This Story Probably Won’t Make You Change Your Passwords

Rob Pegoraro
Tech Columnist
August 12, 2014

(Photo: Rob Pegoraro)

What’s a three-word formula for procrastination? “Change your passwords.”

We were told that back in April, when the Heartbleed vulnerability led to widespread calls to change all our passwords — except for the ones that didn’t need changing. We’re now hearing it again after Hold Security’s vague report of the theft of 1.2 billion logins by “CyberVor” Russian criminals.

Not long after Heartbleed, a flaw that could allow attackers to steal logins from thousands of allegedly secure websites, my colleague Rafe Needleman suggested that we schedule a holiday just to change our passwords.

Maybe that would make a difference? Because, so far, not much else has.

A password-manager site’s users: Meh
You might think people who already trust a password-manager service like Dashlane to save logins too complex for mere human memory would be among the first to swap out their passwords. But you’d be wrong. Only 29 percent of Dashlane’s stored passwords were changed in the month after Heartbleed broke, marketing manager Ryan Merchant reported.

That represented a significant increase from the 21 percent of Dashlane passwords changed in the prior month, but nowhere near the “Change all the passwords!” sermons being delivered at the time.

What about CyberVor? Merchant wrote that 17 percent of passwords stored with the New York- and Paris-based firm were changed in the five days after that report, versus 21 percent in the five days after Heartbleed’s appearance.

Another password-management service, Personal, couldn’t tell me how many of its passwords were changed, because it doesn’t track how and when its users change their data at all. But the founder of this D.C.-based firm, Shane Green, had a pretty good hunch about how many of his customers had bothered: very few.

“Sites don’t make it easy or consistent for users to reset passwords,” Green wrote in an email. “As someone who does change passwords regularly, it takes way too much effort.”

Don’t panic
Going in and resetting every password every time you see another report of a widespread data breach might not be such a good idea anyway, especially if your haste leads you to pick passwords that are too short or too easily guessed. (Meanwhile, picking a strong password is getting even harder; the bad guys are catching up to the tactic of stringing together unrelated words, as Ars Technica’s Dan Goodin noted Sunday.)

And what if the data-breach report itself has holes? Hold Security’s claims have received a skeptical hearing, thanks to its failure to offer even hints about what companies or services were involved, not to mention Hold’s intention to charge people for access to the data. 

Companies can sign up for a notification service starting at $120 a year, but Hold’s site doesn’t say what its personal identity-protection service would cost. Forgive me if that sales pitch doesn’t have me breathless with anticipation.

My old Washington Post colleague Brian Krebs vouched for Hold’s methods in a blog post (as you might expect, since he and founder Alex Holden have worked together before), but he doesn’t have much company at the moment. Veteran cryptographer Bruce Schneier’s conclusion: “This story is getting squirrelier and squirrelier.”

Hold Security’s hometown paper, the Milwaukee Journal Sentinel, caught Holden saying he had earned an engineering degree when he did not graduate. Reporters Rick Romell and Bill Glauber spoke to two security consultants who questioned Holden’s marketing as “suspicious” or “confrontational.”

Hold Security didn’t respond to a query sent through its website Sunday.

What you should do
Schneier’s post ended with an observation about the absence of “massive fraud or theft.” For that matter, Heartbleed has yet to uncork a flood of account hijackings five months after its public discovery.

To me, the best explanation for that lies in a word Schneier is fond of throwing around: resilience. The Internet keeps working because parts of it can break without taking others offline, courtesy of both its basic architecture and the diversity of software on it.

You can and should put that principle to work in your own online life. Here’s a three-step process for doing that:

1. Identify the accounts you can least afford to see compromised: the email account that helps you log in to other sites (where your password recovery emails are likely to be sent), and the social-media account that people trust to be the real, offline you. 

They’re the most tempting targets for an attacker, because each can enable so much other theft. Turn on two-step verification — where you vouch for a login by entering a one-time code sent as a text message or computed automatically by an app on your phone — and a password compromise alone won’t be able to capture those accounts.

RELATED: A Cheat Sheet For Securing Your Accounts with Two-Step Verification

If a mail service — say, the one provided by your Internet provider — doesn’t offer that option, then it’s time to consider making a switch. Two-step verification will do far more to protect you than crafting a complex password.

2. Spread your business around. Intentionally balkanizing your online and financial services does create more work for you — here’s where using a password manager like Dashlane, LastPass, or Personal’s Fill It helps — but it also lowers the potential damage from having any one account compromised.

In that respect, I’m glad Facebook gave up on trying to replace email: It makes the site less of a single point of failure.

3. Try to reduce the amount of data at risk at any one site. You can do some of this yourself — do you really need to have your credit card stored at so many online retailers? But you’ll probably have to wait and hope that the sites you use on a regular basis will drop the habit of storing all the data they possibly can about you, on the off chance it might come in handy one day. 

We, in turn, will have to trust some sites to build detailed profiles of our usage so that they can spot a suspicious login in time, just as we trust credit-card companies to spot sketchy transactions today. There’s sadly no other way, not least when we can’t count on users to pick good passwords or to activate two-step verification.

If all of this looks like a recipe for muddling through: Yes, it is. Muddling through got the Internet off the ground in the first place. It also got us through the Year 2000 bug, and it isn’t yet exhausted as a formula for keeping the online world working, more or less.

Email Rob at; follow him on Twitter at @robpegoraro.