1

I have a lot (>1000) of credentials for website logins in my Chrome's password safe. Some of them are quite old (> 10 years) and have weak (dictionary) passwords. Some of the accounts have low value to me so that I could just consider them hacked/hackable and abandon them altogether. Other accounts have higher (historic) value to me and I would like to preserve them at least for some time. Because of the sheer amount of credentials, it seems unfeasible to update all accounts to secure passwords manually.

What would be the most secure process to update my credentials and which tools could help me with it? I would execute these tasks manually:

  • Get a list of all websites Chrome has credentials for
  • Request a password reset / update link for a given website
  • Update password to a random password on the website and in Chrome's password safe
  • Set up MFA (multi-factor authentication) where possible
Bengt
  • Although I understand your concern, this question isn't specifically about Info Security. It is either a 'product recommendation' question, or a question about how to script the automation process. – schroeder Oct 15 '14 at 15:09
  • Actually it was meant as a 'best practice' question. I can do it manually, script it or use a product myself, but I do not know what the most secure way is. – Bengt Oct 15 '14 at 15:18
  • Ah. Then could you update your question to reflect the 'process' instead of 'product' nature of your question? – schroeder Oct 15 '14 at 15:22
  • I updated my question, I hope the intent is clear now. – Bengt Oct 15 '14 at 15:27
  • To determine the "value" of an account, please also consider the fact that one hacked "low value" account could be used against your reputation (e.g. spreading bad stuff with it), not only to get the associated data. I have recently closed or secured my old accounts because of this (they were not nearly as numerous though). – Marcel Oct 15 '14 at 15:43
  • @Marcel From that perspective, every account that is traceable to my identity needs to be secured. That still leaves some (pseudonymous) accounts of low value. – Bengt Oct 15 '14 at 16:01
  • as part of the process, also consider enabling MFA on sites that support it (and where it fits your needs) – schroeder Oct 15 '14 at 16:21
  • @schroeder Thanks, I added a step to my manual process. – Bengt Oct 15 '14 at 16:36
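
The first and third steps of the manual process in the question, sketched as an added example (not part of the original post and not the code of any tool named on this page). It assumes the saved logins were exported from Chrome to a CSV with the columns name,url,username,password, uses a constructed sample and a tiny stand-in wordlist, and reports only host, username and reason so that no plaintext password reaches the output.

```python
import csv
import io
import secrets
import string
from collections import Counter
from urllib.parse import urlsplit

# Tiny stand-in for a real dictionary or breach wordlist (assumption).
WORDLIST = {"password", "letmein", "dragon", "sunshine", "qwerty"}

# Constructed sample in the assumed export layout: name,url,username,password
SAMPLE_EXPORT = """name,url,username,password
forum,https://forum.example.org/login,bengt,dragon
shop,https://shop.example.com/account,bengt@example.org,Sunshine1
wiki,https://wiki.example.net/,bengt,Sunshine1
bank,https://bank.example.com/,bengt,kX9#vT2q!Lm84zRw
"""

def weaknesses(password, reuse_count):
    """Return the reasons a stored password should be rotated."""
    reasons = []
    if len(password) < 12:
        reasons.append("short")
    if password.lower().rstrip(string.digits + string.punctuation) in WORDLIST:
        reasons.append("dictionary")
    if reuse_count > 1:
        reasons.append("reused")
    return reasons

def triage(export_text):
    """List (host, username, reasons), worst first; never emits a password."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    reuse = Counter(r["password"] for r in rows)
    findings = []
    for r in rows:
        reasons = weaknesses(r["password"], reuse[r["password"]])
        if reasons:
            host = urlsplit(r["url"]).hostname or r["name"]
            findings.append((host, r["username"], reasons))
    return sorted(findings, key=lambda f: (-len(f[2]), f[0]))

def new_password(length=24):
    """Random replacement drawn from the OS CSPRNG via the secrets module."""
    alphabet = string.ascii_letters + string.digits + "-_.!@#%"
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for host, user, reasons in triage(SAMPLE_EXPORT):
        print(f"{host:22} {user:20} {', '.join(reasons)}")
```

The export file holds every password in plaintext, so keep it on local encrypted storage and delete it once the rotation is finished.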

1 Answer

1

Use Lastpass and let it import all your passwords from Chrome. Then you have a nice database that can be shared, updated and exported easily.

SPRBRN
  • I don't trust that binary blob enough to give it network access and all my passwords. – Bengt Oct 15 '14 at 16:06
  • But you trusted Chrome to do it... (and with the click of a button they're in plaintext) – cutrightjm Oct 15 '14 at 18:04
  • All relevant parts of Chrome are open source and well audited. I got no results when I googled error messages from lastpass, so it seems sparsely tested. – Bengt Oct 15 '14 at 18:12
  • @Bengt in the end this really comes down to personal opinion but I definitely trust lastpass more than Chrome. Chrome does not protect passwords in any way, so you might as well write them down on paper. With lastpass, it's at least protected by a master password and strong encryption. The CEO of lastpass made an interesting post here on stackexchange: https://security.stackexchange.com/questions/15822/how-can-i-be-sure-lastpass-really-cant-access-my-passwords/15846#15846 – tlng05 Oct 16 '14 at 00:31
  • @user54791 [Chrome stores credentials encrypted by default.](https://support.google.com/chrome/answer/1181035?hl=en) – Bengt Oct 16 '14 at 01:15
  • @Bengt that's true if you sync your account with Google. See http://security.stackexchange.com/questions/40884/is-saving-passwords-in-chrome-as-safe-as-using-lastpass-if-you-leave-it-signed-i and http://lifehacker.com/5944969/which-password-manager-is-the-most-secure - in the end it's up to you to decide which is the more secure option. – tlng05 Oct 16 '14 at 01:31
  • With my credentials already in Chrome, Lastpass can only add insecurities, however small. There must be a way that does not require such a complex tool. – Bengt Oct 16 '14 at 01:58
  • You don't mention what OS you use. For Windows, Keepass has a browser addon. Maybe you trust that more. I use both Keepass and Lastpass, LP for not too critical stuff, KP for the critical things like logins that can cost me money. – SPRBRN Oct 16 '14 at 07:27