How do I reset passwords on multiple websites easily?
One of my old email addresses was involved in the recent Whitepages breach disclosure (source: Have I Been Pwned).
I don't remember on which websites I used that email address for registration, but I would like to reset my password everywhere possible. Websites could include: Facebook, Google, Amazon, eBay, Paypal, etc. - basically the top N commonly-used or sensitive web applications/platforms.
This is particularly important as I was not using a password manager at the time and may have reused passwords.
Is there an existing way to automate initiating password resets, mainly by requesting password reset emails, on common platforms given a single email address that I have access to?
password-reset have-i-been-pwned
10
I don't see how that could work so easily as all that. You have way, way more passwords than you think. I thought I had "maybe 20" until I made a spreadsheet and came to discover I had 130. And I'm not a "signer-up" and actively try to keep that number down. Further to that, I don't agree with your idea of "top sites", you forgot Amazon, eBay and Paypal, see how it is? There are so many sites.
– Harper
Mar 27 at 20:21
1
@Harper Indeed, the number of registered sites is likely to be much bigger than anticipated. Even if not on all, my concern is how to automate password resets on at least the top N popular or critical websites. And yes, Amazon and eBay would/should be included in those - I don't claim to have that list ready or that it contains only the 5 entries I mentioned in the question (hence the "etc.")
– Islay
Mar 27 at 20:33
2
Related: API to change passwords?, and cross-site duplicate: What's an efficient way to change my 200+ account passwords?
– Fabio Turati
Mar 29 at 0:15
Automating them would only be worthwhile if you changed them regularly. You would get more security for less effort by changing them once and (continuing) using a password manager.
– Spenser Truex
Mar 30 at 3:42
I would think having a tool to automate the process would be a horrible risk. Now the hacker will be highly motivated to hack the tool rather than the sites.
– MaxW
Mar 30 at 5:36
asked Mar 27 at 11:19 by Islay; edited Mar 30 at 3:25 by Peter Mortensen
6 Answers
No, not really - they all have different processes for verifying your identity for password reset requests, and there isn't any standard for bulk password resets. For example, Apple may use a device which is registered to the account as a confirmation that it's you sending the request, while Facebook uses different schemes depending on whether you're changing your password from a device where you've previously logged in, or from a completely unrelated one.
The easiest way is probably to go through common websites (e.g. work through a list like https://en.wikipedia.org/wiki/List_of_most_popular_websites, ignoring any which you are sure don't apply), providing the email address you want to reset, and watching for reset emails. It's not perfect, but if you're changing the ones you know are sensitive (e.g. ones which have credit card details associated, or email accounts, or government systems), that's OK - you know that those accounts will have unique passwords, even if an attacker may be able to log into your abandoned MySpace (or other defunct social network) account with an old password.
answered Mar 27 at 11:45 by Matthew
8
I'd add to this that while you're in the process of doing this, I would invest a bit more time into adding these sites to a password manager (e.g. LastPass, 1Password, KeePass, Bitwarden, ...). This allows you to keep track of the accounts you have, allows you to use unique passwords for each site (which will prevent a password leaked on site A being used to log in on site B), and some even monitor your account's appearance in the HIBP database.
– BlueCacti
Mar 28 at 10:53
@BlueCacti: Definitely. That's my current setup since the past few years already.
– Islay
Mar 28 at 21:01
And this is one more reason why using a password manager is good practice. You "change" the password on those sites by letting the manager give them a unique password in the first place. Then, the breach comes (and it will come; it comes for all of us eventually) and most of the work is already done. You only need to change the failed site, because the others already used a unique password. Even better, close the account at the site that failed if you can.
– Joel Coehoorn
Mar 29 at 13:53
This is a known problem without an existing solution. Some password management tools are working on it, but it is not complete or fool-proof.
For example: https://helpdesk.lastpass.com/generating-a-password/
"Auto-Password Change will change a site's password with a single click. This feature currently supports 75 of the most popular websites. You can see the full list of supported websites below."
In general, though, when you use a password manager for all your accounts, 90% of the work you need to do is already done. You know which sites use that username/email, and you can avoid re-using passwords in the first place (or know which accounts use a shared password).
3
@emory I'm not sure that is true. An authenticated process would not expose a DoS threat to the process.
– schroeder♦
Mar 27 at 14:00
2
As I understand it, OP wants to send a message to a bunch of sites - Facebook, Google, Spotify, Netflix, etc. - saying "hey, I am pretty sure I have an account with you guys and my username is op@somedomain.com. This account has been compromised. Please lock me out." Why couldn't I do the same with all the email addresses that I know @schroeder to use?
– emory
Mar 27 at 14:10
7
@emory .... because that would be silly. And no one is talking about that. And that has nothing to do with anything I said or what the OP said.
– schroeder♦
Mar 27 at 14:14
2
@emory I still have access to the old email account, so schroeder's idea of an authenticated process to trigger the requests seems to mitigate the issue IMO.
– Islay
Mar 27 at 20:08
1
I wonder if anyone has attempted to use AI to solve this problem: teach a program what reset processes look like, where to find them on a webpage and how to submit the username/email to reset. If we are lucky this might work for a majority of websites and not a hardcoded list of fewer than 100.
– Bakuriu
Mar 28 at 18:29
One tip to help you out on your journey is that multiple sites have recently implemented the "well-known password change URL". This is something you can plug in to any (supporting) website that redirects to the page that lets you change your password.
Take the homepage of the site, and add /.well-known/change-password
to the end. Examples:
accounts.google.com/.well-known/change-password
-> https://myaccount.google.com/signinoptions/password
github.com/.well-known/change-password
-> https://github.com/settings/admin
twitter.com/.well-known/change-password
-> https://twitter.com/settings/password
meta.discourse.org/.well-known/change-password
-> https://meta.discourse.org/my/preferences/account
1
I had never heard of those. Is it trying to append itself to this list?
– Michael
Mar 30 at 2:08
Apple first implemented it in Safari, and LastPass picked it up next. There's a draft but it isn't published as an RFC yet.
– Riking
Mar 31 at 5:47
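As an added example (not code from Riking's answer, nor from any browser or password manager), here is the convention in code: a helper that derives the well-known URL from a homepage and interprets the response a client gets back, and a minimal WSGI redirect that a site operator could serve. The change-password target URL and the HTTP responses are constructed placeholders.

```python
"""Added example (not from the original answer): code for the well-known
change-password URL the answer describes.

Both sides of the convention are shown:
  * a client helper that turns a site's homepage into its well-known URL and
    interprets the HTTP response it gets back;
  * a minimal WSGI application that a site operator could mount so that the
    well-known path redirects to the real change-password page.
Everything runs offline; the target URL and responses are constructed here.
"""
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN_PATH = "/.well-known/change-password"


def well_known_change_password_url(homepage: str) -> str:
    """Return the well-known change-password URL for a site.

    Accepts a bare host ("github.com") or a full URL. Any path, query or
    fragment is dropped: the well-known path is relative to the origin.
    """
    if "://" not in homepage:
        homepage = "https://" + homepage
    parts = urlsplit(homepage)
    if not parts.netloc:
        raise ValueError(f"no host in {homepage!r}")
    return urlunsplit((parts.scheme, parts.netloc, WELL_KNOWN_PATH, "", ""))


def classify_response(status: int, location: Optional[str]) -> Tuple[str, Optional[str]]:
    """Interpret the response a client receives for the well-known URL.

    Only a redirect carrying a Location header is a positive signal. A 200 is
    ambiguous because many sites answer 200 for any path (catch-all pages,
    single-page apps), so a client must not read it as support. 404 and 410
    mean the site does not implement the URL.
    """
    if 300 <= status < 400 and location:
        return "supported", location
    if status in (404, 410):
        return "unsupported", None
    if status == 200:
        return "ambiguous", None
    return "unknown", None


def make_change_password_app(target: str) -> Callable:
    """Build a WSGI app serving the well-known redirect for one site.

    `target` is that site's real change-password page; a constructed
    placeholder such as "https://example.test/settings/password" is used below.
    """
    def app(environ, start_response):
        if environ.get("PATH_INFO") == WELL_KNOWN_PATH:
            # 303 so that a client which POSTs here is still sent on with a GET.
            start_response("303 See Other", [("Location", target),
                                              ("Content-Length", "0")])
            return [b""]
        body = b"not found"
        start_response("404 Not Found", [("Content-Type", "text/plain"),
                                          ("Content-Length", str(len(body)))])
        return [body]
    return app


def call_app(app: Callable, path: str, method: str = "GET") -> Tuple[str, Dict[str, str], bytes]:
    """Invoke a WSGI app offline; return (status line, headers, body)."""
    captured: Dict[str, object] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app({"REQUEST_METHOD": method, "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for site in ("accounts.google.com", "github.com", "twitter.com", "meta.discourse.org"):
        print(well_known_change_password_url(site))
    demo = make_change_password_app("https://example.test/settings/password")
    status, headers, _ = call_app(demo, WELL_KNOWN_PATH)
    print(status, headers["Location"])
```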
One alternative solution to identify sites that you used your email address on is to look into your browser's saved passwords.
This will allow you to see every site you have saved passwords for in your browser which might help you identify ones that need to be changed.
Obviously, this only works if you use the browser's "save password" feature.
2
So, in other words, look in your password manager. And sometimes, your password manager is your browser.
– schroeder♦
Mar 27 at 13:57
6
True, although I think most people would not consider their browser a true "password manager". This is just another suggestion that could be easy to overlook for others who are trying to find websites they forgot they registered on.
– Jacob
Mar 27 at 14:18
1
I would say "almost always, your browser is your password manager."
– ThoriumBR
Mar 27 at 14:18
It's a hard problem because the top list of websites is so personal... And what you have to lose is in no way proportional to the site's popularity on any index of popular sites.
And only you know where you might have accounts.
For instance, I consider gaming sites to be more critical than banking sites. Because there are much fewer controls and less legal peril involved in hacking MMO gaming accounts, so they are the darlings of crackers. On the other hand, if you're done with Maplestory, you may not care.
But you certainly don't need to care about your Eve Online account if you definitely never played it. Only you know this sort of thing.
If you think you might have used a site in the past, why not just try your old credential?
Why not just spam every website with password reset requests?
They're not going to cooperate with large scale automated requests of this type.
First, the website acknowledging whether an email has an account, would empower spear phishing. Scammer gets a billion emails (easy enough), they start banging the website's password reset to learn "does this email have an account here, or not?" Now they have a list of 1 million emails that do. Now they start spear-phishing those known account holders. Put them on a daily newsletter where unsubscribe requires a login, that kind of thing. This is a "many email addresses against a single site" attack. The site's best defense is to add friction to the password reset process, e.g. a CAPTCHA, or simply design the password-reset process so it tells the inquirer nothing about whether an account exists. This is even more important for sites like Ashley Madison or Furries where having an account there could be embarrassing.
Second, if a cracker managed to gain control of an email, they could simply do exactly what you're trying to do - ascertain which websites this email has an account on. With a full dossier, they can then attack those sites or simply sell the credentials for more than they could otherwise. This is a "single email vs many sites" attack. In this case, the site needs to control one-off access to the password reset function - something like a CAPTCHA is called for. And 2-factor authentication - but again, this 2FA must not disclose to the casual inquirer whether an account here exists.
Because of this, I don't see a probability of anyone writing an app to do this. The writer would find herself in a hacking "arms race" with many companies trying to stop her automation from working.
Lol...You made me google Furries and Ashley Madison...
– Aganju
Mar 27 at 22:28
The spear phishing/email enumeration isn't an issue if the mass password reset process itself requires email verification. However, good point re if a cracker managed to gain control of an email.... But then, in the case of a determined attacker, whether the manual nature of the process is enough of a deterrent - compared to the convenience afforded by its automation to genuine users - is debatable.
– Islay
Mar 28 at 21:09
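As an added example (not code from Harper's answer), here are the two defences the answer asks sites to build, beside the leaky reset behaviour that enables the enumeration it describes: an identical reply whether or not the address has an account, with the same token work done in both cases, and a per-address request budget that adds friction. Account data, tokens and the mail outbox are constructed in memory.

```python
"""Added example (not part of the original answer): the two reset-endpoint
defences the answer describes, beside the leaky behaviour they replace.

  * leaky_request_reset : answers differently depending on whether the email
    has an account, so anyone holding a list of addresses learns which ones
    are account holders (the "many emails against one site" case).
  * safe_request_reset  : same reply and same work for every address, plus a
    per-address request budget that adds the friction the answer calls for
    (the "one email against many sites" case).

Accounts, tokens and the mail outbox are in-memory and constructed here.
"""
import hashlib
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple

GENERIC_REPLY = "If an account exists for that address, a reset link has been sent."
RESET_TTL_SECONDS = 15 * 60
MAX_REQUESTS_PER_WINDOW = 3
WINDOW_SECONDS = 3600


class ResetService:
    def __init__(self, accounts: Dict[str, str], now: Callable[[], float] = time.time):
        self.accounts = accounts                         # email -> user id
        self.now = now                                   # injectable clock
        self.outbox: List[Tuple[str, str]] = []          # "sent" mails: (email, token)
        self.pending: Dict[str, Tuple[str, float]] = {}  # sha256(token) -> (uid, expiry)
        self.requests: Dict[str, List[float]] = {}       # email -> request timestamps

    # Leaky version: the account-existence oracle the answer warns about.
    def leaky_request_reset(self, email: str) -> str:
        uid = self.accounts.get(email.lower())
        if uid is None:
            return "No account with that email address."
        self._issue(email.lower(), uid)
        return "Reset email sent."

    # Hardened version: identical reply, identical work, bounded requests.
    def safe_request_reset(self, email: str) -> str:
        email = email.lower()
        if self._over_budget(email):
            return GENERIC_REPLY            # drop silently; the reply does not change
        uid = self.accounts.get(email)
        if uid is None:
            self._new_token()               # same token work, so timing matches
        else:
            self._issue(email, uid)
        return GENERIC_REPLY

    def redeem(self, token: str) -> Optional[str]:
        """Return the user id for a valid, unexpired token and burn it."""
        entry = self.pending.pop(self._digest(token), None)   # single use
        if entry is None:
            return None
        uid, expiry = entry
        return uid if self.now() <= expiry else None

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _new_token(self) -> Tuple[str, str]:
        token = secrets.token_urlsafe(32)
        return token, self._digest(token)

    def _issue(self, email: str, uid: str) -> None:
        token, digest = self._new_token()
        self.pending[digest] = (uid, self.now() + RESET_TTL_SECONDS)  # store only the hash
        self.outbox.append((email, token))

    def _over_budget(self, email: str) -> bool:
        cutoff = self.now() - WINDOW_SECONDS
        recent = [t for t in self.requests.get(email, []) if t > cutoff]
        recent.append(self.now())
        self.requests[email] = recent
        return len(recent) > MAX_REQUESTS_PER_WINDOW


if __name__ == "__main__":
    svc = ResetService({"alice@example.test": "u1"})     # constructed account
    print(svc.leaky_request_reset("alice@example.test"), "|", svc.leaky_request_reset("bob@example.test"))
    print(svc.safe_request_reset("alice@example.test"), "|", svc.safe_request_reset("bob@example.test"))
```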
You can absolutely reset passwords automatically if your password manager supports it (I use LastPass) -- even retroactively. You don't have to have created the site using LastPass in order for it to be able to reset your passwords for you. You simply have to load the credentials into it and ask it to perform the password reset function.
In LastPass, simply allow LastPass to remember your credentials for the site (typically by logging in), and then on the Edit Site window of your vault, simply select Auto Change Password below the password field.
One may not have the old password(s) anymore to load into LastPass.
– Islay
Mar 27 at 20:11
LastPass's feature also only works on some of the biggest sites, and even then not reliably (Facebook, battle.net, ...).
– Lichtbringer
Mar 27 at 22:51
This is all covered in another answer (along with the weaknesses)
– schroeder♦
Mar 28 at 9:27
1
Do not use proprietary, nonfree, closed-source password managers.
– Spenser Truex
Mar 30 at 3:46
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206218%2fhow-do-i-reset-passwords-on-multiple-websites-easily%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
6 Answers
6
active
oldest
votes
6 Answers
6
active
oldest
votes
active
oldest
votes
active
oldest
votes
No, not really - they all have different processes for verifying your identity for password reset requests, and there isn't any standard for bulk password resets. For example, Apple may use a device which is registered to the account as a confirmation that it's you sending the request, while Facebook uses different schemes depending on whether you're changing your password from a device where you've previously logged in, or from a completely unrelated one.
Easiest way is probably to go through common websites (e.g. work through a list like https://en.wikipedia.org/wiki/List_of_most_popular_websites, ignoring any which you are sure don't apply) providing the email address you want to reset, and watching for reset emails. It's not perfect, but if you're changing the ones you know are sensitive (e.g. ones which have credit card details associated, or email accounts, or government systems), that's ok - you know that those accounts will have unique passwords, even if an attacker may be able to log into your abandoned MySpace (or other defunct social network) account with an old password.
8
I'd add to this that while you're in the process of doing this, I would invest a bit more time into adding these sites to a password manager (e.g. LastPass, 1Password, KeePass, Bitwarden, ...). This allows you to keep track of the accounts you have, allows you to use unique passwords for each site (which will prevent a password leaked on site A being used to login on site B) and some even monitor your account's appearance in the HIBP database).
– BlueCacti
Mar 28 at 10:53
@BlueCacti: Definitely. That's my current setup since the past few years already.
– Islay
Mar 28 at 21:01
And this is one more reason why using a password manager is good practice. You "change" the password on those sites by letting the manager give them a unique password in the first place. Then, the breach comes (and it will come; it comes for all of us eventually) and most of the work is already done. You only need to change the failed site, because the others already used a unique password. Even better, close the account at the site that failed if you can.
– Joel Coehoorn
Mar 29 at 13:53
add a comment |
No, not really - they all have different processes for verifying your identity for password reset requests, and there isn't any standard for bulk password resets. For example, Apple may use a device which is registered to the account as a confirmation that it's you sending the request, while Facebook uses different schemes depending on whether you're changing your password from a device where you've previously logged in, or from a completely unrelated one.
Easiest way is probably to go through common websites (e.g. work through a list like https://en.wikipedia.org/wiki/List_of_most_popular_websites, ignoring any which you are sure don't apply) providing the email address you want to reset, and watching for reset emails. It's not perfect, but if you're changing the ones you know are sensitive (e.g. ones which have credit card details associated, or email accounts, or government systems), that's ok - you know that those accounts will have unique passwords, even if an attacker may be able to log into your abandoned MySpace (or other defunct social network) account with an old password.
8
I'd add to this that while you're in the process of doing this, I would invest a bit more time into adding these sites to a password manager (e.g. LastPass, 1Password, KeePass, Bitwarden, ...). This allows you to keep track of the accounts you have, allows you to use unique passwords for each site (which will prevent a password leaked on site A being used to login on site B) and some even monitor your account's appearance in the HIBP database).
– BlueCacti
Mar 28 at 10:53
@BlueCacti: Definitely. That's my current setup since the past few years already.
– Islay
Mar 28 at 21:01
And this is one more reason why using a password manager is good practice. You "change" the password on those sites by letting the manager give them a unique password in the first place. Then, the breach comes (and it will come; it comes for all of us eventually) and most of the work is already done. You only need to change the failed site, because the others already used a unique password. Even better, close the account at the site that failed if you can.
– Joel Coehoorn
Mar 29 at 13:53
add a comment |
No, not really - they all have different processes for verifying your identity for password reset requests, and there isn't any standard for bulk password resets. For example, Apple may use a device which is registered to the account as a confirmation that it's you sending the request, while Facebook uses different schemes depending on whether you're changing your password from a device where you've previously logged in, or from a completely unrelated one.
Easiest way is probably to go through common websites (e.g. work through a list like https://en.wikipedia.org/wiki/List_of_most_popular_websites, ignoring any which you are sure don't apply) providing the email address you want to reset, and watching for reset emails. It's not perfect, but if you're changing the ones you know are sensitive (e.g. ones which have credit card details associated, or email accounts, or government systems), that's ok - you know that those accounts will have unique passwords, even if an attacker may be able to log into your abandoned MySpace (or other defunct social network) account with an old password.
No, not really - they all have different processes for verifying your identity for password reset requests, and there isn't any standard for bulk password resets. For example, Apple may use a device which is registered to the account as a confirmation that it's you sending the request, while Facebook uses different schemes depending on whether you're changing your password from a device where you've previously logged in, or from a completely unrelated one.
Easiest way is probably to go through common websites (e.g. work through a list like https://en.wikipedia.org/wiki/List_of_most_popular_websites, ignoring any which you are sure don't apply) providing the email address you want to reset, and watching for reset emails. It's not perfect, but if you're changing the ones you know are sensitive (e.g. ones which have credit card details associated, or email accounts, or government systems), that's ok - you know that those accounts will have unique passwords, even if an attacker may be able to log into your abandoned MySpace (or other defunct social network) account with an old password.
answered Mar 27 at 11:45
MatthewMatthew
25k78091
25k78091
8
I'd add to this that while you're in the process of doing this, I would invest a bit more time into adding these sites to a password manager (e.g. LastPass, 1Password, KeePass, Bitwarden, ...). This allows you to keep track of the accounts you have, allows you to use unique passwords for each site (which will prevent a password leaked on site A being used to login on site B) and some even monitor your account's appearance in the HIBP database).
– BlueCacti
Mar 28 at 10:53
@BlueCacti: Definitely. That's my current setup since the past few years already.
– Islay
Mar 28 at 21:01
And this is one more reason why using a password manager is good practice. You "change" the password on those sites by letting the manager give them a unique password in the first place. Then, the breach comes (and it will come; it comes for all of us eventually) and most of the work is already done. You only need to change the failed site, because the others already used a unique password. Even better, close the account at the site that failed if you can.
– Joel Coehoorn
Mar 29 at 13:53
This is a known problem without an existing solution. Some password management tools are working on it, but it is not complete or fool-proof.
For example: https://helpdesk.lastpass.com/generating-a-password/
"Auto-Password Change will change a site’s password with a single-click. This feature currently supports 75 of the most popular websites. You can see the full list of supported websites below."
In general, though, when you use a password manager for all your accounts, 90% of the work you need to do is already done. You know which sites use that username/email, and you can avoid re-using passwords in the first place (or know which accounts use a shared password).
answered Mar 27 at 11:59
schroeder♦
78.8k30175211
3
@emory I'm not sure that is true. An authenticated process would not expose a DoS threat to the process.
– schroeder♦
Mar 27 at 14:00
2
As I understand it, OP wants to send a message to a bunch of sites - Facebook, Google, Spotify, Netflix, etc - saying "hey, I am pretty sure I have an account with you guys and my username is op@somedomain.com. This account has been compromised. Please lock me out." Why couldn't I do the same with all the email addresses that I know @schroeder to use?
– emory
Mar 27 at 14:10
7
@emory .... because that would be silly. And no one is talking about that. And that has nothing to do with anything I said or what the OP said.
– schroeder♦
Mar 27 at 14:14
2
@emory I still have access to the old email account, so schroeder's idea of an authenticated process to trigger the requests seems to mitigate the issue IMO.
– Islay
Mar 27 at 20:08
1
I wonder if anyone has attempted to use AI to solve this problem: teach a program what reset processes look like, where to find them on a webpage and how to submit the username/email to reset. If we are lucky, this might work for a majority of websites and not a hardcoded list of less than 100.
– Bakuriu
Mar 28 at 18:29
One tip to help you out on your journey is that multiple sites have recently implemented the "well-known password change URL". This is something you can plug in to any (supporting) website that redirects to the page that lets you change your password.
Take the homepage of the site and add /.well-known/change-password to the end. Examples:
accounts.google.com/.well-known/change-password -> https://myaccount.google.com/signinoptions/password
github.com/.well-known/change-password -> https://github.com/settings/admin
twitter.com/.well-known/change-password -> https://twitter.com/settings/password
meta.discourse.org/.well-known/change-password -> https://meta.discourse.org/my/preferences/account
answered Mar 29 at 5:48
Riking
25418
1
I had never heard of those. Is it trying to append itself to this list?
– Michael
Mar 30 at 2:08
Apple first implemented it in Safari, and LastPass picked it up next. There's a draft but it isn't published as an RFC yet.
– Riking
Mar 31 at 5:47
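Riking's tip works because the site itself answers that path with a redirect to its real change-password page. As an added example for this page (not code from Riking's answer or from any of the sites listed), the Python below shows both halves using only the standard library: a client-side helper that composes the well-known URL for a host, and a minimal WSGI app that a site operator could mount to serve the path. The host www.example.com and its change-password page are placeholders; the redirect target would be your own settings page.

```python
"""Added example: the well-known change-password URL, client and server side.
Stdlib only.  www.example.com and CHANGE_PASSWORD_PAGE are placeholders."""
from urllib.parse import urlsplit, urlunsplit
from wsgiref.simple_server import make_server

# Where this hypothetical site's real change-password page lives (placeholder).
CHANGE_PASSWORD_PAGE = "https://www.example.com/settings/password"
WELL_KNOWN_PATH = "/.well-known/change-password"


def well_known_url(site):
    """Client side: build the well-known URL for a site given as a bare host
    or a full URL.  Always forces https; the path must be served over TLS."""
    if "://" not in site:
        site = "https://" + site
    parts = urlsplit(site)
    return urlunsplit(("https", parts.netloc, WELL_KNOWN_PATH, "", ""))


def app(environ, start_response):
    """Server side: redirect GET/HEAD on the well-known path to the real page.
    Every other path gets a genuine 404, so a client probing for a resource
    that must not exist does not see a 200 and dismiss the redirect as noise."""
    path = environ.get("PATH_INFO", "")
    method = environ.get("REQUEST_METHOD", "GET")
    if path == WELL_KNOWN_PATH and method in ("GET", "HEAD"):
        start_response("302 Found", [
            ("Location", CHANGE_PASSWORD_PAGE),
            ("Cache-Control", "no-store"),   # let the target move without stale caches
            ("Content-Length", "0"),
        ])
        return [b""]
    body = b"not found"
    start_response("404 Not Found", [
        ("Content-Type", "text/plain"),
        ("Content-Length", str(len(body))),
    ])
    return [body]


def handle(path, method="GET"):
    """Run the app on a fake request and return (status, headers, body),
    so the behaviour can be checked without opening a socket."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": method}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(well_known_url("github.com"))
    print(handle(WELL_KNOWN_PATH)[:2])
    with make_server("127.0.0.1", 8080, app) as srv:   # local demo server
        srv.serve_forever()
```

The catch-all 404 is not decoration: the draft spec also has clients fetch a well-known path that must not exist and distrust sites that return 200 for everything, so a site that wildcards all unknown paths to its homepage will not get credit for the redirect. Keep the Location fixed to your own origin; this endpoint should never redirect to a caller-supplied URL.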
One alternative solution to identify sites that you used your email address on is to look into your browser's saved passwords.
This will allow you to see every site you have saved passwords for in your browser which might help you identify ones that need to be changed.
Obviously, this only works if you use the browser's "save password" feature.
edited Mar 27 at 13:59
schroeder♦
78.8k30175211
answered Mar 27 at 13:55
Jacob
411
2
So, in other words, look in your password manager. And sometimes, your password manager is your browser.
– schroeder♦
Mar 27 at 13:57
6
True, although I think most people would not consider their browser a true "password manager". This is just another suggestion that could be easy to overlook for others who are trying to find websites they forgot they registered on.
– Jacob
Mar 27 at 14:18
1
I would say "almost always, your browser is your password manager."
– ThoriumBR
Mar 27 at 14:18
It's a hard problem because the top list of websites is so personal... And what you have to lose is in no way proportional to the site's popularity on any index of popular sites.
And only you know where you might have accounts.
For instance, I consider gaming sites to be more critical than banking sites, because there are far fewer controls and less legal peril involved in hacking MMO gaming accounts, so they are the darlings of crackers. On the other hand, if you're done with Maplestory, you may not care.
But you certainly don't need to care about your Eve Online account if you definitely never played it. Only you know this sort of thing.
If you think you might have used a site in the past, why not just try your old credential?
Why not just spam every website with password reset requests?
They're not going to cooperate with large scale automated requests of this type.
First, a website acknowledging whether an email has an account would empower spear phishing. A scammer gets a billion emails (easy enough), then starts banging the website's password reset to learn "does this email have an account here, or not?" Now they have a list of 1 million emails that do. Now they start spear-phishing those known account holders. Put them on a daily newsletter where unsubscribe requires a login, that kind of thing. This is a "many email addresses against a single site" attack. The site's best defense is to add friction to the password reset process, e.g. a CAPTCHA, or simply design the password-reset process so it tells the inquirer nothing about whether an account exists. This is even more important for sites like Ashley Madison or Furries where having an account there could be embarrassing.
Second, if a cracker managed to gain control of an email, they could simply do exactly what you're trying to do - ascertain which websites this email has an account on. With a full dossier, they can then attack those sites or simply sell the credentials for more than they could otherwise. This is a "single email vs many sites" attack. In this case, the site needs to control one-off access to the password reset function - something like a CAPTCHA is called for. And 2-factor authentication - but again, this 2FA must not disclose to the casual inquirer whether an account here exists.
Because of this, I don't see a probability of anyone writing an app to do this. The writer would find herself in a hacking "arms race" with many companies trying to stop her automation from working.
answered Mar 27 at 21:52 – Harper
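The enumeration-resistant reset design this answer argues for (the same response whether or not the account exists, plus friction via throttling) as an added Python sketch; it is not code from the answer or from any real site, and the user table, the example.com reset URL, the limits and the single-use token store are constructed for illustration.

```python
import hashlib
import secrets
import time
from collections import defaultdict

# Constructed user store for the example: only these addresses "have an account".
USERS = {"alice@example.com": 1, "bob@example.com": 2}
RESET_TOKENS = {}              # sha256(token) -> (user_id, expiry); raw token never stored
_ATTEMPTS = defaultdict(list)  # (scope, value) -> request timestamps, for throttling
RATE_LIMIT, RATE_WINDOW, TOKEN_TTL = 3, 3600, 900
# One message for every outcome, so the response never says whether the account exists.
GENERIC_MSG = "If an account exists for that address, a reset link has been sent."


def _rate_limited(key, now):
    """Sliding-window counter: True once RATE_LIMIT requests fell inside RATE_WINDOW."""
    window = [t for t in _ATTEMPTS[key] if now - t < RATE_WINDOW]
    if len(window) >= RATE_LIMIT:
        _ATTEMPTS[key] = window
        return True
    _ATTEMPTS[key] = window + [now]
    return False


def request_password_reset(email, client_ip, send_mail, now=None):
    """'Forgot password' handler: identical (status, message) for known and unknown
    addresses; only the unobservable side effect (mail to the real owner) differs."""
    now = time.time() if now is None else now
    email = email.strip().lower()
    # Throttle per client and per address; the throttled path returns the same text.
    if _rate_limited(("ip", client_ip), now) or _rate_limited(("email", email), now):
        return 200, GENERIC_MSG
    user_id = USERS.get(email)
    if user_id is not None:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (user_id, now + TOKEN_TTL)
        send_mail(email, f"https://example.com/reset?token={token}")
    else:
        secrets.token_urlsafe(32)  # do comparable work so timing does not distinguish branches
    return 200, GENERIC_MSG


def consume_reset_token(token, now=None):
    """Redeem a token exactly once; returns the user id, or None if unknown or expired."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return None
    user_id, expires = entry
    return user_id if now < expires else None
```

A CAPTCHA, as the answer suggests, would sit in front of `request_password_reset` as additional friction; the handler itself stays indistinguishable for existing and non-existing addresses.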
Lol...You made me google Furries and Ashley Madison...
– Aganju
Mar 27 at 22:28
The spear phishing/email enumeration isn't an issue if the mass password reset process itself requires email verification. However, good point re if a cracker managed to gain control of an email.... But then, in the case of a determined attacker, whether the manual nature of the process is enough of a deterrent - compared to the convenience afforded by its automation to genuine users - is debatable.
– Islay
Mar 28 at 21:09
You can absolutely reset passwords automatically if your password manager supports it (I use LastPass) -- even retroactively. You don't have to have created the site using LastPass in order for it to be able to reset your passwords for you. You simply have to load the credentials into it and ask it to perform the password reset function.
In LastPass, simply allow LastPass to remember your credentials for the site (typically by logging in), and then on the Edit Site window of your vault, simply select Auto Change Password below the password field.
answered Mar 27 at 18:31 – bvoyelr
One may not have the old password(s) anymore to load into LastPass.
– Islay
Mar 27 at 20:11
LastPass's feature also only works on some of the biggest sites, and even then not reliably (facebook, battle.net....)
– Lichtbringer
Mar 27 at 22:51
This is all covered in another answer (along with the weaknesses)
– schroeder♦
Mar 28 at 9:27
Do not use proprietary, nonfree, closed-source password managers.
– Spenser Truex
Mar 30 at 3:46
I don't see how that could work so easily as all that. You have way, way more passwords than you think. I thought I had "maybe 20" until I made a spreadsheet and came to discover I had 130. And I'm not a "signer-up" and actively try to keep that number down. Further to that, I don't agree with your idea of "top sites", you forgot Amazon, eBay and Paypal, see how it is? There are so many sites.
– Harper
Mar 27 at 20:21
@Harper Indeed, the number of registered sites is likely to be much bigger than anticipated. Even if not on all, my concern is how to automate password resets on at least the top N popular or critical websites. And yes, Amazon and eBay would/should be included in those - I don't claim to have that list ready or that it contains only the 5 entries I mentioned in the question (hence the "etc.")
– Islay
Mar 27 at 20:33
Related: API to change passwords?, and cross-site duplicate: What's an efficient way to change my 200+ account passwords?
– Fabio Turati
Mar 29 at 0:15
Automating them would only be worthwhile if you changed them regularly. You would get more security for less effort by changing them once and (continuing) using a password manager.
– Spenser Truex
Mar 30 at 3:42
I would think having a tool to automate the process would be a horrible risk. Now the hacker will be highly motivated to hack the tool rather than the sites.
– MaxW
Mar 30 at 5:36