Which Passwords Should You Change?

I was talking to someone who consults to Cadence on various aspects of security. He told me not to use his name...must be for security reasons.

He had been reading some of my posts on passwords, in particular:

• Passwords: How Even Your Bank Doesn't Know Your PIN
• Passwords: Just Add Salt
• Passwords and Multi-Factor Authentication

He suggested that it would be a great post to write about which passwords you should care about.

Choosing and Changing Passwords

Almost everyone takes a similar approach to passwords. You split the sites that you visit into two groups: the ones that matter, and the ones that you don't care about. Banks, and magazine subscriptions, are obvious examples. Here are my rules of thumb for handling passwords like this.

For the passwords that don't matter, use anything. You even have my permission to use the same password for all of them. I have a subscription to Netflix. If you manage to use it for free through my account in some way, then I really don't care. Treat that password as so not secret that you don't mind telling it to other people. It's potentially a problem for Netflix that there are groups of people sharing one subscription and its password, but that's not my problem.

For accounts you do care about, here is the #1 rule. You never use the same password as the one you use for the sites you don't care about. This is the single most important piece of advice in this whole post.

Why? Because if you turn on the news and hear that Netflix just lost everyone's passwords, you don't want to have to rush around and change a whole lot of (or even any) important passwords. I just picked Netflix as an example, since as far as I know Netflix security is world-class. But even companies "who should know better" get compromised sometimes. Facebook last year was found to be storing some passwords in the clear, which is as big a no-no as exists in the password world. If you read the posts that I linked to at the start of this post, you will know that even if a big company loses the password database, the bad guys still should not be able to find out anyone's password. Their biggest opportunity is if you make your password "12345" or "password". They can try all of the common ones, which is known as "password spray". So perhaps I should have had rule #0, don't use a password like that.

The #2 rule is to use different passwords for each account that you care about. Even if you ignore rule #2, don't ignore rule #1. Even if you use the same password for your bank and your brokerage account, don't use your Netflix password or your magazine subscription password. If your bank lets your account get compromised, you already have a big problem, and it is just incrementally worse if you used the same password for your brokerage account.

Here is the comic version of why you shouldn't use the same password for a message board (XKCD's choice for something that you don't care about) and Venmo (which is an app for transferring money, which you might not know if you don't have millennium friends or children, so a password for an account that you do care about):

The #3 rule is to turn on multi-factor-authentication (MFA), sometimes called two-factor-authentication (TFA), on any important accounts. This means that in addition to using your password to log in, you need something else. The best is a special app on your phone that gives you a code, which is how Facebook works for example. Remember, you have to unlock your phone to get to the app so this is protected by the biometrics on your phone indirectly.

Second-best is that they send you a text message with a code that you have to enter. But see below when I discuss "sim swap fraud".

For the accounts that you don't care about, it may be good practice to change the passwords occasionally. But life's too short. For the accounts that you do care about, you should change them from time to time. 

So which accounts should you care about?

Financial Institutions

Financial institutions are clearly accounts that you care about. That's so cut-and-dried, I can't really think of anything else to say other than to re-emphasize rule #1, don't use the same password as one that you use for accounts you don't care about. Ever.

Email

How important is your email? You might not think you ever receive any mail that is important and sensitive enough that you really care. But here's one thing that you might not have thought of. What happens if you forget the password to one of your accounts? They often email you a link to reset your password. The issue with this is that anyone can get them to email you a reset link, since it doesn't require your password (since you only use this facility when you've forgotten your password).

If your email is compromised by a bad guy, then immediately there are many sites that can be compromised simply by resetting the password. Not to something you know, this is the bad guy, remember. So your email password is one that you care about.

Cellphone

If you have taken good advice about passwords then you will have turned on multi-factor-authentication for any accounts that matter. If you use text messaging for the second authentication, then you need to know about "sim swap fraud". For this, the bad guy goes to the phone store, gets a cheap phone, and then says that he lost his old phone. So he needs to get the new phone he is buying initialized with "his old number" aka your number. The phone store will ask him for the password on your account. So this is another password that is important, even though at first sight all that someone can do with it is pay your phone bill for you.

Social Media

What about social media? These days so much of everyone's reputation is tied up in social media, especially when "cancel culture" can result in ostracism and job loss (or not being hired). It would be bad enough to say something stupid that you get asked about in a job interview, but even worse would be if you had lost control of your social media account and you didn't even say the stupid thing. So I think social media is up there as an account you care about.

A lot of second-tier sites allow you to log on with your Google, Facebook, or Apple password (probably others too, but those are the ones I see all the time). From a security point of view, this is probably fine, since you are relying on security from some of the most security-minded companies around. From a privacy point of view, I'm not so sure. But I'm pretty much in the Scott McNealy camp (former CEO of Sun Microsystems) when he said: "You have no privacy...get over it".

Amazon and Other Stores

Any e-commerce site that has your credit card stored is potentially a site with a password that you care about. It is great that you can buy anything on Amazon with one-click. The problem is that perhaps someone else can, too. But here's how these sites make it difficult.

You may have noticed one security feature at Amazon without thinking about it too much. If you decide to add a new shipping address, perhaps to send your Dad a birthday present, Amazon will insist that you re-enter your credit card details. Even though they already know your credit card details, and that new address is not the billing address anyway. This is so that if you are a bad guy, you can't add your own address, and then use the stored credit card in the account to order expensive merchandise. Every time you add an address, the first time that you use it, you have to prove you have the credit card. After that, it will let you use the stored details since the worst that a bad guy can do is order merchandise to be shipped to one of the existing addresses.

Some other accounts, Netflix or a magazine subscription, might have your credit card details. But there a major limits on what it can be used for due to the nature of the site. I have a subscription to The Economist and I can probably renew it without entering my credit card again. Maybe even a seminar run by The Economist. But even if the bad guy knows my password he can't order, say, jewelry since The Economist doesn't deal in jewelry.

For these sorts of sites, they usually try and make it easy for you to do things when they are pretty certain it is you (they are sending it to your home address), and reluctant when you want to do something where it might be someone else.

Automatic Login, Yes or No?

Your browser will remember passwords and log you into sites automatically. My advice is not to use this for sites you care about, only for the ones you don't. It's just another weak link since if someone gets control of your computer or phone, they can use it to automatically log into accounts where they don't know the password. The only exception I make is when the login is protected by biometrics like a fingerprint or face-recognition. I was pleased to find that my bank handles this correctly, too. I changed the password to my bank, and then when I tried to log into the app on my phone, it wouldn't let me use the biometrics any more — it insisted I enter the new password to re-enable the face-recognition.

A Conundrum

To wrap up, here's something I don't understand. When you take something back to a store like Home Depot, they refund your payment to the credit card that you used to make the original purchase. And then they get you to sign one copy of the voucher and give you the other. That seems the wrong way around to me. If anyone has to sign it, then it should be Home Depot, since they are the ones "losing money" on the deal. Nobody has ever been able to tell me why this is done. After all, as far as I'm concerned Home Depot can transfer money into my credit card account any time they want...even without my signature. It's if they charge me without my agreement that I care about.

On a normal credit card transaction, if there is anything signed, then that signature is only going to get looked at if you claim that it is a fraudulent transaction and that you never signed it. I can't think of any circumstance when anyone would want to verify the signature on that refund. Home Depot might care if, for example, they thought an employee had entered the refund as part of some fraud. But they don't have my credit card to compare my signature to, so they can't tell the difference between my signing it and someone else signing it. I can, but I don't have the signed voucher...and I don't care anyway.

Sign up for Sunday Brunch, the weekly Breakfast Bytes email.