Neil Turner's Blog

Blogging about technology and randomness since 2002

The big post-Heartbleed password change

Screenshot of the web page

Following last week’s revelations about the Heartbleed bug, I spent quite a bit of time over the weekend changing passwords. Not all of them – I’ve been using this list of affected sites from Mashable – but quite a lot.

At the same time I’ve also taken the opportunity to audit other passwords from non-affected sites. I use 1Password as my password manager, on OS X, Windows and iOS, and it has a ‘Password Audit’ feature that shows weak, old and duplicated passwords. Ashamedly, I had quite a few of all three.

As a reminder, the generally accepted guidelines for strong passwords are as follows:

  1. As long as possible
  2. Using a mixture of lower and uppercase letters, numbers and special characters
  3. Are unique
  4. Avoiding any words that could appear in a dictionary

Using a password manager is therefore a very good idea, as they can usually generate strong passwords that meet those criteria, and offer to remember them for you. I tend to go for 24 character passwords like ‘3&yjGJNrE)Up2no8W:iNduYg’, to give an example of one that 1Password has just given me, and there’s no way that I could memorise that. The only passwords I have committed to memory are my 1Password Master Password, for obvious reasons, and my logins for Google, iTunes and Facebook. Whilst they satisfy the first three criteria above, they do use actual words – albeit with numbers and symbols replacing some of the letters – because these are the ones I use the most frequently. They’re still ‘strong’ according to most password meters.

Having said all of that, your passwords also have to fit within the constraints set by the web sites with which you have accounts. Whilst most of the sites I’ve been using have no problem with 24 character passwords, and are happy to accept symbols, not all of them are. Quite a few would only take passwords up to 16 characters, and others won’t accept special characters – or both. In which case, I had to make do with weaker passwords, but at least they’ll be unique.

There are, however, two web sites that were significantly worse than others. hmvdigital doesn’t let users change their password, unless you contact customer services. The worst offender, however is the Intercontinental Hotels Group, who owns the Holiday Inn and Crowne Plaza chains. If you’re in their IHG Rewards scheme – I am, and I have gold membership – then your password is a 4 digit numeric PIN. So there are only 10,000 possible password combinations, which could be cracked within minutes by an average home desktop computer. In 2014, this is horrifying, and for this reason, if you use IHG’s hotels, please don’t store your credit card details with them.

On the other hand, it’s been enlightening seeing which sites have removed my accounts for inactivity. For example, have deleted my account, presumably because my last purchase from there was circa 2005. And other sites simply don’t exist anymore.


  1. > hmvdigital doesn’t let users change their password, unless you contact customer services.

    What the heck – seriously!? Good grief.

    As for IHG – playing devil’s advocate for a moment – is there any suggestion they limit password attempts, for instance: only one attempt at a time (no parallel threads); maximum three attempts then lock?