P@s$w0rdz: Updating Passwords

When? | Strategy | How? | Auto-Update? |
Manual Update #1 (macOS) | Manual Update #2 (iOS) |
Exceptions

---

How Do You Know When to Update?

• "Change is the one... unavoidable, irresistible, ongoing reality of the universe." ~Octavia Butler
• Just tried to change my password to 'The_Last_Jedi' but...
  Facebook wouldn't let me. Said there are too many useless characters.
• If your workplace requires password changes every 90 days,...
  just set it to the name of the current Australian Prime minister and you should be fine.

• 
  

  Change weak and reused passwords
  -- and any that may have been compromised in a data breach.

• Some sites may require a new password when you try to login;
  some sites insist on periodic password changes (obsolete, counterproductive advice);
  some sites may have upgraded minimum password requirements;
  some sites may have had a recent breach.
• You receive an email from site, or read news about account breaches or site hacks.
• You receive an email from site indicating a recent login or password / account change,
  

  
  

  or you check 'recent account activity' on site -- unexpected device or location?

• Of course, you wouldn't click on a possible phishing email link,
  but instead go to that site directly from your PM.
• Check haveibeenpwned.com* w/ username or email for exposed accounts/info
  have i been pwned? : 'pwned' (gamers): totally dominated, conclusively defeated
• 1Password automatically checks via Watchtower: Vulnerable
• Another site: HPI Identity Leak Checker
• For an exposed site where you have an account, change its password;
  After a breach, users rarely change their passwords, and when they do, they're often weaker;
  to make things worse, users' new passwords were overall more similar to passwords they use on other accounts
• For other sites, e.g., 3rd-party marketing,
  you can be angry but not particularly worried;
  do you have credit freezes & monitoring in place?
• 1Password: WatchTower checks for and highlights potential problems:
• Compromised; Vulnerable, i.e., haveibeenpwned.com
• Reused (multiple sites); Weak
• Unsecured Sites, i.e., http: -- passwords, credit card info not encrypted when sent; vs. https:
• Multi/Two-Factor Authentication Avail (TOTP)
• Expiring, e.g., credit cards, passports
• iOS: 1PW > Settings > Security > 1Password WatchTower: on
  -- may be limited in functionality, compared to desktop version 1Password plans to upgrade in future;
  when examining an individual entry, any relevant warning should appear in Red.

A Password Strategy

• A lot of passwords and accounts? How do I cope, where do I start?
• Apply password triage -- prioritize* by importance, and update a few at a time
• If just learning how to use a password manager, it may be best to practice first
  -- with some unimportant accounts, rather than more critical email or financial accounts.

• 
  

  Close any accounts you no longer use
  -- then there's no need to save/update.

• After login, change password, review password reset procedures;
  update secret answers; save recovery codes
• Optional: turn on multi-factor authentication (MFA) when available & appropriate
• 1Password:WatchTower can suggest accounts to review:
  Compromised, Vulnerable, Weak, Reused, Unsecured, 2FA

*Possible Order [& Type]

1. Device(s), Password Manager [Memorable]
2. when learning PM: some unimportant accounts for experimentation -- then the important accounts
3. Email accounts, esp. any used for password resets [Random/Typable; 2FA]
4. Financial institutions; sites that store credit card details, e.g., Amazon, Apple, utilities, etc. [Random; 2FA]
5. Cloud backup services, photo storage sites, or any other services that hold especially valuable personal data [Random; 2FA]
6. Sites with personal info (address, phone, email); social media, airlines, car rental [Random]
7. All others, weakest first [Random]

How to Update Passwords

• Ideally, this process could be simpler and more automatic;
  unfortunately, sites have difficult-to-find 'change password' pages
  with different steps, and different rules for acceptable passwords.
• Remember that the account's password is stored in 2 places:
  
• 1. remotely: the web site
• 2. locally: your PM 'Login' entry contains username, password, site URL
• So, new password needs to be updated in 2 places:
  1) the site -- usually first, since you want to make sure new password has been accepted
  2) the PM 'Login' entry -- save the new password to replace previous password
• Also, if you're using an app associated with a site, you'd need to update the password
  in that app separately later, e.g., Dropbox, Zoom, email client
• 1Password: Change your passwords and make them stronger: Mac, Win, iOS, And
• video: Change your passwords and make them stronger on Mac and Win

Auto-Update?

