This Story Probably Won’t Make You Change Your Passwords
(Photo: Rob Pegoraro)
What’s a three-word formula for procrastination? “Change your passwords.”
We were told that back in April, when the Heartbleed vulnerability led to widespread calls to change all our passwords — except for the ones that didn’t need changing. We’re now hearing it again after Hold Security’s vague report of the theft of 1.2 billion logins by “CyberVor” Russian criminals.
Not long after Heartbleed, a flaw that could allow attackers to steal logins from thousands of allegedly secure websites, my colleague Rafe Needleman suggested that we schedule a holiday just to change our passwords.
Maybe that would make a difference. Because, so far, not much else has.
A password-manager site’s users: Meh
You might think people who already trust a password-manager service like Dashlane to save logins too complex for mere human memory would be among the first to swap out their passwords. But you’d be wrong. Only 29 percent of Dashlane’s stored passwords were changed in the month after Heartbleed broke, marketing manager Ryan Merchant reported.
That represented a significant increase from the 21 percent of Dashlane passwords changed in the prior month, but nowhere near the “Change all the passwords!” sermons being delivered at the time.
What about CyberVor? Merchant wrote that 17 percent of passwords stored with the New York- and Paris-based firm were changed in the five days after that report, versus 21 percent in the five days after Heartbleed’s appearance.
Another password-management service, Personal, couldn’t tell me how many of its passwords were changed, because it doesn’t track how and when its users change their data at all. But the founder of this D.C.-based firm, Shane Green, had a pretty good hunch about how many of his customers had bothered: very few.
“Sites don’t make it easy or consistent for users to reset passwords,” Green wrote in an email. “As someone who does change passwords regularly, it takes way too much effort.”
Going in and resetting every password every time you see another report of a widespread data breach might not be such a good idea anyway, especially if your haste leads you to pick passwords that are too short or too easily guessed. (Meanwhile, picking a strong password is getting even harder; the bad guys are catching up to the tactic of stringing together unrelated words, as Ars Technica’s Dan Goodin noted Sunday.)
And what if the data-breach report itself has holes? Hold Security’s claims have received a skeptical hearing, thanks to its failure to offer even hints about what companies or services were involved, not to mention Hold’s intention to charge people for access to the data.