There’s a news story about some Russian group that has amassed a database of 1.5 billion IDs/passwords. We’re all supposed to change our passwords, just in case our data was stolen from an insecure host. Can’t. Not feasible unless somebody pays me. A lot.
I have 574 passwords in my password manager. 51 of them are “critical,” meaning that they either provide access to
- Financial accounts
- e-Commerce sites that have my credit card
- Medical records
- High-value targets (e.g. the account that can reset passwords for a big collection of email accounts.)
At 10 minutes each, I can do 51 sites in 510 minutes. Where the hell am I going to get 8.5 hours to update all my passwords just because some idiot can’t keep his server secure?
So it is time to improve the situation.
- I’m enabling 2-factor authentication everywhere I possibly can.
- I’m canceling lots of accounts. If an account doesn’t add major value to my life, it is gone. (And your rinky-dink customer loyalty program does not add enough value to be worth maintaining another account.)
Oops! Have you ever tried to cancel your online access to Discover Card? You can cancel the card, but the online account lives on. What about your Buy.com account? Nah, it is now owned by someone else, with no way to cancel.
I’m going to have to write up (or have a lawyer write up) a letter to the effect of, “If you elect not to close the account, you assume all liability associated with this account and you agree to indemnify the former account holder against all costs associated with any past or future breach.”
ID/password security is BROKEN.