In Pursuit of Powerful, Puzzling, and Private Passwords
(Pardon the excessive alliteration in the title, I got a little carried away. 
)
Last night, I got a message from my instant-messaging program, indicating that it had been logged out of one of my IM accounts because I’d “logged in from another location.” I’m pretty sure that it was an error in the program (rather than someone else actually logging into my account), but it got me thinking, and I realized that my e-mail and IM passwords were pretty weak — I’d created most of them long before I came up with a way to remember difficult passwords, or started using a program to create and store them, and hadn’t thought about them since. In other words, most of those accounts used the same easily-memorable but very weak password.
(This isn’t as much of a problem as it sounds though. All of my important e-mail is GPG-encrypted. But it still isn’t a good idea.)
So I spent a couple hours this morning changing the passwords for all of my IM and e-mail accounts. The Skype one was already secure (because I’d opened it after I improved my password system), and one e-mail account was as well (because the company that runs it insists that I create a new password every few months). I was able to find and change my Yahoo and GMail/Google Talk passwords on the ‘net with minimal effort, and my primary e-mail account is on a server that I control, so that was simple enough as well. But then I ran into trouble.
After digging through the online help system, I discovered that ICQ only allows password changes through their client program, which (of course) is Windows-only. Heaving a put-upon sigh, I fired up my VMware Windows XP system and downloaded and installed it. After that, it was pretty easy, but I shouldn’t have had to do that, in my opinion.
I also discovered that ICQ limits you to eight characters at most in a password. That’s probably secure (my bank uses the same limit, and they can cut off Internet access to the account if someone starts pounding it with a dictionary attack to guess the password), but it’s irritating that I couldn’t use my preferred password length.
Next up: my MSN account. You would expect that you could go to the MSN homepage, log in, and somewhere in all the crap on it find a link to change your password. You’d be wrong, of course… Microsoft could never make things that easy. Nor would they provide any link to a FAQ or help page on how to do it, so after trying and failing to find any information on their site, I did a web search and discovered the way: you have to go to https://accountservices.passport.net/ instead. Of course, it should have been obvious! And they limit password length to sixteen characters, so I couldn’t use my preferred length there either. Grr!
After all that, changing my ISP e-mail password (the last one on my list) was fairly anticlimactic.
Anyway, they’re all changed to secure ones, so if anyone was able to log into my IM account last night, they should be locked out now.