I am obviously not recommending that you change your passwords every day. This isn't a cheesy military movie. The military is actually appallingly bad at Identity and Access Management, thanks to decades of outdated processes, an old-world, perimeter-based mindset, and constantly rotating personnel.

Many military systems still impose rigid password policies: EXACTLY 15 characters, half the special characters excluded, forced rotation every 90 days, and little or no access to a password vault. The predictable result is that users pick weaker, easy-to-remember passwords, reuse them, and simply increment them every 90 days. That is exactly the failure mode current guidance (NIST SP 800-63B) cites when it drops mandatory periodic rotation in favour of rotating only on evidence of compromise.

Or worse, they rely on piles of generic local and admin accounts, with the passwords taped to the bottom of the keyboard.

My point was that many of us have a large list of accounts, many of them very old and probably not updated in years. It would be good practice to rotate those passwords, at least back to the point at which you know, or suspect, that they were compromised. Unfortunately, for LastPass users that point is approximately the LastPass breach itself. For ALL accounts in the vault.

Most password managers record when each password was last changed, so you can check whether you've rotated a given password since Oct/Nov and reset any you haven't. Most of us have over 100 accounts in our vault, not counting whatever accounts predate the vault or were never imported from a browser, another password manager, etc.

That's not a trivial number of accounts to go through, so I recommended chipping away at it a little each day. It could take a month, but that's more realistic than trying to clean house in a weekend and tearing your hair out 16 hours in.
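One way to turn that "a little each day" plan into a queue is to export the vault and sort it by last-changed date. The script below is an added example for this post, not the original author's and not tied to any particular password manager's export format: it assumes a generic CSV export with name, url, username and last_modified (ISO 8601 date) columns, a sample of which is constructed inline. The cutoff date, the high-value name fragments and the per-day batch size are all assumed parameters you would set for yourself; the cutoff here is illustrative, not a statement of when any breach happened. Entries with no recorded date (typical of imported accounts) are deliberately treated as not rotated, since the vault cannot prove otherwise.

```python
import csv
import io
from datetime import date

# Constructed sample export; these are not real accounts. The "last_modified"
# column is assumed to be an ISO 8601 date, empty when the vault has no record
# (e.g. an entry imported from a browser without a timestamp).
SAMPLE_EXPORT = """name,url,username,last_modified
Bank,https://bank.example,alice,2023-01-15
Old Forum,https://forum.example,alice,2019-06-02
Email,https://mail.example,alice,2022-11-20
Shopping,https://shop.example,alice,2022-08-30
Streaming,https://stream.example,alice,2023-02-01
Dead Startup,https://startup.example,alice,2018-03-09
Legacy Account,https://legacy.example,alice,
"""

# Assumed cutoff: a password changed after this date counts as "rotated since
# the breach". Set it to the breach date that applies to you.
CUTOFF = date(2022, 11, 30)

# Assumed list of name fragments marking high-value accounts: anything that can
# reset other passwords goes to the front of the queue.
HIGH_VALUE = ("email", "mail", "bank")


def parse_export(text):
    """Parse a CSV vault export into dicts; a missing date becomes None."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = (row.get("last_modified") or "").strip()
        row["last_modified"] = date.fromisoformat(raw) if raw else None
        rows.append(row)
    return rows


def is_stale(row, cutoff):
    """True if the password was not changed after the cutoff.

    An entry with no recorded date is treated as stale: if the vault cannot
    prove the password was rotated, assume it was not.
    """
    return row["last_modified"] is None or row["last_modified"] <= cutoff


def stale_entries(rows, cutoff=CUTOFF):
    """Entries still needing rotation: high-value accounts first, then oldest first."""
    def priority(row):
        name = row["name"].lower()
        high_value = any(tag in name for tag in HIGH_VALUE)
        when = row["last_modified"] or date.min   # unknown date sorts as oldest
        return (not high_value, when)
    return sorted((r for r in rows if is_stale(r, cutoff)), key=priority)


def daily_batches(entries, per_day):
    """Split the rotation queue into fixed-size daily chunks."""
    return [entries[i:i + per_day] for i in range(0, len(entries), per_day)]


def plan(text, cutoff=CUTOFF, per_day=5):
    """Return the account names to rotate, grouped by day."""
    queue = stale_entries(parse_export(text), cutoff)
    return [[r["name"] for r in batch] for batch in daily_batches(queue, per_day)]


if __name__ == "__main__":
    for day, names in enumerate(plan(SAMPLE_EXPORT, per_day=2), start=1):
        print(f"Day {day}: {', '.join(names)}")
```

Against the sample data this yields three days of work: the mailbox and the undated legacy entry first, then the oldest accounts. Delete the export as soon as the queue is built; a plaintext vault dump is exactly the artifact you do not want sitting in Downloads.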

Another useful thing to consider, in addition to changing passwords and turning on MFA/2FA, is identifying accounts you no longer have any use for. Change the password and enable 2FA anyway (because you can't control how poorly the provider handles them), then send the provider a request that the account be disabled and all of your data securely deleted. Companies have proven over and over again to be terrible at data retention and account deletion, so secure yourself first, but also notify them that you require them to delete your data. At bare minimum, it signals to them that this is something people require (even if the request never gets past their service desk). It also gives you a strong case for a lawsuit if your data ISN'T properly sanitized, is poorly secured, and is eventually leaked.

It's become a bizarre point of pride to brag about how unwieldy our digital lives have become, how huge our password vaults are. It would be an awesome time to practice some digital minimization: TRY, at least, to actually shrink our footprint rather than shoving it all into a vault and never looking at it again.
