How do I reset passwords on multiple websites easily? The Next CEO of Stack OverflowAPI to change passwords?Sending password reset links in emailWhich is more secure for a reset password feature - security questions or reset link in email?How does Password reset key work ?Why are one time password reset links safer than one time passwords?Password reset mail - reset password againHow to reset account passwords after falling victim to password reuse?Reset Password Link input parameters - where do place?self reset password with MFAIs it helpful to slow down password reset functionHow to reset passwords without emailed reset link?

Would this house-rule that treats advantage as a +1 to the roll instead (and disadvantage as -1) and allows them to stack be balanced?

How did people program for Consoles with multiple CPUs?

Several mode to write the symbol of a vector

What happened in Rome, when the western empire "fell"?

Why does the UK parliament need a vote on the political declaration?

Rotate a column

Written every which way

Sending manuscript to multiple publishers

What does convergence in distribution "in the Gromov–Hausdorff" sense mean?

If a black hole is created from light, can this black hole then move at speed of light?

In excess I'm lethal

Contours of a clandestine nature

Why do airplanes bank sharply to the right after air-to-air refueling?

Help understanding this unsettling image of Titan, Epimetheus, and Saturn's rings?

How do I reset passwords on multiple websites easily?

Can I run my washing machine drain line into a condensate pump so it drains better?

Inappropriate reference requests from Journal reviewers

How to safely derail a train during transit?

Are there any limitations on attacking while grappling?

Is micro rebar a better way to reinforce concrete than rebar?

How do we know the LHC results are robust?

What flight has the highest ratio of time difference to flight time?

Is it possible to search for a directory/file combination?

Interfacing a button to MCU (and PC) with 50m long cable



How do I reset passwords on multiple websites easily?



The Next CEO of Stack OverflowAPI to change passwords?Sending password reset links in emailWhich is more secure for a reset password feature - security questions or reset link in email?How does Password reset key work ?Why are one time password reset links safer than one time passwords?Password reset mail - reset password againHow to reset account passwords after falling victim to password reuse?Reset Password Link input parameters - where do place?self reset password with MFAIs it helpful to slow down password reset functionHow to reset passwords without emailed reset link?










33















One of my old email addresses was involved in the recent Whitepages breach disclosure (source: Have I Been Pwned).



I don't remember on which websites I used that email address for registration, but I would like to reset my password everywhere possible. Websites could include: Facebook, Google, Amazon, eBay, Paypal, etc. - basically the top N commonly-used or sensitive web applications/platforms.



This is particularly important as I was not using a password manager at the time and may have reused passwords.



Is there an existing way to automate initiating password resets, mainly by requesting password reset emails, on common platforms given a single email address that I have access to?










share|improve this question



















  • 9





    I don't see how that could work so easily as all that. You have way, way more passwords than you think. I thought I had "maybe 20" until I made a spreadsheet and came to discover I had 130. And I'm not a "signer-up" and actively try to keep that number down. Further to that, I don't agree with your idea of "top sites", you forgot Amazon, eBay and Paypal, see how it is? There are so many sites.

    – Harper
    2 days ago







  • 1





    @Harper Indeed, the number of registered sites is likely to be much bigger than anticipated. Even if not on all, my concern is how to automate password resets on at least the top N popular or critical websites. And yes, Amazon and eBay would/should be included in those - I don't claim to have that list ready or that it contains only the 5 entries I mentioned in the question (hence the "etc.")

    – Islay
    2 days ago






  • 1





    Related: API to change passwords?, and cross-site duplicate: What's an efficient way to change my 200+ account passwords?

    – Fabio Turati
    yesterday












  • Automating them would only be worthwhile if you changed them regularly. You would get more security for less effort by changing them once and (continuing) using a password manager.

    – Spenser Truex
    26 mins ago
















33















One of my old email addresses was involved in the recent Whitepages breach disclosure (source: Have I Been Pwned).



I don't remember on which websites I used that email address for registration, but I would like to reset my password everywhere possible. Websites could include: Facebook, Google, Amazon, eBay, Paypal, etc. - basically the top N commonly-used or sensitive web applications/platforms.



This is particularly important as I was not using a password manager at the time and may have reused passwords.



Is there an existing way to automate initiating password resets, mainly by requesting password reset emails, on common platforms given a single email address that I have access to?










share|improve this question



















  • 9





    I don't see how that could work so easily as all that. You have way, way more passwords than you think. I thought I had "maybe 20" until I made a spreadsheet and came to discover I had 130. And I'm not a "signer-up" and actively try to keep that number down. Further to that, I don't agree with your idea of "top sites", you forgot Amazon, eBay and Paypal, see how it is? There are so many sites.

    – Harper
    2 days ago







  • 1





    @Harper Indeed, the number of registered sites is likely to be much bigger than anticipated. Even if not on all, my concern is how to automate password resets on at least the top N popular or critical websites. And yes, Amazon and eBay would/should be included in those - I don't claim to have that list ready or that it contains only the 5 entries I mentioned in the question (hence the "etc.")

    – Islay
    2 days ago






  • 1





    Related: API to change passwords?, and cross-site duplicate: What's an efficient way to change my 200+ account passwords?

    – Fabio Turati
    yesterday












  • Automating them would only be worthwhile if you changed them regularly. You would get more security for less effort by changing them once and (continuing) using a password manager.

    – Spenser Truex
    26 mins ago














33












33








33


8






One of my old email addresses was involved in the recent Whitepages breach disclosure (source: Have I Been Pwned).



I don't remember on which websites I used that email address for registration, but I would like to reset my password everywhere possible. Websites could include: Facebook, Google, Amazon, eBay, Paypal, etc. - basically the top N commonly-used or sensitive web applications/platforms.



This is particularly important as I was not using a password manager at the time and may have reused passwords.



Is there an existing way to automate initiating password resets, mainly by requesting password reset emails, on common platforms given a single email address that I have access to?










share|improve this question
















One of my old email addresses was involved in the recent Whitepages breach disclosure (source: Have I Been Pwned).



I don't remember on which websites I used that email address for registration, but I would like to reset my password everywhere possible. Websites could include: Facebook, Google, Amazon, eBay, Paypal, etc. - basically the top N commonly-used or sensitive web applications/platforms.



This is particularly important as I was not using a password manager at the time and may have reused passwords.



Is there an existing way to automate initiating password resets, mainly by requesting password reset emails, on common platforms given a single email address that I have access to?







password-reset have-i-been-pwned






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 43 mins ago









Peter Mortensen

70449




70449










asked 2 days ago









IslayIslay

29637




29637







  • 9





    I don't see how that could work so easily as all that. You have way, way more passwords than you think. I thought I had "maybe 20" until I made a spreadsheet and came to discover I had 130. And I'm not a "signer-up" and actively try to keep that number down. Further to that, I don't agree with your idea of "top sites", you forgot Amazon, eBay and Paypal, see how it is? There are so many sites.

    – Harper
    2 days ago







  • 1





    @Harper Indeed, the number of registered sites is likely to be much bigger than anticipated. Even if not on all, my concern is how to automate password resets on at least the top N popular or critical websites. And yes, Amazon and eBay would/should be included in those - I don't claim to have that list ready or that it contains only the 5 entries I mentioned in the question (hence the "etc.")

    – Islay
    2 days ago






  • 1





    Related: API to change passwords?, and cross-site duplicate: What's an efficient way to change my 200+ account passwords?

    – Fabio Turati
    yesterday












  • Automating them would only be worthwhile if you changed them regularly. You would get more security for less effort by changing them once and (continuing) using a password manager.

    – Spenser Truex
    26 mins ago













  • 9





    I don't see how that could work so easily as all that. You have way, way more passwords than you think. I thought I had "maybe 20" until I made a spreadsheet and came to discover I had 130. And I'm not a "signer-up" and actively try to keep that number down. Further to that, I don't agree with your idea of "top sites", you forgot Amazon, eBay and Paypal, see how it is? There are so many sites.

    – Harper
    2 days ago







  • 1





    @Harper Indeed, the number of registered sites is likely to be much bigger than anticipated. Even if not on all, my concern is how to automate password resets on at least the top N popular or critical websites. And yes, Amazon and eBay would/should be included in those - I don't claim to have that list ready or that it contains only the 5 entries I mentioned in the question (hence the "etc.")

