systems simplify this somewhat by providing a single point to change the password for multiple systems... but of course you have to decide whether you trust those ID hubs.

NOTE: Changing passwords on a regular basis does NOT improve security as much as is commonly believed. If anything, it may encourage folks to pick inferior passwords, because picking a new good one every N months is a pain in the patootie. It only helps if you believe someone is reasonably likely to have stolen your existing password and if that password's getting out exposes something you care about or has a risk of being leveraged for rights amplification.

keshlam
  • 143
1

I do have a proposal which sounds feasible. I never tried it out myself though.

Use AHK (key/mouse event recorders). You do a batch of password changes, and log the session using AHK. Next time you want to change passwords, take out the AHK script and change the password only. You only need to play the AHK script again.

I myself use different passwords for different sites, so unless they are all leaked out, I don't need to change them all at one time.

zinking
  • 177
1

LastPass have heard you and posted a blog entry explaining how this can be done. And the bottom line is: you need to do it by hand site by site.

Also worth noting is that you should make sure the sites have been upgraded before changing your password.

assylias
  • 426
0

You can try to use the Dashlane utility, which includes a Password Changer feature (it's free) that can change dozens of passwords in a single click.

It does the heavy-lifting of replacing old passwords with strong new ones, and secures them in Dashlane where they’re remembered and typed for you.

kenorb
  • 26,615
-2

Create an Amazon Mechanical Turk task.
Make a list of your web sites, user names, and current passwords. Each HIT will give out one or more of these. Give rules for what the new password must consist of. Pay $0.01 per password. The user must go change the password for you, and report back the new password. This should get your passwords changed pretty quick. https://requester.mturk.com/