Password Follies and Also #LFMF

So, I lost my iPad a few weeks ago, left it in the seat pocket of an airplane.

Yes, stupid Jake is stupid.

I don’t expect to get it back, although I suppose it was lucky that the plane did not continue on to another destination, effectively lessening the hands into which it could have fallen. It would be lucky that I could use Apple’s Find My iPhone service to track it, except for the fact that it was in airplane mode. Funny, right?

One good thing about that service is that it should be able to execute a remote wipe, if my iPad ever comes back online. Actually, that’s something I was looking forward to testing, when I still had a glimmer of hope that it would be returned.

Then a week passed, and the airline still hadn’t found it. Oh well.

From what I’ve read, stolen electronics like iPads are typically wiped and resold rather than mined for data; it’s an LCD transaction. Make a quick buck on a difficult to track sale vs. break into a device and sell an identity. Still, beyond that measly PIN I used to protect the iPad, there are a lot of data in there.

So, time to reset a truckload of passwords.

Luckily, I use 1Password, so I can generate new, strong passwords easily. That should be the hard part, right? Not so much.

What I discovered is that password management isn’t as uniformly secured as it should be (or as you’d expect it to be), which gives me yet another reason to recommend that you (yes, you) invest in a password manager.

OK, most services (maybe 80%) handle your password as expected, supporting special characters, at least 20 characters, etc. Most consider these attributes of strong passwords, but that’s a debate for another time.

Among the other 20%, you’ll hit variances. I found the following oddities, which I present to you as educational fodder:

1. ZOMG some companies still send passwords in clear text via email. Wish I were kidding.

2. Some systems take hours (ahem, days) to propagate password changes. While complaining about this, I was reminded that some companies send passwords via snail mail.

3. Some companies do not tell you what characters you may use in a password on their sites, but they will accept password changes containing those forbidden characters. This will lock you out of your account and lead you to several calls to customer service. And to extreme irritation.

4. Some services that allow you to use your account to login to other places (via OAuth) do not support passwords longer than 16 characters.

5. Speaking of OAuth, you better remember to revoke access to any accounts you were using on the device you lost. Thanks to Andy Baio (@waxpancake) for that reminder.

6. Some sites do not allow pasting into their password fields, which makes it very difficult to use a strong password generator. Imagine how fun it is to type 20 random characters into an obscured form field, not once, but twice. Oh, and without any visible feedback to confirm that you’ve correctly transcribed the data from your password generator into the form field. But hey, if you didn’t, you’ll be locked out, and you can always do a password reset and try it all over again. Good times.

There you have it. Learn from my fail and don’t lose your iPad.

Find the comments.

AboutJake

a.k.a.:jkuramot

6 comments

  1. reminds me of this one:

    http://www.codinghorror.com/blog/2008/06/smart-enough-not-to-build-this-website.html

    MENSA — the organization for “geniuses” — had a password reset mechanism that sent your password in the clear. I remembered clearly Jeff Atwood making fun of them a few years back. Out of curiosity, I checked out there site again:

    http://www.mensa.org/user/password

    yarp… they STILL send you your password in the clear… but at least this time they change it for you BEFORE sending it! What security!

    yeesh…

  2. Wow, again I wish I were surprised. If only something other than username/password could be easily implemented to replace the cluster that is identity management.

  3. Nice, thanks for that 🙂 It’s an OG iPad so I doubt it would fetch much. I’m not missing it much either, surprisingly.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.