    – Islay
    2 days ago






  • 1





    Related: API to change passwords?, and cross-site duplicate: What's an efficient way to change my 200+ account passwords?

    – Fabio Turati
    yesterday












  • Automating them would only be worthwhile if you changed them regularly. You would get more security for less effort by changing them once and (continuing) using a password manager.

    – Spenser Truex
    26 mins ago








9




9





I don't see how that could work so easily as all that. You have way, way more passwords than you think. I thought I had "maybe 20" until I made a spreadsheet and came to discover I had 130. And I'm not a "signer-up" and actively try to keep that number down. Further to that, I don't agree with your idea of "top sites", you forgot Amazon, eBay and Paypal, see how it is? There are so many sites.

– Harper
2 days ago






I don't see how that could work so easily as all that. You have way, way more passwords than you think. I thought I had "maybe 20" until I made a spreadsheet and came to discover I had 130. And I'm not a "signer-up" and actively try to keep that number down. Further to that, I don't agree with your idea of "top sites", you forgot Amazon, eBay and Paypal, see how it is? There are so many sites.

– Harper
2 days ago





1




1





@Harper Indeed, the number of registered sites is likely to be much bigger than anticipated. Even if not on all, my concern is how to automate password resets on at least the top N popular or critical websites. And yes, Amazon and eBay would/should be included in those - I don't claim to have that list ready or that it contains only the 5 entries I mentioned in the question (hence the "etc.")

– Islay
2 days ago





@Harper Indeed, the number of registered sites is likely to be much bigger than anticipated. Even if not on all, my concern is how to automate password resets on at least the top N popular or critical websites. And yes, Amazon and eBay would/should be included in those - I don't claim to have that list ready or that it contains only the 5 entries I mentioned in the question (hence the "etc.")

– Islay
2 days ago




1




1





Related: API to change passwords?, and cross-site duplicate: What's an efficient way to change my 200+ account passwords?

– Fabio Turati
yesterday






Related: API to change passwords?, and cross-site duplicate: What's an efficient way to change my 200+ account passwords?

– Fabio Turati
yesterday














Automating them would only be worthwhile if you changed them regularly. You would get more security for less effort by changing them once and (continuing) using a password manager.

– Spenser Truex
26 mins ago






Automating them would only be worthwhile if you changed them regularly. You would get more security for less effort by changing them once and (continuing) using a password manager.

– Spenser Truex
26 mins ago











6 Answers
6






active

oldest

votes


















34














No, not really - they all have different processes for verifying your identity for password reset requests, and there isn't any standard for bulk password resets. For example, Apple may use a device which is registered to the account as a confirmation that it's you sending the request, while Facebook uses different schemes depending on whether you're changing your password from a device where you've previously logged in, or from a completely unrelated one.



Easiest way is probably to go through common websites (e.g. work through a list like https://en.wikipedia.org/wiki/List_of_most_popular_websites, ignoring any which you are sure don't apply) providing the email address you want to reset, and watching for reset emails. It's not perfect, but if you're changing the ones you know are sensitive (e.g. ones which have credit card details associated, or email accounts, or government systems), that's ok - you know that those accounts will have unique passwords, even if an attacker may be able to log into your abandoned MySpace (or other defunct social network) account with an old password.






share|improve this answer


















  • 7





    I'd add to this that while you're in the process of doing this, I would invest a bit more time into adding these sites to a password manager (e.g. LastPass, 1Password, KeePass, Bitwarden, ...). This allows you to keep track of the accounts you have, allows you to use unique passwords for each site (which will prevent a password leaked on site A being used to login on site B) and some even monitor your account's appearance in the HIBP database).

    – BlueCacti
    yesterday











  • @BlueCacti: Definitely. That's my current setup since the past few years already.

    – Islay
    yesterday











  • And this is one more reason why using a password manager is good practice. You "change" the password on those sites by letting the manager give them a unique password in the first place. Then, the breach comes (and it will come; it comes for all of us eventually) and most of the work is already done. You only need to change the failed site, because the others already used a unique password. Even better, close the account at the site that failed if you can.

    – Joel Coehoorn
    14 hours ago



















44














This is a known problem without an existing solution. Some password management tools are working on it, but it is not complete or fool-proof.



For example: https://helpdesk.lastpass.com/generating-a-password/




Auto-Password Change will change a site’s password with a
single-click. This feature currently supports 75 of the most popular
websites. You can see the full list of supported websites below.




In general, though, when you use a password manager for all your accounts, 90% of the work you need to do is already done. You know which sites use that username/email, and you can avoid re-using passwords in the first place (or know which accounts use a shared password).






share|improve this answer


















  • 3





    @emory I'm not sure that is true. An authenticated process would not expose a DoS threat to the process.

    – schroeder
    2 days ago






  • 2





    As I understand it, OP wants to send a message to a bunch of sites - facebook, google, spotify, netflex, etc - saying "hey, I am pretty sure I have an account with you guys and my username is op@somedomain.com. This account has been compromised. Please lock me out." Why couldn't I do the same with all the email addresses that I know @schroeder to use?

    – emory
    2 days ago






  • 7





    @emory .... because that would be silly. And no one is talking about that. And that has nothing to do with anything I said or what the OP said.

    – schroeder
    2 days ago






  • 2





    @emory I still have access to the old email account, so schroeder's idea of an authenticated process to trigger the requests seems to mitigate the issue IMO.

    – Islay
    2 days ago






  • 1





    I wonder if anyone attempted to use AI to solve this problem: teach a program how reset processes look like, where to find them looking at a webpage and how to submit the username/email to reset. If we are lucky this might work for a majority of websites and not an hardcoded list of less than 100.

    – Bakuriu
    yesterday


















5














One tip to help you out on your journey is that multiple sites have recently implemented the "well-known password change URL". This is something you can plug in to any (supporting) website that redirects to the page that lets you change your password.



Take the homepage of the site, and add /.well-known/change-password to the end. Examples:



accounts.google.com/.well-known/change-password
-> https://myaccount.google.com/signinoptions/password

github.com/.well-known/change-password
-> https://github.com/settings/admin

twitter.com/.well-known/change-password
-> https://twitter.com/settings/password

meta.discourse.org/.well-known/change-password
-> https://meta.discourse.org/my/preferences/account





share|improve this answer























  • I had never heard of those. Is it trying to append itself to this list?

    – Michael
    2 hours ago


















4














One alternative solution to identify sites that you used your email address on is to look into your browser's saved passwords.



This will allow you to see every site you have saved passwords for in your browser which might help you identify ones that need to be changed.



Obviously, this only works if you use the browser's "save password" feature.






share|improve this answer










New contributor




Jacob is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.















  • 2





    So, in other words, look in your password manager. And sometimes, your password manager is your browser.

    – schroeder
    2 days ago






  • 6





    True, although I think most people would not consider their browser a true "password manager". This is just another suggestion that could be easy to overlook for others who are trying to find websites they forgot they registered on

    – Jacob
    2 days ago






  • 1





    I would say "almost allways, your browser is your password manager."

    – ThoriumBR
    2 days ago


















2














It's a hard problem because the top list of websites is so personal... And what you have to lose is in no way proportional to the site's popularity on any index of popular sites.



And only you know where you might have accounts.



For instance, I consider gaming sites to be more critical than banking sites. Because there are much fewer controls and less legal peril involved in hacking MMO gaming accounts, so they are the darlings of crackers. On the other hand, if you're done with Maplestory, you may not care.



But you certainly don't need to care about your Eve Online account if you definitely never played it. Only you know this sort of thing.



If you think you might have used a site in the past, why not just try your old credential?



Why not just spam every website with password reset requests?



They're not going to cooperate with large scale automated requests of this type.



First, the website acknowledging whether an email has an account, would empower spear phishing. Scammer gets a billion emails (easy enough), they start banging the website's password reset to learn "does this email have an account here, or not?" Now they have a list of 1 million emails that do. Now they start spear-phishing those known account holders. Put them on a daily newsletter where unsubscribe requires a login, that kind of thing. This is a "many email addresses against a single site" attack. The site's best defense is to add friction to the password reset process, e.g. a CAPTCHA, or simply design the password-reset process so it tells the inquirer nothing about whether an account exists. This is even more important for sites like Ashley Madison or Furries where having an account there could be embarrassing.



