How to Reset Passwords on Multiple Websites Easily?
One of my old email addresses was involved in the recent Whitepages breach disclosure (source: Have I Been Pwned)
I don't remember on which websites I used that email address for registration but I would like to reset my password everywhere possible. Websites could include: Facebook, Google, Amazon, eBay, Paypal, etc. - basically the top N commonly-used or sensitive web applications/platforms.
This is particularly important as I was not using a password manager at the time and may have reused passwords.
Is there an existing way to automate initiating password resets, mainly by requesting password reset emails, on common platforms given a single email address that I have access to?
password-reset have-i-been-pwned
2
I don't see how that could work so easily as all that. You have way, way more passwords than you think. I thought I had "maybe 20" until I made a spreadsheet and came to discover I had 130. And I'm not a "signer-up" and actively try to keep that number down. Further to that, I don't agree with your idea of "top sites", you forgot Amazon, eBay and Paypal, see how it is? There are so many sites.
– Harper
10 hours ago
@Harper Indeed, the number of registered sites is likely to be much bigger than anticipated. Even if not on all, my concern is how to automate password resets on at least the top N popular or critical websites. And yes, Amazon and eBay would/should be included in those - I don't claim to have that list ready or that it contains only the 5 entries I mentioned in the question (hence the "etc.")
– Islay
9 hours ago
asked 19 hours ago by Islay (edited 9 hours ago)
6 Answers
One alternative solution to identify sites that you used your email address on is to look into your browser's saved passwords.
This will allow you to see every site you have saved passwords for in your browser which might help you identify ones that need to be changed.
Obviously, this only works if you use the browser's "save password" feature.
So, in other words, look in your password manager. And sometimes, your password manager is your browser.
– schroeder♦
16 hours ago
3
True, although I think most people would not consider their browser a true "password manager". This is just another suggestion that could be easy to overlook for others who are trying to find websites they forgot they registered on
– user202976
16 hours ago
I would say "almost always, your browser is your password manager."
– ThoriumBR
16 hours ago
It's a hard problem because the top list of websites is so personal... And what you have to lose is in no way proportional to the site's popularity on any index of popular sites.
And only you know where you might have accounts.
For instance, I consider gaming sites to be more critical than banking sites. Because there are much fewer controls and less legal peril involved in hacking MMO gaming accounts, so they are the darlings of crackers. On the other hand, if you're done with Maplestory, you may not care.
But you certainly don't need to care about your Eve Online account if you definitely never played it. Only you know this sort of thing.
If you think you might have used a site in the past, why not just try your old credential?
Why not just spam every website with password reset requests?
They're not going to cooperate with large scale automated requests of this type.
First, the website acknowledging whether an email has an account, would empower spear phishing. Scammer gets a billion emails (easy enough), they start banging the website's password reset to learn "does this email have an account here, or not?" Now they have a list of 1 million emails that do. Now they start spear-phishing those known account holders. Put them on a daily newsletter where unsubscribe requires a login, that kind of thing. This is a "many email addresses against a single site" attack. The site's best defense is to add friction to the password reset process, e.g. a CAPTCHA, or simply design the password-reset process so it tells the inquirer nothing about whether an account exists. This is even more important for sites like Ashley Madison or Furries where having an account there could be embarrassing.
Second, if a cracker managed to gain control of an email, they could simply do exactly what you're trying to do - ascertain which websites this email has an account on. With a full dossier, they can then attack those sites or simply sell the credentials for more than they could otherwise. This is a "single email vs many sites" attack. In this case, the site needs to control one-off access to the password reset function - something like a CAPTCHA is called for. And 2-factor authentication - but again, this 2FA must not disclose to the casual inquirer whether an account here exists.
Because of this, I don't see a probability of anyone writing an app to do this. The writer would find herself in a hacking "arms race" with many companies trying to stop her automation from working.
Lol...You made me google Furries and Ashley Madison...
– Aganju
8 hours ago
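The defence described in the answer above (a reset flow that tells the inquirer nothing about whether an account exists, plus friction on repeated requests), as an added example that is not part of the original answer. `ResetService`, the limits and the in-memory stores are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from collections import defaultdict, deque

GENERIC_REPLY = "If that address has an account, a reset link has been sent."
TOKEN_TTL = 15 * 60      # seconds a reset token stays valid (assumed policy)
WINDOW = 60 * 60         # throttling window in seconds (assumed policy)
MAX_PER_EMAIL = 3        # reset mails per address per window (assumed policy)
MAX_PER_CLIENT = 10      # reset requests per client IP per window (assumed policy)


class ResetService:
    """Password-reset request handling that does not reveal account existence."""

    def __init__(self, accounts, clock=time.time):
        self.accounts = {a.lower() for a in accounts}
        self.clock = clock
        self.tokens = {}                   # sha256(token) -> (email, expiry)
        self.outbox = []                   # (email, token) pairs handed to the mailer
        self.by_email = defaultdict(deque)
        self.by_client = defaultdict(deque)

    def _allow(self, bucket, key, limit):
        """Sliding-window counter: True if this request is within the limit."""
        now = self.clock()
        q = bucket[key]
        while q and now - q[0] >= WINDOW:
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(now)
        return True

    def request_reset(self, email, client_ip):
        email = email.strip().lower()
        # Throttle on both axes the answer names: many addresses against this
        # site (per client) and repeated requests for one address (per email).
        # Both limits apply whether or not the account exists.
        ok_client = self._allow(self.by_client, client_ip, MAX_PER_CLIENT)
        ok_email = self._allow(self.by_email, email, MAX_PER_EMAIL)

        # Do the token work on every request so known and unknown addresses
        # follow the same code path before the reply.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()

        if ok_client and ok_email and email in self.accounts:
            # Store only the hash; the token itself exists only in the e-mail.
            self.tokens[digest] = (email, self.clock() + TOKEN_TTL)
            self.outbox.append((email, token))

        # Same body for existing, unknown and throttled addresses.
        return GENERIC_REPLY

    def redeem(self, token):
        """Return the account e-mail for a valid token, else None. Single use."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)
        if entry is None:
            return None
        email, expiry = entry
        return email if self.clock() <= expiry else None


if __name__ == "__main__":
    # Constructed accounts and documentation-range IP addresses.
    svc = ResetService(["alice@example.com"])
    print(svc.request_reset("alice@example.com", "198.51.100.7"))
    print(svc.request_reset("nobody@example.com", "198.51.100.7"))
    print("mails queued:", len(svc.outbox))
```

In a real deployment the mail would be sent asynchronously so that response time does not differ between the two cases either.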
You can absolutely reset passwords automatically if your password manager supports it (I use LastPass) -- even retroactively. You don't have to have created the site using LastPass in order for it to be able to reset your passwords for you. You simply have to load the credentials into it and ask it to perform the password reset function.
In LastPass, simply allow LastPass to remember your credentials for the site (typically by logging in), and then on the Edit Site window of your vault, simply select Auto Change Password below the password field.
One may not have the old password(s) anymore to load into LastPass.
– Islay
10 hours ago
LastPass's feature also only works on some of the biggest sites, and even then not reliably. (facebook, battle.net....)
– Lichtbringer
7 hours ago
You can use a fancy password manager like @schroeder suggested, but what if you aren't using that already and you need to change things now? You can prioritize!
I would do this:
- Panic 😱
- Start with my email! Since email is used for password recovery and can be used to open up anything else. After this my stress level would already be way down. Panic at 60%. 😵
- Next do anything financial. Because I don't want anyone touching my money. Panic at 40%. 😧
- Then anything else that is important for my own personal privacy. Panic below 20%. 😓
- Everything else. Panic subsided. 😌
Basically, what the accepted answer by @Matthew already suggested i.e. look at the top 50 websites, prioritise based on which ones hold more sensitive info/privileges and manually reset passwords.
– Islay
10 hours ago
@Islay I suppose, if that list of websites will help remind you what you are registered with. I don't have trouble remembering the websites that are most critical to me, so I would only need that list at step 5 in my answer, if at all.
– adjenks
7 hours ago
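Two suggestions from the answers on this page, looking through the browser's saved passwords and working through accounts in priority order (email, financial, privacy, everything else), combined into one added example that is not part of any original post. It assumes the browser can export saved logins as CSV with `url`, `username` and `password` columns; the sample rows, the `TIERS` mapping and the function names are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample standing in for a browser's saved-password export.
SAMPLE_EXPORT = """name,url,username,password
mail.example,https://mail.example/login,old.address@example.com,hunter2
bank.example,https://www.bank.example/auth,old.address@example.com,hunter2
forum.example,https://forum.example/,old.address@example.com,Tr0ub4dor&3
shop.example,https://shop.example/account,other@example.net,hunter2
games.example,https://games.example/signin,Old.Address@example.com,correct horse
"""

# Priority tiers in the order given above: 1 = email, 2 = financial,
# 3 = personal privacy, 4 = everything else. The host-to-tier mapping is a
# hypothetical one that each user fills in for their own accounts.
TIERS = {"mail.example": 1, "bank.example": 2, "games.example": 3}


def host_of(url):
    """Reduce a saved-login URL to a bare host name."""
    host = urlsplit(url).hostname or url
    return host[4:] if host.startswith("www.") else host


def build_worklist(export_text, breached_email, tiers):
    """Return (worklist, also_exposed).

    worklist: accounts registered with the breached address, ordered by tier,
    then by how many other sites share the same password.
    also_exposed: sites under a different username that reuse a password
    from one of the breached-address accounts.
    Passwords are only used as in-memory grouping keys and never returned.
    """
    breached = breached_email.strip().lower()
    rows = list(csv.DictReader(io.StringIO(export_text)))

    sites_by_password = defaultdict(set)
    for row in rows:
        sites_by_password[row["password"]].add(host_of(row["url"]))

    worklist, breached_passwords = [], set()
    for row in rows:
        if row["username"].strip().lower() != breached:
            continue
        host = host_of(row["url"])
        breached_passwords.add(row["password"])
        worklist.append({
            "site": host,
            "tier": tiers.get(host, 4),
            "shared_with": sorted(sites_by_password[row["password"]] - {host}),
        })
    worklist.sort(key=lambda w: (w["tier"], -len(w["shared_with"]), w["site"]))

    also_exposed = sorted({
        host_of(row["url"])
        for row in rows
        if row["username"].strip().lower() != breached
        and row["password"] in breached_passwords
    })
    return worklist, also_exposed


if __name__ == "__main__":
    work, also = build_worklist(SAMPLE_EXPORT, "old.address@example.com", TIERS)
    for item in work:
        print(item["tier"], item["site"], "shares password with", item["shared_with"])
    print("reused elsewhere:", also)
```

The export file holds plaintext passwords, so it should be deleted once the worklist has been built.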
No, not really - they all have different processes for verifying your identity for password reset requests, and there isn't any standard for bulk password resets. For example, Apple may use a device which is registered to the account as a confirmation that it's you sending the request, while Facebook uses different schemes depending on whether you're changing your password from a device where you've previously logged in, or from a completely unrelated one.
Easiest way is probably to go through common websites (e.g. work through a list like https://en.wikipedia.org/wiki/List_of_most_popular_websites, ignoring any which you are sure don't apply) providing the email address you want to reset, and watching for reset emails. It's not perfect, but if you're changing the ones you know are sensitive (e.g. ones which have credit card details associated, or email accounts, or government systems), that's ok - you know that those accounts will have unique passwords, even if an attacker may be able to log into your abandoned MySpace (or other defunct social network) account with an old password.
answered 18 hours ago by Matthew
This is a known problem without an existing solution. Some password management tools are working on it, but it is not complete or fool-proof.
For example: https://helpdesk.lastpass.com/generating-a-password/
"Auto-Password Change will change a site’s password with a single-click. This feature currently supports 75 of the most popular websites. You can see the full list of supported websites below."
In general, though, when you use a password manager for all your accounts, 90% of the work you need to do is already done. You know which sites use that username/email, and you can avoid re-using passwords in the first place (or know which accounts use a shared password).
answered 18 hours ago by schroeder♦
@schroeder if there was a halfway decent solution to this problem, bad guys would abuse it for denial of service and other misadventures. This is why this problem is so difficult and unlikely to ever be satisfactorily solved.
– emory
16 hours ago
2
@emory I'm not sure that is true. An authenticated process would not expose a DoS threat to the process.
– schroeder♦
16 hours ago
1
As I understand it, OP wants to send a message to a bunch of sites - facebook, google, spotify, netflix, etc - saying "hey, I am pretty sure I have an account with you guys and my username is op@somedomain.com. This account has been compromised. Please lock me out." Why couldn't I do the same with all the email addresses that I know @schroeder to use?
– emory
16 hours ago
3
@emory .... because that would be silly. And no one is talking about that. And that has nothing to do with anything I said or what the OP said.
– schroeder♦
16 hours ago
2
@emory I still have access to the old email account, so schroeder's idea of an authenticated process to trigger the requests seems to mitigate the issue IMO.
– Islay
10 hours ago
One alternative solution to identify sites that you used your email address on is to look into your browser's saved passwords.
This will allow you to see every site you have saved passwords for in your browser which might help you identify ones that need to be changed.
Obviously, this only works if you use the browser's "save password" feature.
edited 16 hours ago by schroeder♦
answered 16 hours ago by user202976 (New contributor)
So, in other words, look in your password manager. And sometimes, your password manager is your browser.
– schroeder♦
16 hours ago
3
True, although I think most people would not consider their browser a true "password manager". This is just another suggestion that could be easy to overlook for others who are trying to find websites they forgot they registered on
– user202976
16 hours ago
I would say "almost always, your browser is your password manager."
– ThoriumBR
16 hours ago
It's a hard problem because the top list of websites is so personal... And what you have to lose is in no way proportional to the site's popularity on any index of popular sites.
And only you know where you might have accounts.
For instance, I consider gaming sites to be more critical than banking sites. Because there are much fewer controls and less legal peril involved in hacking MMO gaming accounts, so they are the darlings of crackers. On the other hand, if you're done with Maplestory, you may not care.
But you certainly don't need to care about your Eve Online account if you definitely never played it. Only you know this sort of thing.
If you think you might have used a site in the past, why not just try your old credential?
Why not just spam every website with password reset requests?
They're not going to cooperate with large scale automated requests of this type.
First, the website acknowledging whether an email has an account would empower spear phishing. Scammer gets a billion emails (easy enough), they start banging the website's password reset to learn "does this email have an account here, or not?" Now they have a list of 1 million emails that do. Now they start spear-phishing those known account holders. Put them on a daily newsletter where unsubscribe requires a login, that kind of thing. This is a "many email addresses against a single site" attack. The site's best defense is to add friction to the password reset process, e.g. a CAPTCHA, or simply design the password-reset process so it tells the inquirer nothing about whether an account exists. This is even more important for sites like Ashley Madison or Furries where having an account there could be embarrassing.
Second, if a cracker managed to gain control of an email, they could simply do exactly what you're trying to do - ascertain which websites this email has an account on. With a full dossier, they can then attack those sites or simply sell the credentials for more than they could otherwise. This is a "single email vs many sites" attack. In this case, the site needs to control one-off access to the password reset function - something like a CAPTCHA is called for. And 2-factor authentication - but again, this 2FA must not disclose to the casual inquirer whether an account here exists.
Because of this, I don't see a probability of anyone writing an app to do this. The writer would find herself in a hacking "arms race" with many companies trying to stop her automation from working.
answered 8 hours ago by Harper
Lol...You made me google Furries and Ashley Madison...
– Aganju
8 hours ago
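The site-side defence Harper's answer describes (a reset flow that tells the inquirer nothing about whether an account exists), as an added example that is not part of the original answer or any site's real code. The class names, limits and in-memory stores are assumptions, and per-email and per-client rate limiting stands in for the CAPTCHA-style friction the answer mentions.

```python
import hashlib
import secrets
import time
from collections import defaultdict, deque

GENERIC_REPLY = "If that address has an account, a reset link has been sent."
TOKEN_TTL = 15 * 60      # seconds a reset token stays valid (assumed value)
WINDOW = 60 * 60         # rate-limit window in seconds (assumed value)
MAX_PER_EMAIL = 3        # limits repeated resets aimed at one address
MAX_PER_CLIENT = 10      # limits one client probing many addresses


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:
            q.popleft()          # forget events that left the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class ResetService:
    def __init__(self, accounts, clock=time.time):
        self.accounts = {a.lower() for a in accounts}
        self.clock = clock
        self.by_email = SlidingWindowLimiter(MAX_PER_EMAIL, WINDOW)
        self.by_client = SlidingWindowLimiter(MAX_PER_CLIENT, WINDOW)
        self.tokens = {}    # sha256(token) -> (email, expiry); raw token never stored
        self.outbox = []    # stands in for an asynchronous mail queue

    def _store(self, email, token, now):
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (email, now + TOKEN_TTL)
        self.outbox.append((email, token))

    def request_reset_leaky(self, email):
        """The 'before': status and message reveal whether the address is registered."""
        email = email.strip().lower()
        if email not in self.accounts:
            return 404, "No account with that email address."
        self._store(email, secrets.token_urlsafe(32), self.clock())
        return 200, "Reset link sent."

    def request_reset(self, email, client_id):
        """Hardened: known, unknown and throttled requests get the same reply."""
        now = self.clock()
        email = email.strip().lower()
        # Both limiters run on every request, keyed on the submitted values,
        # so throttling never depends on whether the account exists.
        client_ok = self.by_client.allow(client_id, now)
        email_ok = self.by_email.allow(email, now)
        # Generate the token before the account check so both paths do the
        # same work; mail is queued, not sent inline.
        token = secrets.token_urlsafe(32)
        if client_ok and email_ok and email in self.accounts:
            self._store(email, token, now)
        return 200, GENERIC_REPLY

    def redeem(self, token):
        """Single-use redemption: returns the account email, or None."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)
        if entry is None or self.clock() > entry[1]:
            return None
        return entry[0]
```

The account owner still learns the outcome through their mailbox, which is the only channel that should carry it.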
You can absolutely reset passwords automatically if your password manager supports it (I use LastPass) -- even retroactively. You don't have to have created the site using LastPass in order for it to be able to reset your passwords for you. You simply have to load the credentials into it and ask it to perform the password reset function.
In LastPass, simply allow LastPass to remember your credentials for the site (typically by logging in), and then on the Edit Site window of your vault, simply select Auto Change Password below the password field.
answered 12 hours ago by bvoyelr (New contributor)
One may not have the old password(s) anymore to load into LastPass.
– Islay
10 hours ago
LastPass's feature also only works on some of the biggest sites, and even then not reliably. (facebook, battle.net....)
– Lichtbringer
7 hours ago
You can use a fancy password manager like @schroeder suggested, but what if you aren't using that already and you need to change things now? You can prioritize!
I would do this:
1. Panic 😱
2. Start with my email! Since email is used for password recovery and can be used to open up anything else. After this my stress level would already be way down. Panic at 60%. 😵
3. Next do anything financial. Because I don't want anyone touching my money. Panic at 40%. 😧
4. Then anything else that is important for my own personal privacy. Panic below 20%. 😓
5. Everything else. Panic subsided. 😌
answered 13 hours ago by adjenks
Basically, what the accepted answer by @Matthew already suggested i.e. look at the top 50 websites, prioritise based on which ones hold more sensitive info/privileges and manually reset passwords.
– Islay
10 hours ago
@Islay I suppose, if that list of websites will help remind you what you are registered with. I don't have trouble remembering the websites that are most critical to me, so I would only need that list at step 5 in my answer, if at all.
– adjenks
7 hours ago
2
I don't see how that could work so easily as all that. You have way, way more passwords than you think. I thought I had "maybe 20" until I made a spreadsheet and came to discover I had 130. And I'm not a "signer-up" and actively try to keep that number down. Further to that, I don't agree with your idea of "top sites", you forgot Amazon, eBay and Paypal, see how it is? There are so many sites.
– Harper
10 hours ago
@Harper Indeed, the number of registered sites is likely to be much bigger than anticipated. Even if not on all, my concern is how to automate password resets on at least the top N popular or critical websites. And yes, Amazon and eBay would/should be included in those - I don't claim to have that list ready or that it contains only the 5 entries I mentioned in the question (hence the "etc.")
– Islay
9 hours ago