How do I revamp my unsecure (and HUGE) password set?

I’ve been putting this off too long. Almost all my passwords would probably be sorta easy to brute force. The thought of that is what finally got me to go with Bitwarden.

However, after the first site changing password to something secure, removing the autofill from Firefox, and setting the login with Bitwarden (and accidentally screwing up and needing to go through a password reset) I have the feeling that this is going to take all day and be a massive headache.

Am I missing something that could simplify this process?

Do not even try to do all passwords all at once. This is just too annoying. You will hate Bitwarden before you even get halfway, although it is not even Bitwarden’s fault.

Instead start it like this:
Whenever you visit one of the sites you go to on a daily basis or run one of those apps you use quite often, change the password then. If in that moment you have very little time or are under stress, do not change it. You need to focus when you change a password.

Once you are done with these and whenever you have some time: Go through the list and start changing the passwords for those things that are important to you.

Next (and by now you hopefully already have switched to premium) log in at https://vault.bitwarden.com then go to Tools and use the Exposed Passwords Report. Again start with the important accounts. When done use the Reused Passwords Report and some time later finally take a look at the Weak Passwords Report. Perhaps use these reports in a different order.

Much, much later when you have reached this point there are probably very few simple passwords left.

This can take weeks. Depending on the number of passwords, perhaps even months. But the good thing about this: there is no-one pushing you.

Some more hints:

  • Use the Password Generator. Let it create long (14+x characters) and complicated passwords that have a mix of small and capital letters, numbers and special characters.

  • First make the change inside Bitwarden and then on that site or in the app. If something goes wrong you can look up the old password in the Password History at the bottom of every item.

If instead you did it the other way round (= first changing the password on the site or in the app) and Bitwarden - for whatever reason - closed its window before you hit the save button: do not panic. Instead go to the Password Generator and look up that password. The Password Generator also has a Password History.

  • While you are at it: Activate 2FA wherever possible. Use more than just a single 2FA-method. Test all methods before you trust them. I am using Duo (my favorite), Authy and I also have a Yubikey 5 NFC.

  • Make sure to have a long and secure Master Password to access Bitwarden. Using a Passphrase instead is a good alternative. If English is not your first language you can still make use of the Password Generator: just translate the passphrase.

  • Do not even try to remember any of those passwords. There is one exception: your Master Password. Make sure not to lose it. And remember: the brain might not be the best place to store it. If you lose your password there is no-one in the world that can help you. That includes Bitwarden. They have no clue what your password is and they cannot reset it. You might want to take a look at the so-called Emergency Access. This however has to be activated BEFORE you actually need it.
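The reply above leans on two Bitwarden features: the Reused/Weak Passwords Reports for triage, and the Password Generator for replacements. As an added illustration (not part of the original thread and not Bitwarden's code), the script below runs the same kind of triage over a constructed CSV in the layout of a vault export, then generates a replacement password and a passphrase with the CSPRNG. The column names `name`, `login_uri`, `login_username`, `login_password` are assumed from the common export format; check your own export's header. The strength estimate is a crude character-pool calculation for ranking, not the scoring the Bitwarden report uses.

```python
import csv
import io
import math
import secrets
import string
from collections import defaultdict

# Constructed sample in the column layout of a Bitwarden CSV export
# (header names assumed; compare with your own export before trusting them).
SAMPLE_EXPORT = """name,login_uri,login_username,login_password
Email,https://mail.example,alice,Summer2019!
Bank,https://bank.example,alice,Summer2019!
Forum,https://forum.example,alice,hunter2
Shop,https://shop.example,alice,x7#Qp2!vLm9$Rt4wZe
"""

# Character classes the generator draws from and the estimator recognises.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def entropy_bits(password: str) -> float:
    """Crude strength estimate: length * log2(size of the pool of classes used).
    Good enough to rank entries; it is not the report's own scoring."""
    pool = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def audit(csv_text: str, min_length: int = 14, min_bits: int = 60) -> dict:
    """Mirror the Reused and Weak Passwords Reports over an export.
    Returns {'reused': {password: [entry names]}, 'weak': [(name, reason)]}."""
    by_password = defaultdict(list)
    weak = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pw, name = row["login_password"], row["name"]
        by_password[pw].append(name)
        reasons = []
        if len(pw) < min_length:
            reasons.append(f"only {len(pw)} chars")
        if entropy_bits(pw) < min_bits:
            reasons.append(f"~{entropy_bits(pw):.0f} bits")
        if reasons:
            weak.append((name, ", ".join(reasons)))
    reused = {pw: names for pw, names in by_password.items() if len(names) > 1}
    return {"reused": reused, "weak": weak}


def generate_password(length: int = 20) -> str:
    """Random password from the CSPRNG that contains every character class."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in c for ch in pw) for c in CLASSES):
            return pw


# Constructed word list for the demo; a real list (e.g. the EFF list) has thousands.
WORDS = ["copper", "lantern", "violet", "meadow",
         "harbor", "pebble", "thunder", "saddle"]


def generate_passphrase(words=WORDS, count: int = 5, sep: str = "-") -> str:
    """Diceware-style passphrase: words chosen independently with the CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for names in report["reused"].values():
        print(f"reused across: {', '.join(names)}")   # entry names only, never the secret
    for name, reason in report["weak"]:
        print(f"weak: {name} ({reason})")
    print("replacement password:", generate_password())
    print("replacement passphrase:", generate_passphrase())
```

Run it against a real export only on a machine you trust, and delete the export file afterwards: the plaintext CSV is exactly what the vault exists to avoid leaving around.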

Peter_H has done an excellent reply, which should be kept as a guide in my view. It is great.

All I’ll add is the order which I did things in, which you might want to consider. My passwords were weak and re-used, though only one login is on the list of exposed logins.

  1. email passwords - these are the most important as they are often used to reset other accounts. I switched a Google one to Advanced Protection as part of this, as extra protection

  2. financial account passwords - these can be frustrating, as banks are useless at information security. One of my banks is for the chop eventually, as they only allow up to 15 characters for the password. I’m not one for excessively long passwords, but that is a bit too short for a financial site.

  3. after doing those, as a priority, I would follow Peter_H’s advice, or some other system of prioritisation if you prefer.

This will take time; it took me several weeks until I had slowly worked through all of mine. The good news is that you should only have to do this once. If you decide to move password manager (I think Bitwarden is the best, but accept that not everyone thinks this, each to their own) then the passwords can be exported and imported into another one.