Second, if a cracker managed to gain control of an email, they could simply do exactly what you're trying to do - ascertain which websites this email has an account on. With a full dossier, they can then attack those sites or simply sell the credentials for more than they could otherwise. This is a "single email vs many sites" attack. In this case, the site needs to control one-off access to the password reset function - something like a CAPTCHA is called for. And 2-factor authentication - but again, this 2FA must not disclose to the casual inquirer whether an account here exists.



Because of this, I don't see a probability of anyone writing an app to do this. The writer would find herself in a hacking "arms race" with many companies trying to stop her automation from working.






share|improve this answer























  • Lol...You made me google Furries and Ashley Madison...

    – Aganju
    2 days ago












  • The spear phishing/email enumeration isn't an issue if the mass password reset process itself requires email verification. However, good point re if a cracker managed to gain control of an email.... But then, in the case of a determined attacker, whether the manual nature of the process is enough of a deterrent - compared to the convenience afforded by its automation to genuine users - is debatable.

    – Islay
    yesterday



















-1














You can absolutely reset passwords automatically if your password manager supports it (I use LastPass) -- even retroactively. You don't have to have created the site using LastPass in order for it to be able to reset your passwords for you. You simply have to load the credentials into it and ask it to perform the password reset function.



In LastPass, simply allow LastPass to remember your credentials for the site (typically by logging in), and then on the Edit Site window of your vault, simply select Auto Change Password below the password field.






share|improve this answer








New contributor




bvoyelr is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • One may not have the old password(s) anymore to load into LastPass.

    – Islay
    2 days ago











  • Lastpasses feature also only works on some of the biggest sites, and even then not reliably. (facebook, battle.net....)

    – Lichtbringer
    2 days ago











  • This is all covered in another answer (along with the weaknesses)

    – schroeder
    yesterday











  • Do not use proprietary, nonfree, closed-source password managers.

    – Spenser Truex
    22 mins ago











Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206218%2fhow-do-i-reset-passwords-on-multiple-websites-easily%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























6 Answers
6






active

oldest

votes








6 Answers
6






active

oldest

votes









active

oldest

votes






active

oldest

votes









34














No, not really - they all have different processes for verifying your identity for password reset requests, and there isn't any standard for bulk password resets. For example, Apple may use a device which is registered to the account as a confirmation that it's you sending the request, while Facebook uses different schemes depending on whether you're changing your password from a device where you've previously logged in, or from a completely unrelated one.



Easiest way is probably to go through common websites (e.g. work through a list like https://en.wikipedia.org/wiki/List_of_most_popular_websites, ignoring any which you are sure don't apply) providing the email address you want to reset, and watching for reset emails. It's not perfect, but if you're changing the ones you know are sensitive (e.g. ones which have credit card details associated, or email accounts, or government systems), that's ok - you know that those accounts will have unique passwords, even if an attacker may be able to log into your abandoned MySpace (or other defunct social network) account with an old password.






share|improve this answer


















  • 7





    I'd add to this that while you're in the process of doing this, I would invest a bit more time into adding these sites to a password manager (e.g. LastPass, 1Password, KeePass, Bitwarden, ...). This allows you to keep track of the accounts you have, allows you to use unique passwords for each site (which will prevent a password leaked on site A being used to login on site B) and some even monitor your account's appearance in the HIBP database).

    – BlueCacti
    yesterday











  • @BlueCacti: Definitely. That's my current setup since the past few years already.

    – Islay
    yesterday











  • And this is one more reason why using a password manager is good practice. You "change" the password on those sites by letting the manager give them a unique password in the first place. Then, the breach comes (and it will come; it comes for all of us eventually) and most of the work is already done. You only need to change the failed site, because the others already used a unique password. Even better, close the account at the site that failed if you can.

    – Joel Coehoorn
    14 hours ago
















34














No, not really - they all have different processes for verifying your identity for password reset requests, and there isn't any standard for bulk password resets. For example, Apple may use a device which is registered to the account as a confirmation that it's you sending the request, while Facebook uses different schemes depending on whether you're changing your password from a device where you've previously logged in, or from a completely unrelated one.



Easiest way is probably to go through common websites (e.g. work through a list like https://en.wikipedia.org/wiki/List_of_most_popular_websites, ignoring any which you are sure don't apply) providing the email address you want to reset, and watching for reset emails. It's not perfect, but if you're changing the ones you know are sensitive (e.g. ones which have credit card details associated, or email accounts, or government systems), that's ok - you know that those accounts will have unique passwords, even if an attacker may be able to log into your abandoned MySpace (or other defunct social network) account with an old password.






share|improve this answer


















  • 7





    I'd add to this that while you're in the process of doing this, I would invest a bit more time into adding these sites to a password manager (e.g. LastPass, 1Password, KeePass, Bitwarden, ...). This allows you to keep track of the accounts you have, allows you to use unique passwords for each site (which will prevent a password leaked on site A being used to login on site B) and some even monitor your account's appearance in the HIBP database).

    – BlueCacti
    yesterday











  • @BlueCacti: Definitely. That's my current setup since the past few years already.

    – Islay
    yesterday











  • And this is one more reason why using a password manager is good practice. You "change" the password on those sites by letting the manager give them a unique password in the first place. Then, the breach comes (and it will come; it comes for all of us eventually) and most of the work is already done. You only need to change the failed site, because the others already used a unique password. Even better, close the account at the site that failed if you can.

    – Joel Coehoorn
    14 hours ago














34












34








34







No, not really - they all have different processes for verifying your identity for password reset requests, and there isn't any standard for bulk password resets. For example, Apple may use a device which is registered to the account as a confirmation that it's you sending the request, while Facebook uses different schemes depending on whether you're changing your password from a device where you've previously logged in, or from a completely unrelated one.



Easiest way is probably to go through common websites (e.g. work through a list like https://en.wikipedia.org/wiki/List_of_most_popular_websites, ignoring any which you are sure don't apply) providing the email address you want to reset, and watching for reset emails. It's not perfect, but if you're changing the ones you know are sensitive (e.g. ones which have credit card details associated, or email accounts, or government systems), that's ok - you know that those accounts will have unique passwords, even if an attacker may be able to log into your abandoned MySpace (or other defunct social network) account with an old password.






share|improve this answer













No, not really - they all have different processes for verifying your identity for password reset requests, and there isn't any standard for bulk password resets. For example, Apple may use a device which is registered to the account as a confirmation that it's you sending the request, while Facebook uses different schemes depending on whether you're changing your password from a device where you've previously logged in, or from a completely unrelated one.



Easiest way is probably to go through common websites (e.g. work through a list like https://en.wikipedia.org/wiki/List_of_most_popular_websites, ignoring any which you are sure don't apply) providing the email address you want to reset, and watching for reset emails. It's not perfect, but if you're changing the ones you know are sensitive (e.g. ones which have credit card details associated, or email accounts, or government systems), that's ok - you know that those accounts will have unique passwords, even if an attacker may be able to log into your abandoned MySpace (or other defunct social network) account with an old password.







share|improve this answer












share|improve this answer



share|improve this answer










answered 2 days ago









MatthewMatthew

25k78091




25k78091







  • 7





    I'd add to this that while you're in the process of doing this, I would invest a bit more time into adding these sites to a password manager (e.g. LastPass, 1Password, KeePass, Bitwarden, ...). This allows you to keep track of the accounts you have, allows you to use unique passwords for each site (which will prevent a password leaked on site A being used to login on site B) and some even monitor your account's appearance in the HIBP database).

    – BlueCacti
    yesterday











  • @BlueCacti: Definitely. That's my current setup since the past few years already.

    – Islay
    yesterday











  • And this is one more reason why using a password manager is good practice. You "change" the password on those sites by letting the manager give them a unique password in the first place. Then, the breach comes (and it will come; it comes for all of us eventually) and most of the work is already done. You only need to change the failed site, because the others already used a unique password. Even better, close the account at the site that failed if you can.

    – Joel Coehoorn
    14 hours ago













  • 7





    I'd add to this that while you're in the process of doing this, I would invest a bit more time into adding these sites to a password manager (e.g. LastPass, 1Password, KeePass, Bitwarden, ...). This allows you to keep track of the accounts you have, allows you to use unique passwords for each site (which will prevent a password leaked on site A being used to login on site B) and some even monitor your account's appearance in the HIBP database).

