Taking the security challenge: Notes on reviewing and refreshing my Internet accounts

May 17, 2018

By Matthew E. Milliken

Earlier this month, Twitter announced the discovery of a bug in its security software that had caused unencrypted account passwords to be stored en masse on one of the company’s internal servers. Although there was no indication that anyone had exploited this mistake, Twitter recommended that everyone update their password.

I’d made a note on my calendar to update old passwords in mid-May anyway. So I opened up LastPass and began logging in to various services and changing passwords, Twitter among them. This is something I’ve been doing off and on for about two weeks now.

LastPass has a helpful feature called Security Challenge, and I’ve been running it regularly during my password-updating process. Security Challenge evaluates a user’s stored passwords and flags accounts that lack passwords or have passwords that are weak, duplicated (i.e., used on multiple accounts), compromised (that is, involve sites for which serious security flaws have been publicly announced) or old (ones that haven’t been changed for more than a year).

(Incidentally, I pay an annual fee to use LastPass on my computer’s web browsers and with an iPhone app; I am not a compensated endorser and have never been offered any incentives to write about LastPass.)

The service enables users to update passwords for certain websites automatically, Amazon, Facebook, Google, Twitter and Yahoo among them. I’ve never used this one-click update feature, however, because I fear that these computer-generated passwords would be impossible for me to remember.

Instead, I devise my secret phrases individually for each site. In some cases, I can remember them — or at least remember generally how they go — without any help from LastPass.

The Security Challenge breaks down results in three ways. At the top level, it assigns three percentages: the user’s overall security score, the user’s standing relative to other LastPass members and the user’s master password score. As the first number rises, the second one falls; presumably, the best standing is among the top 1 percent. The third figure is determined independently of the first two but presumably affects them.

The second level is a four-step system labeled “Improve Your Score.” It goes as follows:

• Change compromised passwords.

• Change weak passwords.

• Change reused passwords.

• Change old passwords.

When you click on each step, the text expands to show a list of accounts that belong in each category. For me, three of these steps currently show a red triangle containing a white exclamation point. I don’t reuse passwords, so a green circle containing a white check mark appears next to the third step; when I expand it, I see a larger version of the check mark and the text “You have no duplicate sites!”

But I find the Security Challenge’s third and last level to be the most helpful. Detailed Stats breaks down passwords into six categories, each accessible by clicking on a tab: All, Duplicate, Compromised, Weak, Old and Blank. To the left of each label, LastPass displays either the warning triangle or the check mark. The number of passwords appears to the right of each label.

Right now, I have 114 sites; no duplicate or blank passwords; two compromised and two weak passwords (the same two accounts appear under each of these tabs); and 55 old passwords.
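To make the Detailed Stats categories concrete, here is a small audit written for this post as an added illustration; it is not LastPass’s code, and the vault entries, the weak-password heuristic, the list of sites with announced flaws and the one-year cutoff are all constructed assumptions.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample vault entries; sites, passwords and dates are made up for illustration.
TODAY = date(2018, 5, 17)
VAULT = [
    {"site": "example-shop.test", "password": "Tr0ub4dor&3xyz", "changed": date(2016, 3, 1)},
    {"site": "example-forum.test", "password": "summer2012", "changed": date(2012, 6, 9)},
    {"site": "example-mail.test", "password": "Tr0ub4dor&3xyz", "changed": date(2018, 5, 10)},
    {"site": "example-bank.test", "password": "", "changed": date(2018, 5, 10)},
    {"site": "example-news.test", "password": "c7!Lq9#vWm2$Zp", "changed": date(2018, 5, 12)},
]
# Assumed stand-in for a feed of sites with publicly announced security flaws.
COMPROMISED_SITES = {"example-forum.test"}


def is_weak(pw: str) -> bool:
    """Assumed heuristic: fewer than 12 characters or fewer than three character classes."""
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    return len(pw) < 12 or classes < 3


def audit(vault, today=TODAY, compromised=COMPROMISED_SITES, max_age_days=365):
    """Sort vault entries into the six Detailed Stats tabs; a site may appear in several."""
    counts = Counter(e["password"] for e in vault if e["password"])
    tabs = {"All": [], "Duplicate": [], "Compromised": [], "Weak": [], "Old": [], "Blank": []}
    for e in vault:
        site, pw = e["site"], e["password"]
        tabs["All"].append(site)
        if not pw:                      # no stored password: Blank, and nothing else to grade
            tabs["Blank"].append(site)
            continue
        if counts[pw] > 1:              # same password stored for more than one site
            tabs["Duplicate"].append(site)
        if site in compromised:         # site itself has had a publicly announced flaw
            tabs["Compromised"].append(site)
        if is_weak(pw):
            tabs["Weak"].append(site)
        if today - e["changed"] > timedelta(days=max_age_days):   # unchanged for over a year
            tabs["Old"].append(site)
    return {tab: sorted(sites) for tab, sites in tabs.items()}


if __name__ == "__main__":
    for tab, sites in audit(VAULT).items():
        print(f"{tab:11s} {len(sites):3d}  {', '.join(sites)}")
```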

I’ve been chipping away at this last category. When I started, I think that I had about 80 old passwords. As I’ve gone to each site, I’ve discovered a few that either no longer exist or no longer require individual passwords. TweetDeck is an example of the latter: The platform was acquired by Twitter in 2011; late in 2013, the site and its associated applications stopped demanding that users sign in through individual TweetDeck accounts.

In one case, a website didn’t recognize my email address, so it was impossible to update my password. Either I hadn’t actually signed up for the account or the website had deleted my account for inactivity.

At any rate, I’ve been updating my passwords and expunging LastPass records for defunct sites as appropriate. There’s still a ways to go, but I’m confident that I’m more secure than I was two weeks ago, or even one week ago.

I should note that my accounts with compromised and weak passwords — again, the same pair of sites are listed under each tab — are on sites that I have not used in years and never used much to begin with. If I were concerned that any important data of mine could be obtained through these sites, I would already have updated them.

Anyway — as my Parental Unit likes to say — “That’s my story and I’m sticking to it!”
