I would like to start with a little historical perspective to explain why I changed or wanted to change my passwords on more than 50 websites. As of March 16, 2021, LastPass has changed how to use its free plan. TL;DR It will not be possible to keep passwords synchronized between PC and mobile devices in the future.
So, after a quick search, I decided on Bitwarden‘s service. I was able to easily import the passwords from LastPass based on their description. (They also have guides for several other common password managers. E.g.: KeePass, 1Password, browsers: Chrome, Firefox, etc.)
Finally, I decided to subscribe to the premium membership for the first time, because of the tools available there and the favorable price. (No, I did not intend it as an advertisement, I am not being compensated for writing this.) I wanted to make my passwords a little more secure. I have to admit that someone misused my previously leaked password, which I unfortunately reused in several places. This also motivated me to change my password.
Test scenario
First of all, I wanted to change my access to the pages that used the leaked password. I tried to follow the following steps:
- Sign in to the service
- Looking for a password change
- I change my password to a random one with a maximum length (128) generated by Bitwarden and containing all kinds of characters (lower/uppercase letters, numbers and other special characters).
- Sign out/Sign in with the new password
First experiences
I quickly had to face the fact that it is not possible to change the password everywhere. Not to mention that many places set the maximum length of passwords below 30 characters. This sounds banal at first, but consider that a few years ago even 6 characters were enough for a “secure” password, and today it is 8 in many places, but in the case of sensitive data it can easily be 12 or more.
There is no option to change the password
I came across a site where you could log in, but there was neither a profile page nor the option to change your password. What is surprising is that this was relatively common and did not only occur on amateur sites, but also in state and international companies.
Fortunately, I was saved by the forgotten password option at login in most of these cases. In this case, we receive a one-time, limited-time link to the previously registered email address, which we can open to set a new password.
My worst experience was the forgotten password feature sending a newly generated (hopefully) password. I couldn’t do anything but accept it and save it for myself.
Too long
Unfortunately, in many places it is not indicated at all what rules the new password must comply with. Where there is, the minimum length is most often indicated, and somewhere this is the only stated condition. The maximum length is specified in several places in the maxlength property of the form element, which works well if it is also used at login.
The most common problem was that the newly set password was not accepted by the system because it was found to be too long. In better case, it already indicated the problem when filling it out, and I was able to modify it immediately before sending it. In a worse case, the error was only displayed after sending. In an even worse case, the system did not display why the password was not accepted. In the worst case, the system does not indicate an error and suggests that everything is fine and that the password has been set.
There was a case when the system indicated that 100 characters could be used, but after sending the form, only 20 were allowed. (Auction site)
Then, in another case, the site repeatedly claimed that it could be 20, but it did not accept it. (One of the largest online stores in Hungary)
Special characters
Unfortunately, on many websites it is still not possible to use special characters in passwords, which reduces their effectiveness. In the majority of cases, some special characters were allowed, so there were cases where they provided their own list of these usable characters.
The worst was when the rules required its use, but it did not accept the randomly generated password because it contained a character that was not allowed. However, they did not say what the allowed characters are. (Tech giant)
Misleading error message
There is nothing worse when a system lies. This is how it happened when I kept getting the message “Please enter 6 or more characters!” for my 128 character attempt. Then for 64 and 32 characters, but at the end they accepted 24. (DIY store chain)
Not to mention how much more convenient and clear it would be if the error message appeared next to the relevant field instead of at the top of the form.
Hidden menu
On some pages, the interface caused the biggest headache. There were times when I was only able to change the password by entering an address at random. There was also the case that I reached the function through a GDPR –> Account –> New password menu structure.
Positive disappointment
I was quite surprised when changing the password on one of the websites, it said that my current password had already been leaked and that the system would also check the new password I wanted to set.
Terminated account, service, deletion
Of course, I also had passwords from before that I could no longer use or did not want to use anymore. For some of them, I logged into the service so long ago that my account was deleted. And for the other part, the service itself has stopped in the meantime.
Finally, there was a site where I decided that I no longer wanted to keep my account because I did not plan to use it. Fortunately, with European services, thanks to the GDPR regulations, anyone can request the deletion of their data, even if this is not available through the menu system.
Summary
Overall, the current situation on the sites I visit is pretty sad. It is often difficult or impossible to find a password change. And once we do find it, it is rare that there is a clear description of what rules a password must comply with. There are plenty of pages where even the error messages are misleading. It is almost suspicious when you can easily find the function you are looking for on a website and it works without any problems.