    – BlueCacti
    yesterday











  • @BlueCacti: Definitely. That's my current setup since the past few years already.

    – Islay
    yesterday











  • And this is one more reason why using a password manager is good practice. You "change" the password on those sites by letting the manager give them a unique password in the first place. Then, the breach comes (and it will come; it comes for all of us eventually) and most of the work is already done. You only need to change the failed site, because the others already used a unique password. Even better, close the account at the site that failed if you can.

    – Joel Coehoorn
    14 hours ago








7




7





I'd add to this that while you're in the process of doing this, I would invest a bit more time into adding these sites to a password manager (e.g. LastPass, 1Password, KeePass, Bitwarden, ...). This allows you to keep track of the accounts you have, allows you to use unique passwords for each site (which will prevent a password leaked on site A being used to login on site B) and some even monitor your account's appearance in the HIBP database).

– BlueCacti
yesterday





I'd add to this that while you're in the process of doing this, I would invest a bit more time into adding these sites to a password manager (e.g. LastPass, 1Password, KeePass, Bitwarden, ...). This allows you to keep track of the accounts you have, allows you to use unique passwords for each site (which will prevent a password leaked on site A being used to login on site B) and some even monitor your account's appearance in the HIBP database).

– BlueCacti
yesterday













@BlueCacti: Definitely. That's my current setup since the past few years already.

– Islay
yesterday





@BlueCacti: Definitely. That's my current setup since the past few years already.

– Islay
yesterday













And this is one more reason why using a password manager is good practice. You "change" the password on those sites by letting the manager give them a unique password in the first place. Then, the breach comes (and it will come; it comes for all of us eventually) and most of the work is already done. You only need to change the failed site, because the others already used a unique password. Even better, close the account at the site that failed if you can.

– Joel Coehoorn
14 hours ago






And this is one more reason why using a password manager is good practice. You "change" the password on those sites by letting the manager give them a unique password in the first place. Then, the breach comes (and it will come; it comes for all of us eventually) and most of the work is already done. You only need to change the failed site, because the others already used a unique password. Even better, close the account at the site that failed if you can.

– Joel Coehoorn
14 hours ago














44














This is a known problem without an existing solution. Some password management tools are working on it, but it is not complete or fool-proof.



For example: https://helpdesk.lastpass.com/generating-a-password/




Auto-Password Change will change a site’s password with a
single-click. This feature currently supports 75 of the most popular
websites. You can see the full list of supported websites below.




In general, though, when you use a password manager for all your accounts, 90% of the work you need to do is already done. You know which sites use that username/email, and you can avoid re-using passwords in the first place (or know which accounts use a shared password).






share|improve this answer


















  • 3





    @emory I'm not sure that is true. An authenticated process would not expose a DoS threat to the process.

    – schroeder
    2 days ago






  • 2





    As I understand it, OP wants to send a message to a bunch of sites - facebook, google, spotify, netflex, etc - saying "hey, I am pretty sure I have an account with you guys and my username is op@somedomain.com. This account has been compromised. Please lock me out." Why couldn't I do the same with all the email addresses that I know @schroeder to use?

    – emory
    2 days ago






  • 7





    @emory .... because that would be silly. And no one is talking about that. And that has nothing to do with anything I said or what the OP said.

    – schroeder
    2 days ago






  • 2





    @emory I still have access to the old email account, so schroeder's idea of an authenticated process to trigger the requests seems to mitigate the issue IMO.

    – Islay
    2 days ago






  • 1





    I wonder if anyone attempted to use AI to solve this problem: teach a program how reset processes look like, where to find them looking at a webpage and how to submit the username/email to reset. If we are lucky this might work for a majority of websites and not an hardcoded list of less than 100.

    – Bakuriu
    yesterday















44














This is a known problem without an existing solution. Some password management tools are working on it, but it is not complete or fool-proof.



For example: https://helpdesk.lastpass.com/generating-a-password/




Auto-Password Change will change a site’s password with a
single-click. This feature currently supports 75 of the most popular
websites. You can see the full list of supported websites below.




In general, though, when you use a password manager for all your accounts, 90% of the work you need to do is already done. You know which sites use that username/email, and you can avoid re-using passwords in the first place (or know which accounts use a shared password).






share|improve this answer


















  • 3





    @emory I'm not sure that is true. An authenticated process would not expose a DoS threat to the process.

    – schroeder
    2 days ago






  • 2





    As I understand it, OP wants to send a message to a bunch of sites - facebook, google, spotify, netflex, etc - saying "hey, I am pretty sure I have an account with you guys and my username is op@somedomain.com. This account has been compromised. Please lock me out." Why couldn't I do the same with all the email addresses that I know @schroeder to use?

    – emory
    2 days ago






  • 7





    @emory .... because that would be silly. And no one is talking about that. And that has nothing to do with anything I said or what the OP said.

    – schroeder
    2 days ago






  • 2





    @emory I still have access to the old email account, so schroeder's idea of an authenticated process to trigger the requests seems to mitigate the issue IMO.

    – Islay
    2 days ago






  • 1





    I wonder if anyone attempted to use AI to solve this problem: teach a program how reset processes look like, where to find them looking at a webpage and how to submit the username/email to reset. If we are lucky this might work for a majority of websites and not an hardcoded list of less than 100.

    – Bakuriu
    yesterday













44












44








44







This is a known problem without an existing solution. Some password management tools are working on it, but it is not complete or fool-proof.



For example: https://helpdesk.lastpass.com/generating-a-password/




Auto-Password Change will change a site’s password with a
single-click. This feature currently supports 75 of the most popular
websites. You can see the full list of supported websites below.




In general, though, when you use a password manager for all your accounts, 90% of the work you need to do is already done. You know which sites use that username/email, and you can avoid re-using passwords in the first place (or know which accounts use a shared password).






share|improve this answer













This is a known problem without an existing solution. Some password management tools are working on it, but it is not complete or fool-proof.



For example: https://helpdesk.lastpass.com/generating-a-password/




Auto-Password Change will change a site’s password with a
single-click. This feature currently supports 75 of the most popular
websites. You can see the full list of supported websites below.




In general, though, when you use a password manager for all your accounts, 90% of the work you need to do is already done. You know which sites use that username/email, and you can avoid re-using passwords in the first place (or know which accounts use a shared password).







share|improve this answer












share|improve this answer



share|improve this answer










answered 2 days ago









schroederschroeder

78.5k30174210




78.5k30174210







  • 3





    @emory I'm not sure that is true. An authenticated process would not expose a DoS threat to the process.

    – schroeder
    2 days ago






  • 2





    As I understand it, OP wants to send a message to a bunch of sites - facebook, google, spotify, netflex, etc - saying "hey, I am pretty sure I have an account with you guys and my username is op@somedomain.com. This account has been compromised. Please lock me out." Why couldn't I do the same with all the email addresses that I know @schroeder to use?

    – emory
    2 days ago






  • 7





    @emory .... because that would be silly. And no one is talking about that. And that has nothing to do with anything I said or what the OP said.

    – schroeder
    2 days ago






  • 2





    @emory I still have access to the old email account, so schroeder's idea of an authenticated process to trigger the requests seems to mitigate the issue IMO.

    – Islay
    2 days ago






  • 1





    I wonder if anyone attempted to use AI to solve this problem: teach a program how reset processes look like, where to find them looking at a webpage and how to submit the username/email to reset. If we are lucky this might work for a majority of websites and not an hardcoded list of less than 100.

    – Bakuriu
    yesterday












  • 3





    @emory I'm not sure that is true. An authenticated process would not expose a DoS threat to the process.

    – schroeder
    2 days ago






  • 2





    As I understand it, OP wants to send a message to a bunch of sites - facebook, google, spotify, netflex, etc - saying "hey, I am pretty sure I have an account with you guys and my username is op@somedomain.com. This account has been compromised. Please lock me out." Why couldn't I do the same with all the email addresses that I know @schroeder to use?

    – emory
    2 days ago






  • 7





    @emory .... because that would be silly. And no one is talking about that. And that has nothing to do with anything I said or what the OP said.