• Several PMs offer a premium ($) feature to automatically update passwords for selected, popular sites, e.g.,
• DashLane: Password Changer; ~500 sites
• This sounds like an attractive feature, but which of your sites does it handle,
  how reliable/secure is it, and will complex logins work, e.g., Security Questions or 2FA?
• Without this feature or for other sites, you still need to know how to update passwords yourself.

Manual Update #1 (macOS)

• This section describes an update process that's straightforward for many sites,
  especially from desktop systems.
• The process will vary depending on your OS, PM and site idiosyncracies!
• Exceptions and workarounds will be covered later.

Go to Correct Site & Login

• open site; find Login button / page
  -- use your PM, a browser bookmark or an 'official' search result!
  *Do not click on possible phishing links in emails,
  or (mis)type the site address
• Login to site: autofill, copy/paste or type ('Reveal') password from PM;
  if entered from previous source: memory, paper, file, ...,
  PM should prompt to Create New entry.
  [on right: 1PW login entry: Open & Fill; site page filled before clicking 'Sign In']

Find 'Change Password' page

• This can sometimes be the hardest task since every site is different!
• Where is it: User name/icon; Account; Settings; Profile; Security, ...?
• [on right: menu bar: "My Account"; Account page: Username & Password]
• You could use "Forgot Password" when logging in to reset password
  -- with an expected email, it's actually ok to click on that link!
  (Of course, without strong device password and timeouts/locks,
  hackers with physical access to your locked device could
  access your still-logged-in email application,
  receive the 'Forgot Password' reset email, and change your accounts passwords).

Change Password page: Fill-in Old password

• page might include up to 3 fields:
  1. old password -- Fill from PM or wait & copy later;
  2. new password -- PM generates for you;
  3. confirm new password -- PM fills that in too;
  if page includes password 'hint' field, leave it blank -- or enter "none".
• Fill old password: autofill from PM,
  or manually copy/paste password from login entry.
  [on right: login page; ready to autofill Old password field from PM entry]

Change Password page: Generate and Fill-in New password

• Your PM can generate random, strong passwords more easily than you can
  -- save your brain for more important things.
• One simple option is to "Use Suggested Password" from 1PW's menu [on right]
• Although the suggested password may be adequate and compatible with most sites' rules,
  it's not particularly strong -- only ~16 characters long?
• Also, this triggers 1PW's update dialog before finding out whether site will accept the new password;
  if site rejects it (and you've already saved in 1PW), you may need to recover 'old' (current site) password (View Password History) and try again.
• Current suggestion: edit the login entry in 1PW app.
  Generate new password of desired type and strength there.
  Use (copied to but not yet saved in field); Copy new password to clipboard;
  Paste into site's form fields. Submit.
  If site accepts password, Save the login entry already containing new password.
  If site rejects password, generate a new one and add Note about site's rules for future reference.
• [on right: both New and Retype fields filled with suggested password]

Update Password; Success?

• 'Submit' button to update password.
  If PM has an auto-submit setting,
  that should be disabled for security reasons.
• Check that site accepted new password:
  confirmation message or lack of error message?
• [on right: site: "Your Password has been updated";
  1PW: pops up dialog to update a login entry]
• If site update successful, let PM update login entry with new password.
  Update Existing: if more than one existing account, select the correct one;
  Create New: create a new account entry.
• Site may send an email notification about changes to account information.
• If site update failed, do not approve update of PM's login entry
  -- the old password is still in effect on site, and still stored in PM.
• Optional: other account security settings, e.g., update recovery and contact info;
  change Secret Answers; enable MFA?
• Exceptions section will discuss modifying password to meet site requirements,
  using stronger or more memorable/typable passwords,
  or how to get old password from PM even if you did save the invalid one accidentally,
  what to do if PM doesn't notice password update, etc.

Test

• Log out from site, or site may have logged you out.
• Login again using PM. Success? logout; proceed to next account to update.
• Sometimes the site will accept the new password with no complaints,
  and the PM updated the correct login entry, but subsequent login fails.
• Perhaps the new password was too long, and the site just truncated it rather than warned you.
• Click "Forgot Password" on site's login page to receive a reset link via email,
  try updating with a shorter password, and add site requirements to login entry's Note field.

