Multiple password recovery failures

For safety, I never use the same exact password unless it’s the very generic one for services that I don’t care about at all; any service that really keeps information about me, like Amazon and various other hardware (and software) suppliers, has a different password each. I try to stick, whenever I can, with the same username; although sometimes I’m provided a username already (and sometimes they use my surname, including the accented “ò” letter that ensures funny stuff will happen).

Now, with so many different passwords, it’s almost logical that at some point I’ll forget one; I actually make use of the save-password feature in the various OSs/browsers to remember the passwords for me (on the other hand, I do change some passwords periodically). Sometimes though, when I reset Firefox, change computers, or simply use a new box, I find myself in small trouble since I can’t remember what password I was using on a given site.

This is usually not too bad since almost all sites nowadays provide a “Lost Password” feature. The problem is that such a feature is, often enough, implemented in so many bad ways:

  • don’t send me my old password! If you’re able to send me my old password, then you’re already at two failure points: the first is that you have my password saved in clear text in your database (which is bad because if your database is compromised, your users’ passwords are readable), the second is that you sent me an email, most likely through clear-text channels, with the password in clear text;
  • don’t just change my password! What if somebody else was asking for my password to be changed just to waste my time? Send me a token to change the password, please;
  • don’t just send me a permanent new password! Even though I’m smart enough to change it right away, make the password a one-time temporary password that requires me to change it right away, pretty please; this way nobody could find it in my mail archive by mistake (the stolen-laptop kind of problem).
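The three points above describe one reset flow: passwords stored only as salted hashes, a reset request that issues a random single-use token without touching the current password, and a token that expires and is consumed on first use. The following is an added example written for this post, not code from any site or project mentioned here; the in-memory `UserStore`, the `outbox` list standing in for email delivery, and the 15-minute lifetime are all assumptions chosen for illustration.

```python
"""Token-based password reset, as an added illustration of the flow described above."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

PBKDF2_ITERATIONS = 200_000       # assumed work factor; tune for your hardware
TOKEN_TTL_SECONDS = 15 * 60       # assumed token lifetime


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store only a salted PBKDF2 hash, never the clear-text password (first bullet)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


class UserStore:
    """Constructed in-memory stand-in for a real user database and mail system."""

    def __init__(self) -> None:
        self.users = {}   # username -> {"pw": hashed password, "reset": pending token or None}
        self.outbox = []  # (username, token) pairs that would be emailed; constructed stand-in

    def register(self, username: str, password: str) -> None:
        self.users[username] = {"pw": hash_password(password), "reset": None}

    def login(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        return user is not None and verify_password(password, user["pw"])

    def request_reset(self, username: str, now: Optional[float] = None) -> None:
        """Issue a token but leave the current password untouched (second bullet).

        Returns nothing either way, so a caller cannot tell whether the username exists.
        """
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            return
        token = secrets.token_urlsafe(32)
        # Only a hash of the token is kept server-side; a database leak does not leak live tokens.
        user["reset"] = {
            "token_hash": hashlib.sha256(token.encode()).hexdigest(),
            "expires": now + TOKEN_TTL_SECONDS,
        }
        self.outbox.append((username, token))  # the mail carries a token, never a password

    def complete_reset(self, username: str, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
        """Accept the token exactly once and within its lifetime (third bullet)."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None or user["reset"] is None:
            return False
        pending = user["reset"]
        user["reset"] = None  # single use: consumed on the first attempt, valid or not
        if now > pending["expires"]:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, pending["token_hash"]):
            return False
        user["pw"] = hash_password(new_password)
        return True
```

A token that has been mailed but never used is harmless after fifteen minutes, and one that has been used is harmless immediately, so a copy sitting in an old mail archive on a stolen laptop gives the thief nothing; the server also never holds anything that could be sent back to the user as "your password".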

While I’m not the kind of paranoid person who would continuously use one-time passwords (well, without considering the banking account), I’m paranoid enough to be doubtful when a service does not provide SSL-based login (okay, even my own blog does not do that, but in general I mean for important stuff), and I seriously get scared when a service that remembers – for instance – my credit card sends me an email with my password in clear text. Which is why I use different passwords in the first place.

I learnt this the hard way actually, because the ASP web application used for the forum of an ancient gaming site I was involved in stored the passwords in clear text, on an Access database file that was readable via HTTP if you knew the path; that got hacked quite easily (I only started administering that box after this happened), and I was using the same password for lots of services.