    – schroeder
    2 days ago






  • 2





    @emory I still have access to the old email account, so schroeder's idea of an authenticated process to trigger the requests seems to mitigate the issue IMO.

    – Islay
    2 days ago






  • 1





    I wonder if anyone attempted to use AI to solve this problem: teach a program how reset processes look like, where to find them looking at a webpage and how to submit the username/email to reset. If we are lucky this might work for a majority of websites and not an hardcoded list of less than 100.

    – Bakuriu
    yesterday







3




3





@emory I'm not sure that is true. An authenticated process would not expose a DoS threat to the process.

– schroeder
2 days ago





@emory I'm not sure that is true. An authenticated process would not expose a DoS threat to the process.

– schroeder
2 days ago




2




2





As I understand it, OP wants to send a message to a bunch of sites - facebook, google, spotify, netflex, etc - saying "hey, I am pretty sure I have an account with you guys and my username is op@somedomain.com. This account has been compromised. Please lock me out." Why couldn't I do the same with all the email addresses that I know @schroeder to use?

– emory
2 days ago





As I understand it, OP wants to send a message to a bunch of sites - facebook, google, spotify, netflex, etc - saying "hey, I am pretty sure I have an account with you guys and my username is op@somedomain.com. This account has been compromised. Please lock me out." Why couldn't I do the same with all the email addresses that I know @schroeder to use?

– emory
2 days ago




7




7





@emory .... because that would be silly. And no one is talking about that. And that has nothing to do with anything I said or what the OP said.

– schroeder
2 days ago





@emory .... because that would be silly. And no one is talking about that. And that has nothing to do with anything I said or what the OP said.

– schroeder
2 days ago




2




2





@emory I still have access to the old email account, so schroeder's idea of an authenticated process to trigger the requests seems to mitigate the issue IMO.

– Islay
2 days ago





@emory I still have access to the old email account, so schroeder's idea of an authenticated process to trigger the requests seems to mitigate the issue IMO.

– Islay
2 days ago




1




1





I wonder if anyone attempted to use AI to solve this problem: teach a program how reset processes look like, where to find them looking at a webpage and how to submit the username/email to reset. If we are lucky this might work for a majority of websites and not an hardcoded list of less than 100.

– Bakuriu
yesterday





I wonder if anyone attempted to use AI to solve this problem: teach a program how reset processes look like, where to find them looking at a webpage and how to submit the username/email to reset. If we are lucky this might work for a majority of websites and not an hardcoded list of less than 100.

– Bakuriu
yesterday











5














One tip to help you out on your journey is that multiple sites have recently implemented the "well-known password change URL". This is something you can plug in to any (supporting) website that redirects to the page that lets you change your password.



Take the homepage of the site, and add /.well-known/change-password to the end. Examples:



accounts.google.com/.well-known/change-password
-> https://myaccount.google.com/signinoptions/password

github.com/.well-known/change-password
-> https://github.com/settings/admin

twitter.com/.well-known/change-password
-> https://twitter.com/settings/password

meta.discourse.org/.well-known/change-password
-> https://meta.discourse.org/my/preferences/account





share|improve this answer























  • I had never heard of those. Is it trying to append itself to this list?

    – Michael
    2 hours ago















5














One tip to help you out on your journey is that multiple sites have recently implemented the "well-known password change URL". This is something you can plug in to any (supporting) website that redirects to the page that lets you change your password.



Take the homepage of the site, and add /.well-known/change-password to the end. Examples:



accounts.google.com/.well-known/change-password
-> https://myaccount.google.com/signinoptions/password

github.com/.well-known/change-password
-> https://github.com/settings/admin

twitter.com/.well-known/change-password
-> https://twitter.com/settings/password

meta.discourse.org/.well-known/change-password
-> https://meta.discourse.org/my/preferences/account





share|improve this answer























  • I had never heard of those. Is it trying to append itself to this list?

    – Michael
    2 hours ago













5












5








5







One tip to help you out on your journey is that multiple sites have recently implemented the "well-known password change URL". This is something you can plug in to any (supporting) website that redirects to the page that lets you change your password.



Take the homepage of the site, and add /.well-known/change-password to the end. Examples:



accounts.google.com/.well-known/change-password
-> https://myaccount.google.com/signinoptions/password

github.com/.well-known/change-password
-> https://github.com/settings/admin

twitter.com/.well-known/change-password
-> https://twitter.com/settings/password

meta.discourse.org/.well-known/change-password
-> https://meta.discourse.org/my/preferences/account





share|improve this answer













One tip to help you out on your journey is that multiple sites have recently implemented the "well-known password change URL". This is something you can plug in to any (supporting) website that redirects to the page that lets you change your password.



Take the homepage of the site, and add /.well-known/change-password to the end. Examples:



accounts.google.com/.well-known/change-password
-> https://myaccount.google.com/signinoptions/password

github.com/.well-known/change-password
-> https://github.com/settings/admin

twitter.com/.well-known/change-password
-> https://twitter.com/settings/password

meta.discourse.org/.well-known/change-password
-> https://meta.discourse.org/my/preferences/account






share|improve this answer












share|improve this answer



share|improve this answer










answered 22 hours ago









RikingRiking

23418




23418












  • I had never heard of those. Is it trying to append itself to this list?

    – Michael
    2 hours ago

















  • I had never heard of those. Is it trying to append itself to this list?

    – Michael
    2 hours ago
















I had never heard of those. Is it trying to append itself to this list?

– Michael
2 hours ago





I had never heard of those. Is it trying to append itself to this list?

– Michael
2 hours ago











4














One alternative solution to identify sites that you used your email address on is to look into your browser's saved passwords.



This will allow you to see every site you have saved passwords for in your browser which might help you identify ones that need to be changed.



Obviously, this only works if you use the browser's "save password" feature.






share|improve this answer










New contributor




Jacob is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.















  • 2





    So, in other words, look in your password manager. And sometimes, your password manager is your browser.

    – schroeder
    2 days ago






  • 6





    True, although I think most people would not consider their browser a true "password manager". This is just another suggestion that could be easy to overlook for others who are trying to find websites they forgot they registered on

    – Jacob
    2 days ago






  • 1





    I would say "almost allways, your browser is your password manager."

    – ThoriumBR
    2 days ago















4














One alternative solution to identify sites that you used your email address on is to look into your browser's saved passwords.



This will allow you to see every site you have saved passwords for in your browser which might help you identify ones that need to be changed.



Obviously, this only works if you use the browser's "save password" feature.






share|improve this answer










New contributor




Jacob is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.















  • 2





    So, in other words, look in your password manager. And sometimes, your password manager is your browser.

    – schroeder
    2 days ago






  • 6





    True, although I think most people would not consider their browser a true "password manager". This is just another suggestion that could be easy to overlook for others who are trying to find websites they forgot they registered on

    – Jacob
    2 days ago






  • 1





    I would say "almost allways, your browser is your password manager."

    – ThoriumBR
    2 days ago













4












4








4







One alternative solution to identify sites that you used your email address on is to look into your browser's saved passwords.



This will allow you to see every site you have saved passwords for in your browser which might help you identify ones that need to be changed.



Obviously, this only works if you use the browser's "save password" feature.






share|improve this answer










New contributor




Jacob is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.










One alternative solution to identify sites that you used your email address on is to look into your browser's saved passwords.



This will allow you to see every site you have saved passwords for in your browser which might help you identify ones that need to be changed.



Obviously, this only works if you use the browser's "save password" feature.







share|improve this answer










New contributor




Jacob is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this answer



share|improve this answer








edited 2 days ago









schroeder

78.5k30174210




78.5k30174210






New contributor




Jacob is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









answered 2 days ago









JacobJacob

411




411




New contributor




Jacob is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Jacob is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Jacob is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







  • 2





    So, in other words, look in your password manager. And sometimes, your password manager is your browser.

    – schroeder
    2 days ago






  • 6





    True, although I think most people would not consider their browser a true "password manager". This is just another suggestion that could be easy to overlook for others who are trying to find websites they forgot they registered on

    – Jacob
    2 days ago






  • 1





    I would say "almost allways, your browser is your password manager."

    – ThoriumBR
    2 days ago












  • 2





    So, in other words, look in your password manager. And sometimes, your password manager is your browser.

