Mr Speaker

Password expiration

Oh Gawker, you fool! You fell victim to one of the classic blunders - The most famous of which is "never get involved in a land war in Asia" - but only slightly less well-known is this: "Never go against 4chan, when death is on the line"! I chortled, smugly reassuring myself I was safe from this one.

Then I checked the torrent... there I was! How was this possible? I don't care for Gawker, and I certainly never logged in there. Then I remembered. Oh. I once thought I had something terribly important to say on Valleywag, many internet seasons ago - before it was killed and mushed up against the side of the Gawker empire...

Of course, at the time I was smart about it - I used my "standard sign in for useless things" password. Which would be fine, except most of the internet can be classified as a "useless thing" - so it turns out I used that password a lot. Oops.

Solution 1: the quick fix
So this morning I commence my large-scale Seek And Re-password mission: I develop a simple and vaguely-more-crack-proof system and start applying it to every site I can remember... something like: append an easy-to-work-out-in-my-mind cypher based on the service name, and subtract the first letters of the, um, something. I forget. Anyway...

Solution 2: the lazy fix
So after 20 or so password updates, I realise... I don't need a system - I can just change the passwords for random uncrackable gibberish! If I ever need to use the site again, I can just do "forgot password" and they'll give me a new one. I think this is the method I'll be using primarily from now on. But.

Solution 3: the most lazy fix (for me)
A BETTER solution for me would be to have an option (settle down, I said "option"!) when I sign up to a stupid novel new web service to automatically "expire" the password after some length of inactivity. If I don't log in for 2 months then I won't mind taking the 10 seconds to reset my password when I come back. I propose that the internet police should enforce this practice for all apps that use a site-specific user/pass mechanism.
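A sketch of how a site could implement the opt-in expiry described above, as an added example rather than code from this post or from any real service. All names (`Account`, `sweep`, `issue_reset`, `redeem_reset`), the PBKDF2 work factor and the 15-minute reset lifetime are assumptions. Expiry here deletes the stored hash, so a later database leak holds nothing to crack for dormant accounts.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

IDLE_LIMIT = 60 * 86400   # the post's "2 months" of inactivity, in seconds
RESET_TTL = 15 * 60       # assumed lifetime of an emailed reset token

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

@dataclass
class Account:
    expire_when_idle: bool    # the "option" ticked at sign-up
    last_login: float
    salt: bytes = b""
    pw_hash: bytes = b""      # empty: verifier deleted, nothing left to leak
    reset: tuple = ()         # (sha256 of token, deadline) while a reset is pending

def set_password(acct, password, now):
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash, acct.last_login = _kdf(password, acct.salt), now

def sweep(accounts, now):     # scheduled job: wipe idle, opted-in verifiers
    idle = [a for a in accounts if a.expire_when_idle and a.pw_hash
            and now - a.last_login > IDLE_LIMIT]
    for a in idle:
        a.salt = a.pw_hash = b""
    return len(idle)

def login(acct, password, now):
    sweep([acct], now)        # enforce expiry even if the job has not run yet
    if not acct.pw_hash:
        return "reset_required"
    if not hmac.compare_digest(_kdf(password, acct.salt), acct.pw_hash):
        return "denied"
    acct.last_login = now
    return "ok"

def issue_reset(acct, now):
    token = secrets.token_urlsafe(32)   # goes in the email; only its hash is kept
    acct.reset = (hashlib.sha256(token.encode()).digest(), now + RESET_TTL)
    return token

def redeem_reset(acct, token, new_password, now):
    digest = hashlib.sha256(token.encode()).digest()
    ok = (len(acct.reset) == 2 and now <= acct.reset[1]
          and hmac.compare_digest(digest, acct.reset[0]))
    if ok:
        acct.reset = ()                 # single use
        set_password(acct, new_password, now)
    return ok
```
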

Ah well, if nothing else today I learned that "Don't use the same password everywhere" was not just a figure of speech like "Make sure you back up your files".


Update: There's some discussion about this post on Hacker News. I quite like this suggestion from Ogre:

Why don't any sites, as an option, cut out the middleman and just have an "email me a login link"? No need to save a password at all, just a good-for-a-single-login link and the usual session tracking.

8 Comments

  1. Not a bad idea, but I’d call it “account expiration” instead.

    Tuesday, December 14, 2010 at 2:11 am | Permalink
  2. Ever lose control of your email address? Not all email addresses are free and forever (<3 gmail). It would be a pity if I had to reclaim a .edu or .isp email address just for the sake of logging in to some site I forsook years ago.

    Tuesday, December 14, 2010 at 2:13 am | Permalink
  3. An option you didn’t mention is to use something like KeePass to generate a random password for each site and save all of them in an encrypted file with one master password. This is the most secure method, and not much harder than just using the same password for each website.

    Tuesday, December 14, 2010 at 2:50 am | Permalink
  4. Good tips… I’m on it…

    Tuesday, December 14, 2010 at 7:19 am | Permalink
  5. I like Lastpass. Generates random gibberish for each site and then repopulates the textbox on your return (if you want it to).

    Master password controls access to the lot. With laptops or shared computers you’re best to set it to auto logout after each session.

    Tuesday, December 14, 2010 at 9:13 am | Permalink
  6. I agree with Ryan, I switched to KeePass about 2 years ago and now I only know two passwords, one to get into my computer, the other to log into KeePass. I’m a little paranoid, so I have a few backups of the KeePass file, including on an FTP server.

    I also use the iPad/iPhone app so I don’t even need to remember or type the passwords in on those devices.

    Tuesday, December 14, 2010 at 9:26 am | Permalink
  7. PasswordMaker is a good option and it has plugins for most browsers and an online generator too: http://passwordmaker.org/ – I’m still using my own rules and always forgetting them, especially because of dumb password rules: http://blog.millermedeiros.com/2010/03/dumb-passwords-rules/

    Tuesday, December 14, 2010 at 1:48 pm | Permalink
  8. Pffft. KeePass, lastpass… did you guys miss the bit where I said “I’M VERY LAZY”! Taking security precautions is not for the masses… I want other people to do it for me!

    Tuesday, December 14, 2010 at 7:08 pm | Permalink