Manual Update #2 (iOS)

• It's easier to update passwords on a desktop system, and now in iOS/iPadOS 15.
• Browser extensions in older iOS (14 and earlier) are not as fully integrated as desktop versions.
• Ideally, the manual update process described earlier works on mobile devices too.
• However on my older iPad with older iOS 12.5.4,
  other steps were necessary -- described below.
• "switch to (app)" = Home button double-tap to access an already-open app
  
• In 1PW, select login entry
• [on right: login entry; website: Open; or website: Copy]

Login page

• Several login options:
• 1. click 'website' to open in temporary mini-browser (not full Safari app)
  and auto-fill credentials
• Otherwise, Copy website field;
  switch to browser: Paste; site menu: "Join"; login page appears.
• 2. tap Safari browser bar : 'share' icon (box w/ arrow) at top right; actions appear.
• [above right: action menu includes 1Password (previously added)]
• [on right: list of suggested login entries appears; pick item to autofill]
• 3. click Old password field; 'key icon' Password should appear above keyboard;
  however, key keyboard item did not appear for this site's login page,
  but did appear for Change Password page (later)
• 4. switch to 1PW: select entry; Copy password;
  switch to browser: Paste into Old

Change Password page: Fill-in Old password

• Once logged in, navigate to Change Password page.
• Click Old password field; 'key' Passwords appears above keyboard (this time)
• If it doesn't appear, try #1 [share icon] or #3 [1PW entry: copy] (above)
• [on right: 'key' Passwords option]
• Tap 'key' to see 1PW suggestions; select entry to fill Old password field
• [on right: select 1PW login entry to autofill Old password]

Change Password page: Generate and Fill-in New password

• Click on New password field -- popup offers no password generator option, unfortunately.
• Switch to 1PW: select login entry, click Edit button (upper right)
• [on right: 1PW login entry with Edit button]
• While editing entry, click gear icon at far right of password field.
• Adjust password length and pattern options.
• Generate a different random password with circular refresh icon at far right.
• Each generated password is copied into the password field.
• Satisfied? click Done button at upper right to save New password in entry.
• [on right: generating a password]
• Note: earlier manual process updated site first, then PM entry;
  this process updates the PM entry first, then the site.
  If your new password does not conform to the site rules and is rejected,
  to try again -- retrieve the old password from the entry's Previously Used Passwords;
  see PM, but not site, updated with new password; retrieve old password (below)
• Copy the newly saved password from login entry.
• [on right: Copy new password to clipboard]
• Switch to browser: Paste into New field(s);
  submit change; celebrate!

Exceptions

• This section covers a few special situations.
• Generate a Different Password
• Site, but not PM, updated with new password
• PM, but not site, updated with new password; retrieve old password

Generate a Different Password

• Maybe the password Suggestion does not conform to the site's rules,
  or you want a stronger or more memorable/typable password.
• Sites have different length limits, and require / allow different characters.
• Exceed the minimum suggestion / requirement when possible
  -- the longer, more diverse and random the better.
• [on right: generate random 100-character sequence; Save&Copy to form]
• The generator usually saves new password to system clipboard,
  creates a temporary 'Password' log entry containing the password,
  and pastes the password into the site's change page New field(s)
  (and hopefully not overwrite the Old password field).
• Unfortunately, a site might not spell out its rules until after you fail the first time!
• In Notes field for PM's login entry, add comments about any length,
  character or 'pastability' limitations to make password updates
  for that site easier in the future.
• [on right: new generated password appears in New and Retype fields]

Site, but not PM, updated with new password

• PM may sometimes fail to recognize
  that a password change occurred on some sites.
• If the new password is still on the system clipboard,
  paste into login entry (see below) .
• If you used password generator, another way to access the new password:
• [on right: most recent password generated for the site; Copy]
• macOS/iOS: Categories: Password: (site item w/ 'key icon')
• Copy the new password from most recent (see timestamp) Password item
• Edit the site's Login entry; paste into the entry's password field; Save
• 1PW: If you used the password generator and can’t find the password to sign in
• [on right: pasting new password into login entry]

PM, but not site, updated with new password;
retrieve old password?

• If you allow the PM to
  update its login entry (which now has New password),
  or you had to do this iOS reversed update sequence,
  but then learn that the site update failed,
  e.g., New password didn't meet site requirements
  or site is waiting for you to provide the old password
  as final step before completing update:
• [on right: Mac: Password History; iPad: Previously Used Passwords]
• To access the old password to redo or verify site changes:
• macOS: (login entry) : Password field >
("v" far right) > View Password History
• iOS: (login entry) :
Previously Used Passwords (button at bottom)
• [on right: Mac: Password History: previous passwords]

---