    – schroeder
    2 days ago






  • 6





    True, although I think most people would not consider their browser a true "password manager". This is just another suggestion that could be easy to overlook for others who are trying to find websites they forgot they registered on

    – Jacob
    2 days ago






  • 1





    I would say "almost allways, your browser is your password manager."

    – ThoriumBR
    2 days ago







2




2





So, in other words, look in your password manager. And sometimes, your password manager is your browser.

– schroeder
2 days ago





So, in other words, look in your password manager. And sometimes, your password manager is your browser.

– schroeder
2 days ago




6




6





True, although I think most people would not consider their browser a true "password manager". This is just another suggestion that could be easy to overlook for others who are trying to find websites they forgot they registered on

– Jacob
2 days ago





True, although I think most people would not consider their browser a true "password manager". This is just another suggestion that could be easy to overlook for others who are trying to find websites they forgot they registered on

– Jacob
2 days ago




1




1





I would say "almost allways, your browser is your password manager."

– ThoriumBR
2 days ago





I would say "almost allways, your browser is your password manager."

– ThoriumBR
2 days ago











2














It's a hard problem because the top list of websites is so personal... And what you have to lose is in no way proportional to the site's popularity on any index of popular sites.



And only you know where you might have accounts.



For instance, I consider gaming sites to be more critical than banking sites. Because there are much fewer controls and less legal peril involved in hacking MMO gaming accounts, so they are the darlings of crackers. On the other hand, if you're done with Maplestory, you may not care.



But you certainly don't need to care about your Eve Online account if you definitely never played it. Only you know this sort of thing.



If you think you might have used a site in the past, why not just try your old credential?



Why not just spam every website with password reset requests?



They're not going to cooperate with large scale automated requests of this type.



First, the website acknowledging whether an email has an account, would empower spear phishing. Scammer gets a billion emails (easy enough), they start banging the website's password reset to learn "does this email have an account here, or not?" Now they have a list of 1 million emails that do. Now they start spear-phishing those known account holders. Put them on a daily newsletter where unsubscribe requires a login, that kind of thing. This is a "many email addresses against a single site" attack. The site's best defense is to add friction to the password reset process, e.g. a CAPTCHA, or simply design the password-reset process so it tells the inquirer nothing about whether an account exists. This is even more important for sites like Ashley Madison or Furries where having an account there could be embarrassing.



Second, if a cracker managed to gain control of an email, they could simply do exactly what you're trying to do - ascertain which websites this email has an account on. With a full dossier, they can then attack those sites or simply sell the credentials for more than they could otherwise. This is a "single email vs many sites" attack. In this case, the site needs to control one-off access to the password reset function - something like a CAPTCHA is called for. And 2-factor authentication - but again, this 2FA must not disclose to the casual inquirer whether an account here exists.



Because of this, I don't see a probability of anyone writing an app to do this. The writer would find herself in a hacking "arms race" with many companies trying to stop her automation from working.






share|improve this answer























  • Lol...You made me google Furries and Ashley Madison...

    – Aganju
    2 days ago












  • The spear phishing/email enumeration isn't an issue if the mass password reset process itself requires email verification. However, good point re if a cracker managed to gain control of an email.... But then, in the case of a determined attacker, whether the manual nature of the process is enough of a deterrent - compared to the convenience afforded by its automation to genuine users - is debatable.

    – Islay
    yesterday
















2














It's a hard problem because the top list of websites is so personal... And what you have to lose is in no way proportional to the site's popularity on any index of popular sites.



And only you know where you might have accounts.



For instance, I consider gaming sites to be more critical than banking sites. Because there are much fewer controls and less legal peril involved in hacking MMO gaming accounts, so they are the darlings of crackers. On the other hand, if you're done with Maplestory, you may not care.



But you certainly don't need to care about your Eve Online account if you definitely never played it. Only you know this sort of thing.



If you think you might have used a site in the past, why not just try your old credential?



Why not just spam every website with password reset requests?



They're not going to cooperate with large scale automated requests of this type.



First, the website acknowledging whether an email has an account, would empower spear phishing. Scammer gets a billion emails (easy enough), they start banging the website's password reset to learn "does this email have an account here, or not?" Now they have a list of 1 million emails that do. Now they start spear-phishing those known account holders. Put them on a daily newsletter where unsubscribe requires a login, that kind of thing. This is a "many email addresses against a single site" attack. The site's best defense is to add friction to the password reset process, e.g. a CAPTCHA, or simply design the password-reset process so it tells the inquirer nothing about whether an account exists. This is even more important for sites like Ashley Madison or Furries where having an account there could be embarrassing.



Second, if a cracker managed to gain control of an email, they could simply do exactly what you're trying to do - ascertain which websites this email has an account on. With a full dossier, they can then attack those sites or simply sell the credentials for more than they could otherwise. This is a "single email vs many sites" attack. In this case, the site needs to control one-off access to the password reset function - something like a CAPTCHA is called for. And 2-factor authentication - but again, this 2FA must not disclose to the casual inquirer whether an account here exists.



Because of this, I don't see a probability of anyone writing an app to do this. The writer would find herself in a hacking "arms race" with many companies trying to stop her automation from working.






share|improve this answer























  • Lol...You made me google Furries and Ashley Madison...

    – Aganju
    2 days ago












  • The spear phishing/email enumeration isn't an issue if the mass password reset process itself requires email verification. However, good point re if a cracker managed to gain control of an email.... But then, in the case of a determined attacker, whether the manual nature of the process is enough of a deterrent - compared to the convenience afforded by its automation to genuine users - is debatable.

    – Islay
    yesterday














2












2








2







It's a hard problem because the top list of websites is so personal... And what you have to lose is in no way proportional to the site's popularity on any index of popular sites.



And only you know where you might have accounts.



For instance, I consider gaming sites to be more critical than banking sites. Because there are much fewer controls and less legal peril involved in hacking MMO gaming accounts, so they are the darlings of crackers. On the other hand, if you're done with Maplestory, you may not care.



But you certainly don't need to care about your Eve Online account if you definitely never played it. Only you know this sort of thing.



If you think you might have used a site in the past, why not just try your old credential?



Why not just spam every website with password reset requests?



They're not going to cooperate with large scale automated requests of this type.



First, the website acknowledging whether an email has an account, would empower spear phishing. Scammer gets a billion emails (easy enough), they start banging the website's password reset to learn "does this email have an account here, or not?" Now they have a list of 1 million emails that do. Now they start spear-phishing those known account holders. Put them on a daily newsletter where unsubscribe requires a login, that kind of thing. This is a "many email addresses against a single site" attack. The site's best defense is to add friction to the password reset process, e.g. a CAPTCHA, or simply design the password-reset process so it tells the inquirer nothing about whether an account exists. This is even more important for sites like Ashley Madison or Furries where having an account there could be embarrassing.



Second, if a cracker managed to gain control of an email, they could simply do exactly what you're trying to do - ascertain which websites this email has an account on. With a full dossier, they can then attack those sites or simply sell the credentials for more than they could otherwise. This is a "single email vs many sites" attack. In this case, the site needs to control one-off access to the password reset function - something like a CAPTCHA is called for. And 2-factor authentication - but again, this 2FA must not disclose to the casual inquirer whether an account here exists.



Because of this, I don't see a probability of anyone writing an app to do this. The writer would find herself in a hacking "arms race" with many companies trying to stop her automation from working.






share|improve this answer













It's a hard problem because the top list of websites is so personal... And what you have to lose is in no way proportional to the site's popularity on any index of popular sites.



And only you know where you might have accounts.



For instance, I consider gaming sites to be more critical than banking sites. Because there are much fewer controls and less legal peril involved in hacking MMO gaming accounts, so they are the darlings of crackers. On the other hand, if you're done with Maplestory, you may not care.



But you certainly don't need to care about your Eve Online account if you definitely never played it. Only you know this sort of thing.



If you think you might have used a site in the past, why not just try your old credential?



Why not just spam every website with password reset requests?



They're not going to cooperate with large scale automated requests of this type.



First, the website acknowledging whether an email has an account, would empower spear phishing. Scammer gets a billion emails (easy enough), they start banging the website's password reset to learn "does this email have an account here, or not?" Now they have a list of 1 million emails that do. Now they start spear-phishing those known account holders. Put them on a daily newsletter where unsubscribe requires a login, that kind of thing. This is a "many email addresses against a single site" attack. The site's best defense is to add friction to the password reset process, e.g. a CAPTCHA, or simply design the password-reset process so it tells the inquirer nothing about whether an account exists. This is even more important for sites like Ashley Madison or Furries where having an account there could be embarrassing.



