I’ve been a 1Password user for, well long enough that some of my passwords have “creation” dates of 2014. So, a while. And that means that, like all things humans store things in, occasionally it gets to be a mess in there. Once I realized that way more of my passwords were weak or had been leaked than not, I decided to take on the task of cleaning things up.
Here’s what I learned over two weekends of checking and changing the passwords stored in my password checker:
- Nobody tells you when a site you used to use goes under. You just discover that clicking the address for it goes to a 404 or that Safari can’t resolve the domain name at all. There are just under 100 passwords in the trash now because their sites are dead and gone.
- Similarly, nobody tells you that Foursquare, a site I used to keep track of places that I visited in a quasi-augmented-reality kind of way, would still be alive and kicking years after it gave up its gamification and became boring. Hello, Foursquare folks! I’m sure you’re not actually boring boring but I do wish I still had all that checkin stuff from my trip to London.
- As an industry, we haven’t settled on where our password settings go. Account? Settings? Security? Options? Passwords? I critiqued a menu the other day by saying that labeling one option “Junk drawer” instead of “more” would be easier for users to understand (and pissed off more than one designer in the process) but information architecture is very much about information scent, and having changed probably over 100 passwords I can tell you that we don’t have consistent information scent on “where I will find my password change”. If you point at 5 competitors and say “they’re all using X” I now know where I can find at least 50 that are not using that term.
- Some websites, especially if they’re associated with an app on your phone, straight up don’t offer editing your password. It’s a minority, but it’s real.
- While you weren’t paying attention, there’s a strong chance that some of the sites you rarely use implemented 2 factor authentication (2FA) without telling you. I have a password. It is valid. I typed it in. Then I had to go fetch a code out of my email to log in, even though I never opted in to this. Or a text message. Or immediately get prompted to set up 2FA. I mean, ultimately this was a good thing but also it added significant time to the process of changing a lot of passwords in a lot of places.
In sum total, obviously, doing this clean up was worth my time and effort, both because it cleaned out a lot of cruft and because it significantly increased the security of my accounts.
I’m not sure it’s the way I’d recommend doing a comparative analysis of password resetting, but it was certainly a lesson in all the good and bad ways to do it.