I recently wrote up a review here on GeekDad of the new 1Password Families password management service, and then this past week I had to put it to good use in order to protect 50 of my online accounts. What follows is a real-world example of why we all need some sort of password management system.
Last week, my employer’s head of IT security sent me an email. The email didn’t contain a lot of details but the bottom line was that my main work login ID and an associated hashed password were found online… meaning somehow someone had obtained access to my login ID and potentially my password. Now, there is no telling where this breach originated from. It’s possible it was from an online breach that happened years ago and I had already long since updated the password on that affected site because of that breach. But because my credentials popped up recently on this “nefarious” site, I had no choice but to take action.
It was suggested that I change my password for any online account that used my work login ID or email address. The reason I had to change passwords for all of these accounts is that we didn’t know which account was compromised. It could have been any of the accounts that use my work login ID or email address. Luckily I use 1Password, so all I had to do was perform a search of all of my 1Password entries that contained either my work login ID or email address, and I instantly had a list of all the accounts I had to go change the passwords for. The result… I had to change passwords for 50 accounts.
If I didn’t have a password manager of some kind, this sort of search would not have been possible (or at the very least it would have been very difficult). Some people re-use the same login and/or password, so if I had done that then I would have needed to change my password for absolutely everything. But how do you know what all of your online accounts are if they aren’t listed somewhere? The answer is you don’t.
I fear that a lot of people who get into a situation like this (and it’s happening more and more) have no way of knowing what accounts use a certain login ID or email address, so there is no way for them to go out and change their passwords for those potentially compromised accounts. The whole process was still painful and it took me over a week to slowly go through those 50 accounts and change my passwords, but in the end I knew what accounts I needed to update and was able to update them all. Would you be able to do the same?