Second, if a cracker managed to gain control of an email, they could simply do exactly what you're trying to do - ascertain which websites this email has an account on. With a full dossier, they can then attack those sites or simply sell the credentials for more than they could otherwise. This is a "single email vs many sites" attack. In this case, the site needs to control one-off access to the password reset function - something like a CAPTCHA is called for. And 2-factor authentication - but again, this 2FA must not disclose to the casual inquirer whether an account here exists.



Because of this, I don't see a probability of anyone writing an app to do this. The writer would find herself in a hacking "arms race" with many companies trying to stop her automation from working.







share|improve this answer












share|improve this answer



share|improve this answer










answered 2 days ago









HarperHarper

2,030413




2,030413












  • Lol...You made me google Furries and Ashley Madison...

    – Aganju
    2 days ago












  • The spear phishing/email enumeration isn't an issue if the mass password reset process itself requires email verification. However, good point re if a cracker managed to gain control of an email.... But then, in the case of a determined attacker, whether the manual nature of the process is enough of a deterrent - compared to the convenience afforded by its automation to genuine users - is debatable.

    – Islay
    yesterday


















  • Lol...You made me google Furries and Ashley Madison...

    – Aganju
    2 days ago












  • The spear phishing/email enumeration isn't an issue if the mass password reset process itself requires email verification. However, good point re if a cracker managed to gain control of an email.... But then, in the case of a determined attacker, whether the manual nature of the process is enough of a deterrent - compared to the convenience afforded by its automation to genuine users - is debatable.

    – Islay
    yesterday

















Lol...You made me google Furries and Ashley Madison...

– Aganju
2 days ago






Lol...You made me google Furries and Ashley Madison...

– Aganju
2 days ago














The spear phishing/email enumeration isn't an issue if the mass password reset process itself requires email verification. However, good point re if a cracker managed to gain control of an email.... But then, in the case of a determined attacker, whether the manual nature of the process is enough of a deterrent - compared to the convenience afforded by its automation to genuine users - is debatable.

– Islay
yesterday






The spear phishing/email enumeration isn't an issue if the mass password reset process itself requires email verification. However, good point re if a cracker managed to gain control of an email.... But then, in the case of a determined attacker, whether the manual nature of the process is enough of a deterrent - compared to the convenience afforded by its automation to genuine users - is debatable.

– Islay
yesterday












-1














You can absolutely reset passwords automatically if your password manager supports it (I use LastPass) -- even retroactively. You don't have to have created the site using LastPass in order for it to be able to reset your passwords for you. You simply have to load the credentials into it and ask it to perform the password reset function.



In LastPass, simply allow LastPass to remember your credentials for the site (typically by logging in), and then on the Edit Site window of your vault, simply select Auto Change Password below the password field.






share|improve this answer








New contributor




bvoyelr is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • One may not have the old password(s) anymore to load into LastPass.

    – Islay
    2 days ago











  • Lastpasses feature also only works on some of the biggest sites, and even then not reliably. (facebook, battle.net....)

    – Lichtbringer
    2 days ago











  • This is all covered in another answer (along with the weaknesses)

    – schroeder
    yesterday











  • Do not use proprietary, nonfree, closed-source password managers.

    – Spenser Truex
    22 mins ago















-1














You can absolutely reset passwords automatically if your password manager supports it (I use LastPass) -- even retroactively. You don't have to have created the site using LastPass in order for it to be able to reset your passwords for you. You simply have to load the credentials into it and ask it to perform the password reset function.



In LastPass, simply allow LastPass to remember your credentials for the site (typically by logging in), and then on the Edit Site window of your vault, simply select Auto Change Password below the password field.






share|improve this answer








New contributor




bvoyelr is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • One may not have the old password(s) anymore to load into LastPass.

    – Islay
    2 days ago











  • Lastpasses feature also only works on some of the biggest sites, and even then not reliably. (facebook, battle.net....)

    – Lichtbringer
    2 days ago











  • This is all covered in another answer (along with the weaknesses)

    – schroeder
    yesterday











  • Do not use proprietary, nonfree, closed-source password managers.

    – Spenser Truex
    22 mins ago













-1












-1








-1







You can absolutely reset passwords automatically if your password manager supports it (I use LastPass) -- even retroactively. You don't have to have created the site using LastPass in order for it to be able to reset your passwords for you. You simply have to load the credentials into it and ask it to perform the password reset function.



In LastPass, simply allow LastPass to remember your credentials for the site (typically by logging in), and then on the Edit Site window of your vault, simply select Auto Change Password below the password field.






share|improve this answer








New contributor




bvoyelr is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.










You can absolutely reset passwords automatically if your password manager supports it (I use LastPass) -- even retroactively. You don't have to have created the site using LastPass in order for it to be able to reset your passwords for you. You simply have to load the credentials into it and ask it to perform the password reset function.



In LastPass, simply allow LastPass to remember your credentials for the site (typically by logging in), and then on the Edit Site window of your vault, simply select Auto Change Password below the password field.







share|improve this answer








New contributor




bvoyelr is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this answer



share|improve this answer






New contributor




bvoyelr is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









answered 2 days ago









bvoyelrbvoyelr

107




107




New contributor




bvoyelr is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





bvoyelr is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






bvoyelr is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












  • One may not have the old password(s) anymore to load into LastPass.

    – Islay
    2 days ago











  • Lastpasses feature also only works on some of the biggest sites, and even then not reliably. (facebook, battle.net....)

    – Lichtbringer
    2 days ago











  • This is all covered in another answer (along with the weaknesses)

    – schroeder
    yesterday











  • Do not use proprietary, nonfree, closed-source password managers.

    – Spenser Truex
    22 mins ago

















  • One may not have the old password(s) anymore to load into LastPass.

    – Islay
    2 days ago











  • Lastpasses feature also only works on some of the biggest sites, and even then not reliably. (facebook, battle.net....)

    – Lichtbringer
    2 days ago











  • This is all covered in another answer (along with the weaknesses)

    – schroeder
    yesterday











  • Do not use proprietary, nonfree, closed-source password managers.

    – Spenser Truex
    22 mins ago
















One may not have the old password(s) anymore to load into LastPass.

– Islay
2 days ago





One may not have the old password(s) anymore to load into LastPass.

– Islay
2 days ago













Lastpasses feature also only works on some of the biggest sites, and even then not reliably. (facebook, battle.net....)

– Lichtbringer
2 days ago





Lastpasses feature also only works on some of the biggest sites, and even then not reliably. (facebook, battle.net....)

– Lichtbringer
2 days ago













This is all covered in another answer (along with the weaknesses)

– schroeder
yesterday





This is all covered in another answer (along with the weaknesses)

– schroeder
yesterday













Do not use proprietary, nonfree, closed-source password managers.

– Spenser Truex
22 mins ago





Do not use proprietary, nonfree, closed-source password managers.

