Forums - Gaming Discussion - How to Audit and Update your Passwords

Because of the recent PSN scare I figure it's as good as time as any to post this guide again.  It will take you about a while evening to get everything setup but it's worth it in the long run.  It's an incredibly convenient tool (it lets you auto login into site you have saved) and it's easy to make it so you have a very strong unique password for every site.

[Source Lifehacker]

How to Audit and Update Your Passwords

When something like a password database compromise happens, it's a good time to reassess your online security. With the right tool, I've reset my Gawker Media password, and all others like it, in 3 minutes, from a train. Here's how.

Portions of this post originally ran in a previously published Intermediate Guide to Mastering Passwords with LastPass. We thought it was a good time to jump back into top-level password control and password changes.

The LastPass browser extension is a free password manager that securely stores, generates, and audits your passwords. You can learn more about LastPass here, or head to the LastPass home page. Here's how to use it to hunt down passwords you're using across various sites, as well as to generate new, more secure passwords.

Update: Reader Rufo informs us that 1Password offers a possibly more direct means of searching out a password you used and finding where else you have it registered. We recommend you do that for your Gawker Media password, or any other password you believe has been compromised.

Step 1: Install LastPass, and Let It Save Your Passwords

The first time you install LastPass, it will, at some point in the setup wizard, prompt you to import saved passwords from your browser. Assuming you've been allowing your browser to save your passwords, let LastPass import all of these passwords.

Note: Many of you are understandably wary of handing over all your passwords to a third party service. Under the circumstances, we can't blame you. Take a look at LastPass' security page and security FAQ for a better idea of how the service works.

Step 2: Audit and Update Your Passwords

If you give LastPass permission to run through your passwords, the app can run a "security challenge" and show you which passwords are decent, which are pretty much asking to be hacked, and provide direct links to where you can fix them. Most importantly right now, you'll want to update the password on sites which shared your Gawker Media password. So click the LastPass button in your browser, then click on Tools > Security Check. (Or just go here.) Click the Start the Challenge button to get started.

LastPass will now scan all your saved passwords in a few seconds. When it's complete, you'll see a report detailing all your analyzed sites, sorted by duplicate passwords. The most important thing is to find the password you used at the compromised site and see where else you used it. If you also used that password for Gmail, Twitter, Facebook, or elsewhere, for example, anyone with your username can give it a try. Change that password anywhere you used it. Click the Show All Passwords link on the top right of the Analyzed Sites table, then find the sites that used the same password as you used here. Those are the ones you want to change first.

Point your browser to each site where you'd used this password and find its password update tool. One of LastPass' built-in features detects password changes forms. In other words, if you log into a web site and change your password, it notices a field asking for your current password, but also asking for another password. LastPass can do one of two things here: It can help you generate a secure password, using rules and defaults of your choice (recommended—just click on LastPass, then select Tools > Generate Secure Password), or it can simply watch you type in your new password. Either way, once you update your password, LastPass will offer to update it in the LastPass database.

If you let LastPass help you generate your new secure password, you'll find it's very good at fitting exactly the parameters you need and still offering some very random characters to fill in. So go ahead and change the crucial password first, then move on to an audit. You may be prompted to change your password on a few other sites that match that username and login—in the case of Gawker Media's own database compromise, you'll probably be asked to save the new password for Gizmodo, Gawker, Lifehacker—anywhere you comment with your username. This is a good, time-saving thing.

Step 3: Second-Level Security Updates

After you've changed your password here at Gawker Media and at other sites that had used the same password, you may want to take some other security measures, too. Open up your LastPass vault (click LastPass > My LastPass Vault), then type the username you used for that compromised account, to catch any other sites where you may have used a too-similar user/pass combo.

Finally, there's a painful lesson to be learned this fiasco: Don't use weak passwords, don't use the same passwords across different sites, and don't let your friends or relatives do as such either. We're keenly aware of just how much frustration this is causing, but some of it can hopefully be channeled into a better chance at leaving us all better protected in the future.



Around the Network

I was planning on posting something like this. After the hack, I finally decided it was time to switch over, so I've been updating passwords and what not for the last few hours.



I wasn't affected by the PSN thing since I dont have a ps3 yet, but this looks like a good idea to do any ways. Thanks for the info



Thanks for posting this.



I'm somewhat of a know nothing on these matters so at the risk of looking stupid I have to ask- am I any safer since I had a debit card on psn and not a credit card?



ǝןdɯıs ʇı dǝǝʞ oʇ ǝʞıן ı ʍouʞ noʎ 

Ask me about being an elitist jerk

Time for hype

Around the Network
leatherhat said:

I'm somewhat of a know nothing on these matters so at the risk of looking stupid I have to ask- am I any safer since I had a debit card on psn and not a credit card?


I would have them send you a knew one. If they got your pin you are far more risk. If they didn't you are at less risk. But get a new card now.



thranx said:
leatherhat said:

I'm somewhat of a know nothing on these matters so at the risk of looking stupid I have to ask- am I any safer since I had a debit card on psn and not a credit card?


I would have them send you a knew one. If they got your pin you are far more risk. If they didn't you are at less risk. But get a new card now.


Yeah I was going to do that, thanks for the advice. 



ǝןdɯıs ʇı dǝǝʞ oʇ ǝʞıן ı ʍouʞ noʎ 

Ask me about being an elitist jerk

Time for hype

Thank you.

Finding that LastPass isn't very stable in Safari, however. 



ramuji
www.ramuji.com
Nintendo Network ID: ramuji
Wii Friend Code: 8543-1141-9403-8457
3DS Friend Code: 1633-4130-0140
PS3 ID: ramuji_69

Pretty sure I never bought anything on there.

How did I get flOw? Was it free on some weekend?



For those of you that don't know, Lastpass can also do 2-factor authentication with devices like Yubikeys.  It's a good way of making sure you are the only one that can access your passwords.