Is there any reason to change this compromised password? And if so, how?
November 22, 2013 6:35 PM   Subscribe

My "throw-away" password is in the list of those compromised by the Adobe hack. It's a common dictionary word that I use for sites that I really don't care about security on: things that I don't even understand why they should be password protected, "test-driving" sites or products where I don't intend to keep using them, and an old email account that was for a blog that I haven't updated in about four years. (And I don't use the account any more). I'm pretty unconcerned about it being compromised. Is there any reason I should worry? And if I do want to change it, is there any way to find out what all the sites are that I have used it on in the past?

The only slight concern I have is that I use a variant of this (one extra character added so it isn't just a dictionary word) on sites where I care slightly more about security. I.e. stuff I use on a regular basis, but that doesn't contain sensitive information, e.g. an Evernote account that I use only to take and store notes during academic seminars, my to-do list manager, my metafilter account, etc. Should I change that password?

I practice good password hygiene for important stuff, by the way, so please don't lecture me. I use LastPass, and have long strings of letters and numbers that don't mean anything, and never reuse passwords for things like my bank account, primary email address, etc.
posted by lollusc to Computers & Internet (8 answers total) 5 users marked this as a favorite
 
I'm glad you asked this because I am in exactly the same boat. I personally decided not to care because I can't foresee any actual harm being done. I am not an expert, though, and would be glad to hear from someone who is.
posted by Literaryhero at 6:40 PM on November 22, 2013 [1 favorite]


Best answer: Variants will be easy to guess if 80-90% of the password is the same, so yeah, change them. The thing I'd be most worried about is if your password hint is part of the Adobe breach: threat actors can easily see which password hints match up to emails and usernames, so if there's any type of username/email match across sites and you use a variant, even an algorithmic variant, you would be wise to change your password.
posted by Annika Cicada at 7:25 PM on November 22, 2013
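An added example (not part of Annika Cicada's answer) of why a one-character variant of a leaked word is easy to guess. It treats the leaked throwaway word as known, enumerates the variants an attacker would try first (one printable character appended or prepended, then a few common suffixes), and counts how many guesses it takes to hit a salted hash of the "slightly more secure" variant. The passwords "sunshine" / "sunshine7", the candidate ordering and the cheap SHA-256 stand-in for a site's password store are all assumptions made for the demo.

```python
import hashlib
import os
import string
from itertools import product


def store_password(password, salt=None):
    """Salted SHA-256 of a password, standing in for whatever a site stores.
    The hash is deliberately cheap: the point is search-space size, not hash cost."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()


def check_password(candidate, salt, digest):
    return hashlib.sha256(salt + candidate.encode()).digest() == digest


def variant_candidates(base, alphabet=string.printable.strip(), max_extra=1):
    """Ordered guesses an attacker who already knows `base` would try first:
    the base itself, then `base` with 1..max_extra printable characters appended
    or prepended, then a few common suffixes. Order is preserved, duplicates dropped."""
    out, seen = [], set()

    def add(candidate):
        if candidate not in seen:
            seen.add(candidate)
            out.append(candidate)

    add(base)
    for n in range(1, max_extra + 1):
        for extra in product(alphabet, repeat=n):
            extra = "".join(extra)
            add(base + extra)
            add(extra + base)
    for suffix in ("123", "2013", "!!", "01"):
        add(base + suffix)
    return out


def guesses_to_crack(base, salt, digest, **kw):
    """Number of guesses from variant_candidates() until the stored hash matches,
    or None if the real password is not a simple variant of `base`."""
    for i, candidate in enumerate(variant_candidates(base, **kw), start=1):
        if check_password(candidate, salt, digest):
            return i
    return None


if __name__ == "__main__":
    # Constructed demo: leaked throwaway word "sunshine"; "sunshine7" used on other sites.
    salt, digest = store_password("sunshine7")
    n = guesses_to_crack("sunshine", salt, digest)
    total = len(variant_candidates("sunshine"))
    print(f"variant found after {n} guesses out of {total} candidates")
```

With one extra character the whole candidate list is under 200 entries, so even a slow, rate-limited login form would give it up; a genuinely unrelated password (the last assertion) is not found at all.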


You remember the Mat Honan story? I've used it as an example in presentations to lawyers about how weird and unintuitive computer security is. The thing I love about that story is how improbable the steps of the hack are -- especially the part about adding a credit card to somebody else's account.

So...how does this relate to your situation? It's probable that there's an obscure sequence of "add this email address to this system," followed by "delete that information from that system," where you can start from your compromised Adobe address and end up at an address you care about.

The question is, are you interesting enough that somebody will bother to figure out the sequence? (Where "interesting" means "famous," or "rich," or "powerful," or "outspoken," or "the NSA wants to roll you.") Only you can make that calculation, vs. the value of your time to change the passwords and make the sequence more complicated.

FWIW, I consider myself modestly tin-foil-hat, and I used to use a throwaway password for stupid accounts, the same way you apparently did. I no longer do that -- I use a unique password everywhere, save the ones I care about, and rely on Firefox to remember the ones I don't. (If Firefox forgets it for some reason, I can always recover it somehow, or ... I'll create a new account. Whatever.) But I never bothered to go back and change the old throwaway passwords. I'm vulnerable, certainly, but I'm also not very interesting. (I hope this answer doesn't change the latter fact!)
posted by spacewrench at 8:41 PM on November 22, 2013 [1 favorite]


Response by poster: Yes, my password hint is part of it, but that hint still only points to that throwaway password, so I'm not sure why that makes it worse? I've never used that password hint with a username I care about.

Good point about the variant, though. I've now gone ahead and changed that in the couple of places I can remember using it.
posted by lollusc at 9:28 PM on November 22, 2013


Response by poster: Oh wait, I get it. You mean if I use the same password hint for the straight password and for the variant. Which yes, I might well do. But as I said, I've changed the variant ones now (where I remember). Any tips on tracking down where else I might have used it?
posted by lollusc at 9:30 PM on November 22, 2013


Best answer: Try searching your email inbox for "action required to activate". It'll pull up the bog-standard account activation email you get from a lot of these throwaway sites/forums/services/etc. Also try stuff like "registration" or "confirm."
posted by Rhaomi at 9:47 PM on November 22, 2013 [1 favorite]
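An added example (not Rhaomi's code) that automates the inbox search suggested above: it reads a mailbox in mbox format (what most mail clients and Gmail's export produce), matches the subject and plain-text body against sign-up phrases such as "action required to activate", "registration" and "confirm", and tallies the sender domains so you get a list of places you once registered. The sample mailbox, the phrase list and the sender addresses are constructed for the demo and are not real mail.

```python
import mailbox
import os
import re
import tempfile
from collections import Counter
from email.utils import parseaddr

# Phrases that typically appear in sign-up / activation mail. Assumption for the
# demo: extend this list with whatever your own throwaway sites actually send.
SIGNUP_PATTERNS = [
    r"action required to activate",
    r"activate your account",
    r"confirm your (?:email|e-mail|account)",
    r"registration",
    r"welcome to",
]
SIGNUP_RE = re.compile("|".join(SIGNUP_PATTERNS), re.IGNORECASE)


def message_text(msg):
    """Subject plus every text/plain part of an email.message.Message."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def sender_domain(msg):
    """Domain part of the From: address, or 'unknown' if it cannot be parsed."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() or "unknown"


def find_signup_domains(mbox_path):
    """Scan an mbox file and count sign-up / activation mails per sender domain,
    most frequent first."""
    counts = Counter()
    for msg in mailbox.mbox(mbox_path):
        if SIGNUP_RE.search(message_text(msg)):
            counts[sender_domain(msg)] += 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


# Constructed sample mailbox (not real mail) so the script runs offline.
SAMPLE_MBOX = """From - Mon Nov 18 10:00:00 2013
From: noreply@forum.example
To: me@example.org
Subject: Action required to activate your account

Click the link below to activate your forum account.

From - Tue Nov 19 11:00:00 2013
From: "Example Notes" <hello@notes.example>
To: me@example.org
Subject: Welcome to Notes! Please confirm your email

Thanks for registering.

From - Wed Nov 20 12:00:00 2013
From: friend@example.net
To: me@example.org
Subject: lunch tomorrow?

Are you free at noon?

From - Thu Nov 21 13:00:00 2013
From: noreply@forum.example
To: me@example.org
Subject: Your registration is complete

You can now post.
"""


def write_sample_mbox(directory=None):
    """Write the constructed sample to a file and return its path."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "sample.mbox")
    with open(path, "w", encoding="utf-8") as f:
        f.write(SAMPLE_MBOX)
    return path


if __name__ == "__main__":
    for domain, n in find_signup_domains(write_sample_mbox()).items():
        print(f"{domain}: {n} sign-up mail(s)")
```

Point it at your own export instead of `write_sample_mbox()`; the domain list is the set of sites to visit and change, and the personal mail from friend@example.net is correctly left out.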


Best answer: LastPass has a feature that will tell you which sites have duplicate passwords, but I'm guessing that you don't have LastPass save sites that you use your throwaway password on. If for whatever reason you do, it can certainly check for you if you run the security check.
posted by zsazsa at 10:35 PM on November 22, 2013
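An added example (not LastPass's own security check) of the same kind of audit run over a CSV export of a password vault: it groups entries by password to find exact reuse, and also flags entries whose password is another entry's password with a short prefix or suffix added, which is exactly the variant situation in the question. The column layout in the sample is an assumption about the LastPass export format (url,username,password,totp,extra,name,grouping,fav); check it against the header of your own export. The vault contents are constructed for the demo.

```python
import csv
import io
from collections import defaultdict

# Constructed vault export (not a real one). Header is an assumption about
# the LastPass CSV layout; adjust the column names if your export differs.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
http://forum.example,lollusc,hunter2,,,Forum,Throwaway,0
http://notes.example,lollusc,hunter2,,,Notes,Daily,0
http://todo.example,lollusc@example.org,hunter2x,,,To-do,Daily,0
http://bank.example,lollusc,Qw7!pL2#zV9r,,,Bank,Important,1
http://shop.example,lollusc,hunter2,,,Shop,Throwaway,0
"""


def find_reused_passwords(csv_text):
    """Groups of entry names that share one password. Only names are returned,
    never the passwords themselves, so the report is safe to paste around."""
    by_password = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_password[row["password"]].append(row["name"])
    return sorted(names for names in by_password.values() if len(names) > 1)


def find_near_variants(csv_text, max_extra=2):
    """(base_entry, variant_entry) pairs where the variant's password is the base
    password with 1..max_extra characters added at the front or the back."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    flagged = set()
    for a in rows:
        for b in rows:
            pa, pb = a["password"], b["password"]
            if pa == pb or not 1 <= len(pb) - len(pa) <= max_extra:
                continue
            if pb.startswith(pa) or pb.endswith(pa):
                flagged.add((a["name"], b["name"]))
    return sorted(flagged)


if __name__ == "__main__":
    for group in find_reused_passwords(SAMPLE_EXPORT):
        print("same password:", ", ".join(group))
    for base, variant in find_near_variants(SAMPLE_EXPORT):
        print(f"{variant!r} is a short variant of {base!r}")
```

Run it on your real export by reading the file into `csv_text`, and delete the export afterwards: a plaintext vault dump on disk is a bigger exposure than the throwaway password it was meant to find.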


Best answer: I would update the email account's password, just because email accounts are so often used for password resets and the like.
posted by hattifattener at 11:18 PM on November 22, 2013 [1 favorite]

