Heartbleed shows the need for password change automation

Summary: Passwords have all sorts of problems, but the one which is hardest to solve is when you need to change a lot of them quickly, as happened after Heartbleed.

Even though Heartbleed was as serious as it gets with crypto vulnerabilities, as a practical matter we probably all overreacted. No doubt there are still many vulnerable web sites and many more users who never changed their passwords from vulnerable web sites, and the consequences haven't been catastrophic.

The theory was that since so many sites were vulnerable for so long, you should (once the site patched OpenSSL) change your password on all of them. It's unlikely that many sites were actually compromised this way and mined for credentials.

Few people would have bothered even if it were easy, but the fact remains that if you were following best practices with your passwords — making them complex and long and not reusing them, and using a password manager to make that all practical — changing all your potentially vulnerable passwords is a daunting task. It has to be a manual, one-site-at-a-time process.

When the Heartbleed smoke cleared I asked a couple of vendors about the problem and proposed a solution: a standard web API for changing site password, probably for use by password managers. The information you need to change a password — basically the URL, the userID and the old password — should all be accessible to the password manager.

Some of the potential problems, such as CAPTCHAs, are obvious, but I'd still think there is a way around them, if only through an authorization email to the account on record. Even if that email required you to follow a link and fill out a CAPTCHA it would still be far more automated for the user than if the whole process were manual.

But the vendors told me that they didn't think it could be done reliably. I still don't understand the problem, but they know a lot more about these things than I do, so I'm sure they're right. It's a damn shame. 

Automation could also be useful in non-crisis situations. One of those best practices for passwords that nobody follows is to change your passwords periodically. A good password manager could track password age and, at a predetermined interval, offer to change site passwords. If it were an automatic process I would do it.
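A sketch of the proposed exchange, added here as an example and not code from the article or from any password manager vendor: a hypothetical site-side endpoint that accepts the user ID and current password (the inputs the article names) and enforces an advertised password policy, plus a manager-side routine that rotates every stored entry older than a threshold, recording the candidate password before the call so that a lost reply cannot lock the user out. The `SiteAccount` class stands in for an HTTPS endpoint; the names and policy values are assumptions.

```python
import hashlib, hmac, os, secrets, string
from datetime import date, timedelta

# Hypothetical policy the site would advertise to the manager (assumed values)
POLICY = {"min_len": 12, "max_len": 64,
          "allowed": string.ascii_letters + string.digits + "@#$%&*~"}

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SiteAccount:
    """Site side (hypothetical): holds only a salted hash, never the password."""
    def __init__(self, user, password):
        self.user, self.salt = user, os.urandom(16)
        self.digest = _digest(password, self.salt)

    def change_password(self, user, old, new):
        # The proposed API: user ID plus the *current* password authorise the
        # change, so a caller without the old secret cannot take the account over.
        if user != self.user or not hmac.compare_digest(self.digest, _digest(old, self.salt)):
            return False
        if not (POLICY["min_len"] <= len(new) <= POLICY["max_len"]) \
                or any(c not in POLICY["allowed"] for c in new):
            return False  # policy violation is reported, not hidden in a pop-up
        self.salt = os.urandom(16)
        self.digest = _digest(new, self.salt)
        return True

def generate(policy, length=20):
    """Manager side: build a password that satisfies the advertised policy."""
    length = max(policy["min_len"], min(length, policy["max_len"]))
    return "".join(secrets.choice(policy["allowed"]) for _ in range(length))

def rotate_stale(vault, sites, today, max_age_days=180):
    """Rotate every vault entry older than max_age_days; return the URLs changed.
    vault: {url: {"user", "password", "pending", "changed" (ISO date string)}}
    sites: {url: SiteAccount} standing in for the sites' HTTPS endpoints."""
    today = date.fromisoformat(today)
    rotated = []
    for url, entry in vault.items():
        if today - date.fromisoformat(entry["changed"]) < timedelta(days=max_age_days):
            continue
        new = generate(POLICY)
        entry["pending"] = new  # persist the candidate first: if the reply is lost,
                                # the manager can retry with old and pending secrets
        if sites[url].change_password(entry["user"], entry["password"], new):
            entry["password"], entry["changed"] = new, today.isoformat()
            rotated.append(url)
        entry["pending"] = None
    return rotated
```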

One person suggested to me that I was looking at it the wrong way, and that the answer to the password problem was OAuth. The official OAuth site defines it as an "authorization framework" which "enables a third-party application to obtain limited access to an HTTP service." This is like when a site offers to let you log in with your Facebook or Google account.

I understand the theory of how OAuth does this, but OAuth has always struck me as a mess. Eran Hammer, the lead author of the OAuth 2.0 spec, felt the same and resigned from the standards committee in mid-2012. He explained his reasons in this blog entry and in the video tirade below (warning, he uses a lot of profanity):

[Warning: NSFW - Lots of profanity] RealtimeConf - "OAuth 2.0 - Looking Back and Moving On" by Eran Hammer from &yet on Vimeo.

Even the user experience with OAuth can be confusing in my experience. I'm also uncomfortable using one of these big services as my identity on some of these other services. I like to maintain the maximum flexibility on them.

The biggest reason nothing has been done about the problem is that it's way down the list of things we need to do in order to make users more secure.

Very few users have proper password practices and industry attention is certainly best-directed to addressing that. Even so, I take the fact that the problem is so difficult as a sign of potential trouble in the future.

Talkback

16 comments
  • That... is a sure fire way for hackers to take over a site.

    Automatic password changes???

    You have got to be kidding.
    jessepollard
    • I thought so too at first, but...

      If I'm understanding the premise correctly, the websites would all provide a standardized API for making password changes available to external apps, the most obvious external app being your password manager (LastPass, Keepass, etc). You could then issue a single command to your password manager to "change all passwords" or select from a list, and it would then go use that API to change a bunch of them in one single pass -- generating secure passwords using its own built-in password generator. That's brilliant. It is your password manager which is doing the automatic changing, not the website.

      I've been working through all of mine for weeks, a few at a time as I have time, changing them in order to both increase the strength and to remedy the fact that I've used the same few passwords on tons of sites. I have a whole bunch of these left to go. This sort of feature would have made it possible in just a few minutes.

      The only other requirement should be that the API will really need to be able to report to the password manager all of the rules/requirements/limitations of the site's passwords. I have never been able to create a single "password characteristic" which works on every site. Some require certain lengths that others won't allow, or I might prefer certain character types that others don't allow. Why they have maximum lengths or won't allow certain characters is beyond me -- if they're hashing properly, these shouldn't be limited at all. Minimums are understandable but not maximums. I'm really disgusted at the number of sites that stop me at 12 characters or say "you can't use that symbol in your password". Uggh. Doesn't leave me with much confidence in the security -- are they storing plaintext or just encrypting rather than hashing??????
      qaelith.2112
      • Great Idea (password manager)

        I think it would be awesome if this was placed in a password manager. I use RoboForms and it's great for creating/generating passwords. I use it for every site. They don't have a global change feature but I'm sure they will add it. I have been using them for over 6 years and have never had an email or website hacked. I also change passwords every year.
        Bsmitty42534
    • Why?

      For the hacker to execute the password change they need, at minimum, your current password, in which case you've already been pwned. In the meantime, the API call could be defined so as to require SSL. I don't see why there's a problem.
      larry@...
  • More important issues than automating password changes

    After Heartbleed, I switched to using a password manager. I changed every one of the 120+ personal and professional passwords (and this does not include some professional passwords that my employer prohibits caching in a password manager).

    A bigger problem, that should be easier to fix, would be getting web site owners to make changing passwords more convenient and also more complex. Two major US retailers have MAXIMUM password lengths of 8 and 12 characters respectively (despite the fact that they save credit card information for customer convenience). Many do not support symbols, limiting you to uppercase, lowercase and numeric. Most don't seem to tell you the limits until you enter a password and a pop-up complains "we do not like that".

    Finally, there are sites that hide the password changing process altogether. One website for downloading an app sent me a cryptic password, and there is no option to change it. WhiteHouse.gov and an investment website say that to change your password you must sign in claiming "I've lost my password", and then a link in the e-mail to the address on record gives a link to the password reset page.

    I also agree with jessepollard that automating the changes is a big risk. What I would support is a means of a web developer having a means of sending a notice to the Password Manager companies, and then users of those password managers could receive a pop-up saying "We have been notified of a password concern at XYZ website, we recommend changing your password at this time" with a link to the website for the user to go to. That way the user remains safely in control. A process such as this could be much easier to implement than your proposal.
    M.W.Jones
    • More important

      Got to agree with your suggestion, with the addition that the 'automatic' feature ought to be built into your computer or browser, not some outside link as a reminder.
      One of my gripes with a lot of destinations is that they limit you to a basic alphanumeric set of rules (numbers that must include a capital and lower case letter). I like to use a sentence with special characters in them (@#$%&*~ etc.) but at least half of the sites I use won't allow them. Using 46 characters instead of 36 might help a little. That's a big assumption since many Joe Users still think '12345' and 'Superman' are safe passwords.
      curiousgeorge1940
  • SecurID token and smartphone tokens anyone?

    Single-factor passwords are medieval technology. Tokens (hard like SecurID or software smartphone apps) are not invulnerable but they are orders of magnitude better than single-factor passwords.

    Given that nearly everyone has a smartphone these days software tokens like google authenticator should be a no brainer.
    funkyj@...
  • Passwords have reached their use-by date

    The answer to managing ridiculous numbers of ever-more-complex passwords is not making a better password manager but getting rid of passwords.

    There have been several suggestions for replacing passwords with some alternative means of proving that you are who you say you are, from fingerprints to dongles to long and un-interceptable public keys. It is no longer possible for a password to be "what you know", and so they are no longer fulfilling their original premise.
    Postulator
  • Single source of failure

    I would not use this type of service even if it was available. I am a fan of LastPass but if they ever got hacked (which, of course, will likely happen eventually ;)) I don't want there to be a mechanism whereby a hacker could instantly lock me out of all my accounts.

    But I am also not a fan of all these crazy authorization systems that require you (or your applications) to jump through all kinds of hoops just to log on. I think I would prefer to keep it simple and realize that once in a while I'm going to have to fix up a mess.
    johnd126
    • Don't want LastPass?

      I don't use LastPass, because I don't like it - but that doesn't mean it could ever be hacked for its users' passwords. LastPass and similar plugins keep the key on the user's machine(s), so they cannot read your passwords.

      That said, they do still "feel" potentially vulnerable. If you want something that is absolutely local, try Password Safe - and don't get any of the available addons/plugins (e.g. for Android). It is a stand-alone program that you can even keep on a USB key - if you are sure that you'll never lose it or have a strong enough single password. One password rules them all, and you can keep your passwords organised within it. It can allegedly open websites for you, but I have never used it. It can generate passwords, enforce password rules (including if you want to regularly reset them), and is open source. Details are at http://passwordsafe.sourceforge.net/ .
      Postulator
  • muskanDAR7578

    Your name
    muskandar1@...
  • RoboForm

    I highly agree a password manager is necessary to generate strong passwords and manage them. I've been using RoboForm for years and I highly recommend it.
    Nate457
    • Agree About Password Managers - RoboForm

      I wish they would find something better than a password, but security gurus have been talking about it forever and it's not likely to happen any time soon. So I think the password manager is the way to go. I love RoboForm because my passwords are stored on my computer. They have a cloud option, but I don't use it all the time.
      jdcohen14
      • Saw all of the positive reviews and enjoyed the article

        I saw this article and started reading, have to admit that I don't understand half of the whole Heartbleed issue. I do understand trying to remember 5-10 passwords and the thing about age is it does not make it easier. I put robocop on my computer to give it a shot, was easy enough to get set up and I feel like it may be the fix I need rather than the fix I want.
        JONielsol1962
  • 100% Agree!

    Password change automation is something that all companies that do business on the web should be implementing. Until then, I'm going to continue using Roboform to manage all of my password changes and to generate unique passwords for all of my identities!
    BillyDKid
  • Password Management

    I agree with a large portion of this article but don't see why password management is anyone's responsibility but the users'. I use a program called RoboForm to generate unique/complex passwords for all of my various accounts and it is incredibly simple to use. I definitely suggest checking out RoboForm or something similar if you are not already.
    AllanSimmons