
First and foremost, I am sorry for posting anonymously for security reasons. Exposing my identity might mean exposing my vulnerability, which comes from the problem described below.

I have accounts on websites A1,A2,A3,...etc with password X or derived from X in some pattern.

When registering at website B, I accidentally entered X in the username field. The registration flow was: I entered my email address, I clicked the link in the email they sent, and then they ask a username, which I mistook as a password field. They didn't ask any other information, so right after I entered X as username, I was registered.

The problem is:

  1. X, my password for A1,A2,A3,...etc is stored in plaintext, and
  2. in website B, username is public, which means everybody can see X.

One obvious solution is to change my passwords for A1,A2,A3,...etc. However, it can only be done to websites I remember. I might miss a lot of websites in which I have an account.

Website B doesn't seem to have a mechanism to change username or delete account. I have tried contacting them; however, there are issues with that:

  1. The technical support claims not to understand my explanation of the problem
  2. There might be some restrictions which prevent them from changing my username or deleting my account.

Is there any possible solution for this?

anonymous
    I'm sorry you're in this situation. I would recommend changing passwords on all your sites and using a password manager to generate long random password unique to each site, this is a perfect occasion to switch over to using one. – Marc Dec 15 '17 at 20:01
    I would suggest going through your e-mail history of all registration mails from different sites, to try to make a full list of all sites where you used (a derivation of) X, and change passwords (using a password manager) on all those sites. Those that you really can't remember are probably not important, so it doesn't matter (much) if your account gets stolen there, apart from the personal info you might have registered. Maybe you can also look at your browser history to find sites you may have registered to. – entrop-x Dec 20 '17 at 06:12
    Did you input any information into site B that publicly links that account to your other accounts on other sites? That is, if your name on other sites is Tom, and your password is 1234, and your name on B is 1234 and you have some other password (maybe 1234 also, or maybe something else), that alone does not compromise the other accounts. Even someone guessing that 1234 was supposed to be a password does not automatically know you are Tom from site A1. – Aaron Dec 21 '17 at 18:18

2 Answers


That sucks. I can't think of any other possible solutions beyond the ones you listed:

1) Keep at the technical support to delete the account (fully delete from all databases). This is probably your cleanest option.

2) Go around changing your password everywhere. I recognize this is a pain, and impractical / impossible for websites that you don't remember having an account on.


The main reason for posting an answer is to highlight your unfortunate situation as a warning to everybody else:

USE A PASSWORD MANAGER!!!!!!!!!!!!!!

This situation would have been completely avoided had you been using a password manager for all your accounts.

Had you pasted a newly-created random password into the account name field, then you go "oops", generate a new random password, and start the account registration over again (or live with a username like huWb9EIaemGZqVsp3aYV).

Even if - for some reason - you don't like random per-account passwords and you revealed a password used by multiple accounts, your password manager is a list of all your accounts, giving you a nice list of which are using that password and need to be cleaned up.


Finally, let's address:

I have accounts on websites A1,A2,A3,...etc with password X or derived from X in some pattern.

Your situation is a great example of why "a password derived from X in some patterns" is essentially equivalent to "a password X".

I wish people would stop trying to be clever with patterns, and just used properly random passwords. (sure, password managers have usability issues, but they are far less risky than memory-based tricks)

Mike Ounsworth
    I can only second this. The very fact that you know you are "exposed" is an indication that the "derived" passwords are cheap derivations that give you a mental sense of security ("hey, I DON'T use the same passwords on each site, I use a DERIVED one, how how how, I'm clever") but are meaningless. Passwords should have independent entropy. So indeed, use a good password manager (I prefer local ones such as Keepass, that are open source), and use it to generate independent, random pass phrases for each site. – entrop-x Dec 20 '17 at 06:07

Your password X on site A1 was compromised not when you accidentally submitted it as a username to site B, but as soon as you submitted it as a password to site A2, and additionally when you submitted it to site A3, etc. Any attempt to get site B to delete it simply increases the exposure by repeating it in emails, support tickets, etc.; it won't undo the exposure on site B much less on A2, A3, etc.

The only course of action to remedy this is to change your password on all of these sites to something unique to the site, preferably randomly generated and stored with a password manager. If you don't know all the sites you reused password X on, you at least need to determine which ones have accounts of sufficient importance that compromise would cause significant harm to you, and change those.
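Both answers come down to the same clean-up job: use the password manager's own inventory to find every account whose password is X or a variant of it, then change the important ones first. The script below is an added example, not code from either answerer; it assumes a generic CSV export with name, url, username and password columns, uses a constructed sample export with made-up credentials, and treats "derived from X" conservatively as either containing X (case-insensitively) or sharing a long common prefix with it.

```python
import csv
import io
import os

# Constructed sample of a password-manager CSV export (hypothetical entries,
# not real credentials). BASE stands in for the reused password X.
BASE = "CorrectHorse42"
SAMPLE_EXPORT = """name,url,username,password
A1,https://a1.example,tom,CorrectHorse42
A2,https://a2.example,tom,CorrectHorse42a2
A3,https://a3.example,tom,A3-correcthorse42!
Bank,https://bank.example,tom,correcthorse42
Forum,https://forum.example,tom,huWb9EIaemGZqVsp3aYV
Mail,https://mail.example,tom,CorrectHorse43
"""

MIN_SHARED_PREFIX = 8  # assumed threshold: shorter overlaps are treated as coincidence


def classify(password, base):
    """Return 'identical', 'derived', or None for one stored password."""
    if password == base:
        return "identical"
    lowered, base_lowered = password.lower(), base.lower()
    if base_lowered in lowered:                       # X with a suffix/prefix/case change
        return "derived"
    shared = os.path.commonprefix([lowered, base_lowered])
    if len(shared) >= MIN_SHARED_PREFIX:              # X with the tail altered
        return "derived"
    return None


def find_reuse(export_text, base):
    """List every export entry whose password is BASE or a variant of it."""
    hits = []
    for row in csv.DictReader(io.StringIO(export_text)):
        kind = classify(row["password"], base)
        if kind:
            hits.append((row["name"], row["url"], kind))
    return hits


def prioritise(hits, high_value_urls):
    """Split hits into high-value sites (change these first) and the rest."""
    urgent = [h for h in hits if h[1] in high_value_urls]
    later = [h for h in hits if h[1] not in high_value_urls]
    return urgent, later


if __name__ == "__main__":
    urgent, later = prioritise(find_reuse(SAMPLE_EXPORT, BASE),
                               {"https://bank.example", "https://mail.example"})
    for label, group in (("CHANGE FIRST", urgent), ("CHANGE NEXT", later)):
        for name, url, kind in group:
            print(f"{label}: {name} ({url}) - {kind}")
```

The prefix rule is deliberately conservative; entries it misses still have to be reviewed by eye, which is only feasible because the manager holds the complete list.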