Migrating to a password manager and deleting unused accounts - in numbers

As a web developer, I tend to have many more accounts on many more websites and systems than the average web user. If somebody were to gain access to these illegitimately, they could easily cause a lot of problems.

To prevent this troubling scenario, I decided it was time to take another look at my account security, as with my passwords being largely geared around how easy they were to remember, things simply weren’t as secure as they should be.

After doing my research and asking around, I decided a password manager was likely the best way to increase my account security. With this workflow, I only needed to remember one master password to access the system itself, and could then comfortably use highly secure, generated passwords for each individual account. I’m not going to say which password manager I decided on, as this isn’t a sponsored content post, but any research of your own will likely lead you to the same conclusion about which one password manager is the best.

Up until this point, any saved passwords were stored in Chrome’s own native password manager, and I tried my best to commit the rest to memory. It had been this way since I first switched from Firefox around 2010, when Chrome provided a faster and less system-intensive experience. Oh, the irony in 2019.

Chrome uses a lot of ram

Paying little to no attention to this workflow meant I had literally hundreds of passwords in play. Many of these I theorised were either related to businesses I was no longer a part of, or for systems which no longer existed.

I decided to perform a password audit to determine what should be migrated to the password manager, and what could be safely discarded. This meant going through my Chrome passwords one by one from 2010 onwards, then searching my email accounts even further back for websites I had registered for in years past.

Here’s what I found:-

Live accounts vs dead accounts

Pie chart live accounts vs dead

Out of the 441 accounts which I was aware of, more than 50% of them (225) belonged to either systems from previous employment which I no longer had access to or systems which no longer existed at all.

The remaining 48% (216) either belonged to accounts which I still use on a regular basis, or zombie accounts from days gone by which I hadn’t used in years. In use or not, these were still live accounts which I could log into.

Here’s a few interesting tidbits I thought were worth sharing:-

  • Oldest registered account: 2002 (nearly 18 years ago).
  • Number of bitcoin-related accounts: 5 (I went through a phase).
  • Number of accounts for the same service: 3 (burner accounts to take advantage of promotions).
  • Domain registrar accounts which held no active domains: 2 (raise your hand if you’ve registered a domain for a side project which never came to fruition 🤚).
  • Dating website accounts: 6 (dark times).

Password security

At this point, the passwords for the 216 active accounts were still unchanged - and insecure. After migrating them to my password manager, the software alerted me to some valuable data points:-

Pie chart weak passwords vs identical passwords vs pwned passwords

To put it bluntly, my passwords sucked. 79 passwords were completely identical and 125 were considered weak because they were pattern based (eg: argos?luke666, amazon?luke666 and so on), so if one is stolen, it doesn’t take a genius to figure out the rest.

Most interestingly, 12 passwords were considered ‘pwned’. This means they’re flagged on haveibeenpwned.com as having appeared in at least one data breach, and so could be used as part of a brute force attack by a hacker looking to access one of my accounts.

Password seen 1,660 times before

(Source: haveibeenpwned.com/Passwords)
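The three checks the password manager ran above (identical, pattern-based, pwned) can be reproduced locally. The following is an added example, not code from the post or from any password manager; it assumes the Pwned Passwords range API format (a 5-character SHA-1 prefix is sent, and the response lists `SUFFIX:COUNT` lines), and the range response and account list below are constructed sample data rather than live lookups.

```python
import hashlib
import re
from collections import Counter

def hibp_range_request(password: str) -> tuple[str, str]:
    """Uppercase SHA-1 of the password, split into the 5-char prefix that is
    sent to the Pwned Passwords range endpoint and the 35-char suffix that
    never leaves the machine (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def pwned_count(password: str, range_body: str) -> int:
    """Parse a range response (one 'SUFFIX:COUNT' per line) and return the
    breach count for the password, or 0 when its suffix is not listed."""
    _, suffix = hibp_range_request(password)
    for line in range_body.splitlines():
        sfx, _, count = line.strip().partition(":")
        if sfx.upper() == suffix:
            return int(count)
    return 0

def audit(accounts: dict[str, str], range_bodies: dict[str, str]) -> dict[str, list[str]]:
    """accounts maps site -> password; range_bodies maps SHA-1 prefix ->
    range response text (in a live run each would be fetched from
    https://api.pwnedpasswords.com/range/<prefix>, one request per prefix)."""
    counts = Counter(accounts.values())
    identical = [s for s, p in accounts.items() if counts[p] > 1]
    # Pattern-based: password is the site name followed by a stem that is
    # reused, with a different site name, on at least one other account.
    stem_of = {}
    for site, pw in accounts.items():
        m = re.fullmatch(re.escape(site) + r"(\W.*)", pw, re.IGNORECASE)
        if m:
            stem_of[site] = m.group(1).lower()
    stems = Counter(stem_of.values())
    weak = [s for s, stem in stem_of.items() if stems[stem] > 1]
    pwned = [s for s, p in accounts.items()
             if pwned_count(p, range_bodies.get(hibp_range_request(p)[0], "")) > 0]
    return {"identical": identical, "weak": weak, "pwned": pwned}

# Constructed sample data: site -> password, in the post's "site?stem" style.
SAMPLE_ACCOUNTS = {
    "argos": "argos?luke666", "amazon": "amazon?luke666",
    "ebay": "hunter2", "forum": "hunter2",
    "gaming": "password", "bank": "correct horse battery staple",
}
# Constructed stand-in for one range response (a real one has ~800 lines); 1660 mirrors the post's figure.
_PFX, _SFX = hibp_range_request("password")
SAMPLE_RANGE = {_PFX: "0018A45C4D1DEF81644B54AB7F969B88D65:3\n" + _SFX + ":1660\n"}
```

Running `audit(SAMPLE_ACCOUNTS, SAMPLE_RANGE)` flags ebay/forum as identical, argos/amazon as pattern-based and gaming as pwned; only the 5-character prefix would ever be sent over the network.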

With a little more digging, I discovered that altogether, accounts using my email addresses had been involved in 21 (!!!) different data breaches. Scary stuff.

Deleting unused accounts

Now that I had finished improving the strength of my passwords, I calculated how many of these live accounts I actually used on a regular basis.

Pie chart required vs unrequired accounts

Out of the 216 passwords I had migrated over to my password manager, nearly ⅓ (67) of those were for services and/or websites I no longer used or visited. Examples include:-

  • Plugins providing functionality for websites (Which today I’d just build myself)
  • Shopping websites where I’d made the odd purchase
  • Dating websites (I’m now married)
  • Forum accounts for gaming websites (This was a fun hobby back in 2005 🤷‍♂️)

This prompted me to ask a question:-

"Why should these businesses store my personal information for accounts I don’t even use?"

The answer was “Well, they shouldn’t”.

So my next task was to close as many of these down as I could.

And with these words, so began the great account purge of 2019!

Execute order 66!

To make this process manageable, I created a spreadsheet to track the following data points:-

  • The current state of deletion for each unwanted account. Possible states include:-
    • Received no response to my request
    • Deletion in progress
    • Deleted
    • Business refuses to delete
  • The methods available for me to delete my account. The different methods include:-
    • Deleted via the website itself
    • Request submitted via a livechat request
    • Request submitted via an email / support ticket
    • Phone call

Here is an extract from the spreadsheet:-

Password spreadsheet extract

And here’s the full breakdown of results:-

Unused account deletion method

Website (26)

First off, the good news. Nearly half (26) of all the accounts I deleted were closed through the website itself (account settings / control panel etc.) without having to talk to anyone. This is always my preferred option as it’s the fastest and most convenient.

However, the bad news was that most of these 26 websites were for web dev related tools and services, rather than big corporations. Therefore, I don’t believe this to be any kind of true reflection on the ease of account deletion in 2019. Sorry!

Livechat (9)

Where available, if the website itself didn’t provide the means to delete my account, my next step was to use the website’s livechat functionality.

Whilst this is a relatively quick and convenient way to delete my account, in 2 instances I noticed that I wasn’t asked for any verification beyond the account email address before the deletion was actioned. If I weren’t so law-abiding, I could have caused a bit of trouble by taking advantage of this lack of security protocol.

Email (19)

Websites beyond the web dev tooling industry typically required me to submit my account deletion requests via email - usually through a contact form, but sometimes by emailing a privacy@ email address. This was the most frustrating way of deleting accounts, as you aren’t guaranteed a quick response to your request. Sometimes businesses reply within the hour (yay), or not at all (boo).

Phone call (4)

4 of the websites I visited during this exercise didn’t have the proper infrastructure in place to handle account deletions over live chat, so I was asked by the agent to call their customer help line instead.

Typically, this involved calling a premium number, being redirected across departments and listening to a lot of elevator music and marketing spiel. Not ideal.

No response (7)

At the time of writing, it’s been 17 days since the last email requests for account deletion were sent out. As of today, there’s been 7 businesses which haven’t acknowledged my request in any way, shape or form. Bad, isn’t it?

Refused (2)

Strangely enough, I encountered 2 businesses which just outright refused to delete my data, for various reasons. One cited gambling laws as the reason for the refusal, whilst one US 🇺🇸🦅 based e-commerce business just cited “auditing” reasons.

Key takeaways

  • Auditing my passwords has been an interesting experience as it’s revealed just how many services, tools and businesses I’ve registered with over the years.
  • In reality, closing these accounts isn’t going to have much of a tangible effect on anything - certainly not on the amount of spam I receive. My email address is still going to be in the top secret spam database, which I’m going to presume is hidden beneath an active volcano somewhere.
  • That doesn’t mean it wasn’t a worthwhile exercise, as I like the idea of my details being in as few databases as possible - regardless if they’re being actively used or not.
  • Migrating to a password manager has provided much needed improvements to my account security workflow. From here on out, I’m always going to have a global view of the businesses I have an account with, which gives me a much better idea of where and how my data is being used.
  • Improving the strength of my passwords was also a worthwhile exercise, as I’m now much less likely to get hacked. I’d recommend you spend a day going through each of your accounts and updating the password to something long, complex and unique. This may lead to lots and lots of password reset emails in your inbox, but it’s far preferable to being ‘pwned’ 🤷‍♂️.
