My Journey with Emails and Passwords
So a while back I started getting into password managers. While I was a broke college student I was using Bitwarden. Bitwarden is an amazing free password manager and it did the job all too well. Once I got a job, however, I switched over to 1Password for better connectivity with my family's accounts (Bitwarden had a family option too but I liked 1Password's UX more). I'm not here to talk about what password manager is better or worse but I'm here to talk about my journey in updating passwords and usernames. With the whole LastPass incident running around I figured I'd just share my story.
In the beginning, like most people, I used a similar password for nearly all my websites tied to a single email. This is definitely a bad practice to follow but I didn't know much about security at the time. So I started going through my list of accounts (and oh gosh - I had so many accounts) and wanted to update the passwords.
Both BitWarden and 1Password (and I'm sure others too) have great password generators. Long string of random characters to make passwords nearly impossible to guess. They even let you pick between random passwords, memorable passwords or PIN codes:
So that's all great and dandy and off I go to update my passwords all with length 100 with a bunch random characters. Why 100? Well I counter: Why not 100? I don't need to remember any of my passwords anymore! And so there I go off updating them... Until I can't. There are some crazy login mechanisms implemented and I'll just share the list of problems I saw here:
- Some websites have a password max length (and sometimes they won't tell you what it is)
- Some websites have crazy password requirements (some special characters are allowed but not others)
- Some websites have a password max length for sign-up and a different one for login 🤯
- Some websites don't give you proper indication if a password reset worked
- Some websites have changed their password requirements over time. If I had a password with length 100 before and the new password max is now 64 then I wasn't even able to log in
- Some websites give the username + password in an HTTP response
- Some websites don't let you use the clipboard to paste passwords. However, for some websites you can check if there is an
onpasteevent. It will usually just be
onpaste="return false;"and you can just delete this from the HTML
- Some websites make you input in passwords using a digital key pad. Luckily this is also possible to get by with some HTML fiddling
I learned a lot while updating passwords. If you are responsible for your website's authentication / login flow - PLEASE test it out thoroughly from the UX side! I think I was able to figure out most things as a developer but I assume most people will be confused!
Once I updated my passwords I felt much better. 1Password's browser integration is really nice and it feels great knowing you don't have to remember any of these super long passwords. A couple years later, as I was signing into a website, I noticed that 1Password was prompting me to use Two-Factor Authentication - looking something like this:
This is taken directly off of ReadMe's blog
I looked into two factor authentication and found out that 1Password had native support for it! I was on my way to install Google Authenticator (based on the blog I was reading at the time) but that's just another medium to get through to sign in. I have nothing against Google Authenticator but, again, the native support in 1Password + the browser auto-fill is pretty convenient. So naturally I go through all my accounts again and add in two-factor authentication where possible. Not too many problems here but the biggest issue I have is with websites only using SMS-based 2FA. I have several accounts which I share with my family and getting SMS texts in the middle of the day and forwarding it to them is a hassle. I found a pretty good workaround for this later (thank you Google Voice) but initially it was a problem.
So at this point I feel pretty good. I have pretty secure passwords and added 2FA wherever I could. Several years later I started browsing a lot of Hacker News and I noticed that there were several comments about people's Google accounts randomly being disabled. I'm not going to get into specifics but that bugged me a little - especially considering I also use a Gmail account for nearly every website. After talking to my friend (he's a security engineer) he told me about email forwarding services and how he uses them to control spam and, more importantly, mask his actual email address. I thought this was a pretty great solution and the timing couldn't have been better - Apple was just announcing their Hide My Email feature. I'm a happy iCloud customer and getting unlimited email addresses was now included at no additional cost. Now this still doesn't solve the whole "oh no Google disabled my account" issue. But with Hide My Email I can easily redirect email to my Apple account if need be and that effectively solves my problem. And once again I go off updating my accounts... and of course there's a new list of problems:
- Some websites don't let you update your email
- Some websites use your email as your login and will not let you update it
- Some websites don't let you delete your account. I was doing this for very old accounts that I didn't need anymore and for websites where I thought I could re-create an account
- Some websites don't inform you if your email was updated
- Some websites allowed login with both the new email and old email
- Some websites had you "contact support" to update your email
- Some websites didn't require any extra verification to update you email address. While this is extremely convenient I personally think it's a bit concerning on the security side.
- One particular website banned the
@icloud.comdomain which was surprising
Conclusion + Final Thoughts
So, finally, after several tedious processes I was there: digitally secure... At least from the login side.
I had anonymous email addresses all being forwarded to my real email address which I could disable at any time. I had great passwords and enabled 2FA wherever I could. My logging in time for websites actually increased due to 1Password's great browser integration (disclaimer: I use Safari) and their mobile app was just as effective.
I started thinking about the conversation I had with my friend and tried to apply it to other places. Overall, my take is that having a layer of redirection between any outside entity and your personal life makes your life much more secure. In my case, Hide My Email did the job well but now I was thinking about it from other perspectives:
- For phones there are burner phone numbers you can use.
- For credit cards, there are services like Privacy which generate temporary/virtual credit cards (although I personally use a free one called Percents*)
- Some banks offer virtual account numbers
It really depends how far you want to take it! But personally I'm good with what I have done thus far.
* Shameless Plug: My Percents referral link