P@s$w0rdz: Updating Passwords



[image: "Password problems" by Dianna Geers, licensed under CC0 1.0;
caption: "Somebody figured out my password"]

How Do You Know When to Update?

A Password Strategy

  • A lot of passwords and accounts? How do I cope, where do I start?
  • Apply password triage -- prioritize* by importance, and update a few at a time
  • If just learning how to use a password manager, it may be best to practice first
    -- with some unimportant accounts, rather than more critical email or financial accounts.
  • Close any accounts you no longer use
    -- then there's no need to save/update.
    [image: "Toaster Password cartoon from 'Mr. Brunelle Explains it All'"
    by Robert Waldo Brunelle Jr, CC BY-SA 4.0, via Wikimedia Commons]

  • After login, change password, review password reset procedures;
    update secret answers; save recovery codes
  • Optional: turn on multi-factor authentication (MFA) when available & appropriate
  • 1Password:WatchTower can suggest accounts to review:
    Compromised, Vulnerable, Weak, Reused, Unsecured, 2FA

*Possible Order [& Type]

  1. Device(s), Password Manager [Memorable]
  2. when learning PM: some unimportant accounts for experimentation -- then the important accounts
  3. Email accounts, esp. any used for password resets [Random/Typable; 2FA]
  4. Financial institutions; sites that store credit card details, e.g., Amazon, Apple, utilities, etc. [Random; 2FA]
  5. Cloud backup services, photo storage sites, or any other services that hold especially valuable personal data [Random; 2FA]
  6. Sites with personal info (address, phone, email); social media, airlines, car rental [Random]
  7. All others, weakest first [Random]

How to Update Passwords

  • Ideally, this process could be simpler and more automatic;
    unfortunately, sites have difficult-to-find 'change password' pages
    with different steps, and different rules for acceptable passwords.
  • Remember that the account's password is stored in 2 places:
    1. remotely: the web site
    2. locally: your PM 'Login' entry contains username, password, site URL
  • So, the new password needs to be updated in 2 places:
    1) the site -- usually first, since you want to make sure the new password has been accepted
    2) the PM 'Login' entry -- save the new password to replace the previous password
  • Also, if you're using an app associated with a site, you'd need to update the password
    in that app separately later, e.g., Dropbox, Zoom, email client
  • 1Password: Change your passwords and make them stronger: Mac, Win, iOS, And
  • video: Change your passwords and make them stronger on Mac and Win

Auto-Update?

  • Several PMs offer a premium ($) feature to automatically update passwords for selected, popular sites, e.g.,
  • DashLane: Password Changer; ~500 sites
  • This sounds like an attractive feature, but which of your sites does it handle,
    how reliable/secure is it, and will complex logins work, e.g., Security Questions or 2FA?
  • Without this feature or for other sites, you still need to know how to update passwords yourself.

Manual Update #1 (macOS)

  • This section describes an update process that's straightforward for many sites,
    especially from desktop systems.
  • The process will vary depending on your OS, PM and site idiosyncrasies!
  • Exceptions and workarounds will be covered later.

Go to Correct Site & Login

  • open site; find Login button / page
    -- use your PM, a browser bookmark or an 'official' search result!
    *Do not click on possible phishing links in emails,
    or (mis)type the site address
  • Login to site: autofill, copy/paste or type ('Reveal') password from PM;
    if entered from previous source: memory, paper, file, ...,
    PM should prompt to Create New entry.
    [on right: 1PW login entry: Open & Fill; site page filled before clicking 'Sign In']

Find 'Change Password' page

  • This can sometimes be the hardest task since every site is different!
  • Where is it: User name/icon; Account; Settings; Profile; Security, ...?
  • [on right: menu bar: "My Account"; Account page: Username & Password]
  • You could use "Forgot Password" when logging in to reset password
    -- with an expected email, it's actually ok to click on that link!
    (Of course, without strong device password and timeouts/locks,
    hackers with physical access to your locked device could
    access your still-logged-in email application,
    receive the 'Forgot Password' reset email, and change your accounts' passwords).

Change Password page: Fill-in Old password

  • page might include up to 3 fields:
    1. old password -- Fill from PM or wait & copy later;
    2. new password -- PM generates for you;
    3. confirm new password -- PM fills that in too;
    if page includes password 'hint' field, leave it blank -- or enter "none".
  • Fill old password: autofill from PM,
    or manually copy/paste password from login entry.
    [on right: login page; ready to autofill Old password field from PM entry]

Change Password page: Generate and Fill-in New password

  • Your PM can generate random, strong passwords more easily than you can
    -- save your brain for more important things.
  • One simple option is to "Use Suggested Password" from 1PW's menu [on right]
  • Although the suggested password may be adequate and compatible with most sites' rules,
    it's not particularly strong -- only ~16 characters long?
  • Also, this triggers 1PW's update dialog before finding out whether site will accept the new password;
    if site rejects it (and you've already saved in 1PW), you may need to recover 'old' (current site) password (View Password History) and try again.
  • Current suggestion: edit the login entry in 1PW app.
    Generate new password of desired type and strength there.
    Use (copied to but not yet saved in field); Copy new password to clipboard;
    Paste into site's form fields. Submit.
    If site accepts password, Save the login entry already containing new password.
    If site rejects password, generate a new one and add Note about site's rules for future reference.
  • [on right: both New and Retype fields filled with suggested password]

Update Password; Success?

  • 'Submit' button to update password.
    If PM has an auto-submit setting,
    that should be disabled for security reasons.
  • Check that site accepted new password:
    confirmation message or lack of error message?
  • [on right: site: "Your Password has been updated";
    1PW: pops up dialog to update a login entry]
  • If site update successful, let PM update login entry with new password.
    Update Existing: if more than one existing account, select the correct one;
    Create New: create a new account entry.
  • Site may send an email notification about changes to account information.
  • If site update failed, do not approve update of PM's login entry
    -- the old password is still in effect on site, and still stored in PM.
  • Optional: other account security settings, e.g., update recovery and contact info;
    change Secret Answers; enable MFA?
  • Exceptions section will discuss modifying password to meet site requirements,
    using stronger or more memorable/typable passwords,
    or how to get old password from PM even if you did save the invalid one accidentally,
    what to do if PM doesn't notice password update, etc.

Test

  • Log out from site, or site may have logged you out.
  • Login again using PM. Success? logout; proceed to next account to update.
  • Sometimes the site will accept the new password with no complaints,
    and the PM updated the correct login entry, but subsequent login fails.
  • Perhaps the new password was too long, and the site just truncated it rather than warning you.
  • Click "Forgot Password" on site's login page to receive a reset link via email,
    try updating with a shorter password, and add site requirements to login entry's Note field.
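
The failure described above (site accepts the new password, PM saves it, next login fails) can be reproduced with a small model. This is an added example, not code from the page or from any password manager; `ToySite`, its 16-character limit and the sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os


class ToySite:
    """Constructed stand-in for a site whose change-password form silently
    truncates input while its login form hashes everything that is typed."""

    def __init__(self, max_len=16):  # assumed limit, not taken from any real site
        self.max_len = max_len
        self.salt = os.urandom(16)
        self.stored = None

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def change_password(self, new_password):
        # No error and no warning: characters past max_len are dropped.
        self.stored = self._hash(new_password[: self.max_len])
        return "Your Password has been updated"

    def login(self, password):
        return hmac.compare_digest(self.stored, self._hash(password))


def update_and_test(site, new_password):
    """Submit the change, then log in again with what the PM saved.
    Returns (site_message, login_ok, note_for_login_entry)."""
    message = site.change_password(new_password)
    login_ok = site.login(new_password)
    note = "" if login_ok else (
        f"{len(new_password)}-char password accepted but login failed; "
        "possible silent truncation, retry with a shorter one")
    return message, login_ok, note


if __name__ == "__main__":
    site = ToySite(max_len=16)
    for pw in ("Constructed-Sample-Pw-000001", "Constructed-Pw-1"):  # 28 and 16 chars
        print(len(pw), update_and_test(site, pw))
```

The confirmation message is identical in both runs; only the follow-up login in the Test step tells them apart.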

Manual Update #2 (iOS)

  • It's easier to update passwords on a desktop system, and now in iOS/iPadOS 15.
  • Browser extensions in older iOS (14 and earlier) are not as fully integrated as desktop versions.
  • Ideally, the manual update process described earlier works on mobile devices too.
  • However, on my older iPad with older iOS 12.5.4,
    other steps were necessary -- described below.
  • "switch to (app)" = Home button double-tap to access an already-open app
  • In 1PW, select login entry
  • [on right: login entry; website: Open; or website: Copy]

Login page

  • Several login options:
  • 1. click 'website' to open in temporary mini-browser (not full Safari app)
    and auto-fill credentials
  • Otherwise, Copy website field;
    switch to browser: Paste; site menu: "Join"; login page appears.
  • 2. tap Safari browser bar : 'share' icon (box w/ arrow) at top right; actions appear.
  • [above right: action menu includes 1Password (previously added)]
  • [on right: list of suggested login entries appears; pick item to autofill]
  • 3. click Old password field; 'key icon' Password should appear above keyboard;
    however, key keyboard item did not appear for this site's login page,
    but did appear for Change Password page (later)
  • 4. switch to 1PW: select entry; Copy password;
    switch to browser: Paste into Old

Change Password page: Fill-in Old password

  • Once logged in, navigate to Change Password page.
  • Click Old password field; 'key' Passwords appears above keyboard (this time)
  • If it doesn't appear, try #1 [share icon] or #3 [1PW entry: copy] (above)
  • [on right: 'key' Passwords option]
  • Tap 'key' to see 1PW suggestions; select entry to fill Old password field
  • [on right: select 1PW login entry to autofill Old password]

Change Password page: Generate and Fill-in New password

  • Click on New password field -- popup offers no password generator option, unfortunately.
  • Switch to 1PW: select login entry, click Edit button (upper right)
  • [on right: 1PW login entry with Edit button]
  • While editing entry, click gear icon at far right of password field.
  • Adjust password length and pattern options.
  • Generate a different random password with circular refresh icon at far right.
  • Each generated password is copied into the password field.
  • Satisfied? click Done button at upper right to save New password in entry.
  • [on right: generating a password]
  • Note: the earlier manual process updated the site first, then the PM entry;
    this process updates the PM entry first, then the site.
    If your new password does not conform to the site's rules and is rejected,
    retrieve the old password from the entry's Previously Used Passwords to try again;
    see "PM, but not site, updated with new password" (below).
  • Copy the newly saved password from login entry.
  • [on right: Copy new password to clipboard]
  • Switch to browser: Paste into New field(s);
    submit change; celebrate!

Exceptions

Generate a Different Password

  • Maybe the password Suggestion does not conform to the site's rules,
    or you want a stronger or more memorable/typable password.
  • Sites have different length limits, and require / allow different characters.
  • Exceed the minimum suggestion / requirement when possible
    -- the longer, more diverse and random the better.
  • [on right: generate random 100-character sequence; Save&Copy to form]
  • The generator usually saves new password to system clipboard,
    creates a temporary 'Password' log entry containing the password,
    and pastes the password into the site's change page New field(s)
    (and hopefully does not overwrite the Old password field).
  • Unfortunately, a site might not spell out its rules until after you fail the first time!
  • In Notes field for PM's login entry, add comments about any length,
    character or 'pastability' limitations to make password updates
    for that site easier in the future.
  • [on right: new generated password appears in New and Retype fields]
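
A sketch of generating a password that fits one site's rules, using the kind of limits you would record in the login entry's Notes field. This is an added example, not 1Password's generator or code from the page; the function names, the default symbol set and the rule parameters are hypothetical.

```python
import math
import secrets
import string


def generate_password(length, symbols="!@#$%^&*-_", max_len=None,
                      require=("lower", "upper", "digit", "symbol")):
    """Random password that satisfies one site's rules.
    symbols: punctuation this site allows ("" if it allows none);
    max_len: the site's length limit, if it states one."""
    classes = {
        "lower": string.ascii_lowercase,
        "upper": string.ascii_uppercase,
        "digit": string.digits,
        "symbol": symbols,
    }
    if not symbols:
        classes.pop("symbol")
        require = tuple(name for name in require if name != "symbol")
    if max_len is not None:
        length = min(length, max_len)  # cap it here rather than let the site truncate
    if length < len(require):
        raise ValueError("length too short for the required character classes")
    alphabet = "".join(classes.values())
    # One character from each required class, the rest from the whole alphabet.
    chars = [secrets.choice(classes[name]) for name in require]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # required classes must not always come first
    return "".join(chars)


def entropy_bits(length, alphabet_size):
    """Upper bound on strength for a uniformly random password."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed rules: site allows only "-" and "_" and at most 20 characters.
    print(generate_password(100, symbols="-_", max_len=20))
    print(round(entropy_bits(16, 64)), "bits for 16 chars from a 64-char alphabet")
```

Each extra character adds log2(alphabet size) bits, which is why length matters more than exotic symbols when a site's rules allow it.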

Site, but not PM, updated with new password

  • PM may sometimes fail to recognize
    that a password change occurred on some sites.
  • If the new password is still on the system clipboard,
    paste into login entry (see below).
  • If you used password generator, another way to access the new password:
  • [on right: most recent password generated for the site; Copy]
  • macOS/iOS: Categories: Password: (site item w/ 'key icon')
  • Copy the new password from most recent (see timestamp) Password item
  • Edit the site's Login entry; paste into the entry's password field; Save
  • 1PW: If you used the password generator and can’t find the password to sign in
  • [on right: pasting new password into login entry]

PM, but not site, updated with new password; retrieve old password?

  • If you allow the PM to
    update its login entry (which now has New password),
    or you had to do this iOS reversed update sequence,
    but then learn that the site update failed,
    e.g., New password didn't meet site requirements
    or site is waiting for you to provide the old password
    as final step before completing update:
  • [on right: Mac: Password History; iPad: Previously Used Passwords]
  • To access the old password to redo or verify site changes:
  • macOS: (login entry) : Password field >
    ("v" far right) > View Password History
  • iOS: (login entry) :
    Previously Used Passwords (button at bottom)
  • [on right: Mac: Password History: previous passwords]