– Spenser Truex
22 mins ago

















draft saved

draft discarded
















































Thanks for contributing an answer to Information Security Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206218%2fhow-do-i-reset-passwords-on-multiple-websites-easily%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Францішак Багушэвіч Змест Сям'я | Біяграфія | Творчасць | Мова Багушэвіча | Ацэнкі дзейнасці | Цікавыя факты | Спадчына | Выбраная бібліяграфія | Ушанаванне памяці | У філатэліі | Зноскі | Літаратура | Спасылкі | НавігацыяЛяхоўскі У. Рупіўся дзеля Бога і людзей: Жыццёвы шлях Лявона Вітан-Дубейкаўскага // Вольскі і Памідораў з песняй пра немца Адвакат, паэт, народны заступнік Ашмянскі веснікВ Минске появится площадь Богушевича и улица Сырокомли, Белорусская деловая газета, 19 июля 2001 г.Айцец беларускай нацыянальнай ідэі паўстаў у бронзе Сяргей Аляксандравіч Адашкевіч (1918, Мінск). 80-я гады. Бюст «Францішак Багушэвіч».Яўген Мікалаевіч Ціхановіч. «Партрэт Францішка Багушэвіча»Мікола Мікалаевіч Купава. «Партрэт зачынальніка новай беларускай літаратуры Францішка Багушэвіча»Уладзімір Іванавіч Мелехаў. На помніку «Змагарам за родную мову» Барэльеф «Францішак Багушэвіч»Памяць пра Багушэвіча на Віленшчыне Страчаная сталіца. Беларускія шыльды на вуліцах Вільні«Krynica». Ideologia i przywódcy białoruskiego katolicyzmuФранцішак БагушэвічТворы на knihi.comТворы Францішка Багушэвіча на bellib.byСодаль Уладзімір. Францішак Багушэвіч на Лідчыне;Луцкевіч Антон. Жыцьцё і творчасьць Фр. Багушэвіча ў успамінах ягоных сучасьнікаў // Запісы Беларускага Навуковага таварыства. Вільня, 1938. Сшытак 1. С. 16-34.Большая российская1188761710000 0000 5537 633Xn9209310021619551927869394п

Беларусь Змест Назва Гісторыя Геаграфія Сімволіка Дзяржаўны лад Палітычныя партыі Міжнароднае становішча і знешняя палітыка Адміністрацыйны падзел Насельніцтва Эканоміка Культура і грамадства Сацыяльная сфера Узброеныя сілы Заўвагі Літаратура Спасылкі НавігацыяHGЯOiТоп-2011 г. (па версіі ej.by)Топ-2013 г. (па версіі ej.by)Топ-2016 г. (па версіі ej.by)Топ-2017 г. (па версіі ej.by)Нацыянальны статыстычны камітэт Рэспублікі БеларусьШчыльнасць насельніцтва па краінахhttp://naviny.by/rubrics/society/2011/09/16/ic_articles_116_175144/А. Калечыц, У. Ксяндзоў. Спробы засялення краю неандэртальскім чалавекам.І ў Менску былі мамантыА. Калечыц, У. Ксяндзоў. Старажытны каменны век (палеаліт). Першапачатковае засяленне тэрыторыіГ. Штыхаў. Балты і славяне ў VI—VIII стст.М. Клімаў. Полацкае княства ў IX—XI стст.Г. Штыхаў, В. Ляўко. Палітычная гісторыя Полацкай зямліГ. Штыхаў. Дзяржаўны лад у землях-княствахГ. Штыхаў. Дзяржаўны лад у землях-княствахБеларускія землі ў складзе Вялікага Княства ЛітоўскагаЛюблінская унія 1569 г."The Early Stages of Independence"Zapomniane prawdy25 гадоў таму было аб'яўлена, што Язэп Пілсудскі — беларус (фота)Наша вадаДакументы ЧАЭС: Забруджванне тэрыторыі Беларусі « ЧАЭС Зона адчужэнняСведения о политических партиях, зарегистрированных в Республике Беларусь // Министерство юстиции Республики БеларусьСтатыстычны бюлетэнь „Полаўзроставая структура насельніцтва Рэспублікі Беларусь на 1 студзеня 2012 года і сярэднегадовая колькасць насельніцтва за 2011 год“Индекс человеческого развития Беларуси — не было бы нижеБеларусь занимает первое место в СНГ по индексу развития с учетом гендерного факцёраНацыянальны статыстычны камітэт Рэспублікі БеларусьКанстытуцыя РБ. Артыкул 17Трансфармацыйныя задачы БеларусіВыйсце з крызісу — далейшае рэфармаванне Беларускі рубель — сусветны лідар па дэвальвацыяхПра змену коштаў у кастрычніку 2011 г.Бядней за беларусаў у СНД толькі таджыкіСярэдні заробак у верасні дасягнуў 2,26 мільёна рублёўЭканомікаГаласуем за ТОП-100 беларускай прозыСучасныя беларускія мастакіАрхитектура Беларуси BELARUS.BYА. Каханоўскі. Культура Беларусі ўсярэдзіне XVII—XVIII ст.Анталогія беларускай народнай песні, гуказапісы спеваўБеларускія Музычныя IнструментыБеларускі рок, які мы страцілі. Топ-10 гуртоў«Мясцовы час» — нязгаслая легенда беларускай рок-музыкіСЯРГЕЙ БУДКІН. МЫ НЯ ЗНАЕМ СВАЁЙ МУЗЫКІМ. А. Каладзінскі. НАРОДНЫ ТЭАТРМагнацкія культурныя цэнтрыПублічная дыскусія «Беларуская новая пьеса: без беларускай мовы ці беларуская?»Беларускія драматургі па-ранейшаму лепш ставяцца за мяжой, чым на радзіме«Працэс незалежнага кіно пайшоў, і дзяржаву турбуе яго непадкантрольнасць»Беларускія філосафы ў пошуках прасторыВсе идём в библиотекуАрхіваванаАб Нацыянальнай праграме даследавання і выкарыстання касмічнай прасторы ў мірных мэтах на 2008—2012 гадыУ космас — разам.У суседнім з Барысаўскім раёне пабудуюць Камандна-вымяральны пунктСвяты і абрады беларусаў«Мірныя бульбашы з малой краіны» — 5 непраўдзівых стэрэатыпаў пра БеларусьМ. Раманюк. Беларускае народнае адзеннеУ Беларусі скарачаецца колькасць злачынстваўЛукашэнка незадаволены мінскімі ўладамі Крадзяжы складаюць у Мінску каля 70% злачынстваў Узровень злачыннасці ў Мінскай вобласці — адзін з самых высокіх у краіне Генпракуратура аналізуе стан са злачыннасцю ў Беларусі па каэфіцыенце злачыннасці У Беларусі стабілізавалася крымінагеннае становішча, лічыць генпракурорЗамежнікі сталі здзяйсняць у Беларусі больш злачынстваўМУС Беларусі турбуе рост рэцыдыўнай злачыннасціЯ з ЖЭСа. Дазволіце вас абкрасці! Рэйтынг усіх службаў і падраздзяленняў ГУУС Мінгарвыканкама вырасАб КДБ РБГісторыя Аператыўна-аналітычнага цэнтра РБГісторыя ДКФРТаможняagentura.ruБеларусьBelarus.by — Афіцыйны сайт Рэспублікі БеларусьСайт урада БеларусіRadzima.org — Збор архітэктурных помнікаў, гісторыя Беларусі«Глобус Беларуси»Гербы и флаги БеларусиАсаблівасці каменнага веку на БеларусіА. Калечыц, У. Ксяндзоў. Старажытны каменны век (палеаліт). Першапачатковае засяленне тэрыторыіУ. Ксяндзоў. Сярэдні каменны век (мезаліт). Засяленне краю плямёнамі паляўнічых, рыбакоў і збіральнікаўА. Калечыц, М. Чарняўскі. Плямёны на тэрыторыі Беларусі ў новым каменным веку (неаліце)А. Калечыц, У. Ксяндзоў, М. Чарняўскі. Гаспадарчыя заняткі ў каменным векуЭ. Зайкоўскі. Духоўная культура ў каменным векуАсаблівасці бронзавага веку на БеларусіФарміраванне супольнасцей ранняга перыяду бронзавага векуФотографии БеларусиРоля беларускіх зямель ва ўтварэнні і ўмацаванні ВКЛВ. Фадзеева. З гісторыі развіцця беларускай народнай вышыўкіDMOZGran catalanaБольшая российскаяBritannica (анлайн)Швейцарскі гістарычны15325917611952699xDA123282154079143-90000 0001 2171 2080n9112870100577502ge128882171858027501086026362074122714179пппппп

ValueError: Expected n_neighbors <= n_samples, but n_samples = 1, n_neighbors = 6 (SMOTE) The 2019 Stack Overflow Developer Survey Results Are InCan SMOTE be applied over sequence of words (sentences)?ValueError when doing validation with random forestsSMOTE and multi class oversamplingLogic behind SMOTE-NC?ValueError: Error when checking target: expected dense_1 to have shape (7,) but got array with shape (1,)SmoteBoost: Should SMOTE be ran individually for each iteration/tree in the boosting?solving multi-class imbalance classification using smote and OSSUsing SMOTE for Synthetic Data generation to improve performance on unbalanced dataproblem of entry format for a simple model in KerasSVM SMOTE fit_resample() function runs forever with no result