On Sunday (Dec 22nd), I was visiting MyIndihome website to check my household’s internet usage when suddenly Google Chrome prompted this:
Upon clicking the [Check Password] button, Chrome showed me on how many websites my password could have been breached.
Since I store my passwords in Chrome, it actually knows the passwords that I'm using on many sites. I speculate that Google is utilizing Troy Hunt's Have I Been Pwned? API to check whether a password has been breached.
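The post speculates that Chrome checks passwords against Have I Been Pwned; its Pwned Passwords API answers such checks through a k-anonymity "range" query, where the client hashes the password locally, sends only the first five hex characters of the SHA-1 digest, and matches the remaining suffix itself. The following is an added example, not code from the post, with a constructed in-memory stand-in for the server (the leak list and counts are made up) so it runs offline:

```python
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 digest, the form Pwned Passwords indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: (password, number of times seen). Not real data.
CONSTRUCTED_LEAKS = [("password", 1000), ("123456", 2500), ("letmein", 3)]

# Server-side index: 5-hex-char prefix -> "SUFFIX:COUNT" lines, built once.
_RANGE_INDEX = defaultdict(list)
for _pw, _count in CONSTRUCTED_LEAKS:
    _h = sha1_hex(_pw)
    _RANGE_INDEX[_h[:5]].append(f"{_h[5:]}:{_count}")


def range_query(prefix: str) -> str:
    """Simulated server. It only ever learns the prefix (one of 16**5 buckets),
    so the password itself is never disclosed. The real endpoint is
    GET https://api.pwnedpasswords.com/range/<prefix> and returns the same
    CRLF-separated 'SUFFIX:COUNT' lines for every leaked hash in that bucket."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 upper-case hex characters")
    return "\r\n".join(_RANGE_INDEX.get(prefix, []))


def breach_count(password: str, query=range_query) -> int:
    """Client side: hash locally, send only the prefix, compare suffixes locally.
    Returns how many times the password appeared in the corpus (0 = not found).
    Swap `query` for a real HTTP GET to check against the live service."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in query(prefix).splitlines():
        if not line:
            continue
        cand_suffix, _, count = line.partition(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count(pw))
```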
So I spent the whole Sunday resetting my password on the websites that I deemed important. Websites that didn't store my personal information or carried no financial risk were excluded from this password reset exercise. Online shops and online hotel/flight booking websites were the first to have their passwords reset; I simply don't want fraudulent purchases/orders billed to my bank account.
My habit of reusing the same password is partly why I wasted my Sunday. You see, I have 3 passwords. The least complicated one is for websites with no financial risk, like forums and free/trial online services. The slightly more complicated password is for websites which store my credit card/bank account information, like online shops and travel/hotel booking sites. The most complicated one is for my Google/Facebook accounts, which basically control all my other accounts.
After resetting passwords on many websites, I found a few websites with the worst user interfaces for resetting a password. Let's learn from their mistakes and not repeat them in our future projects.
Alphanumeric-only password
We're not in the 90s anymore. We shouldn't limit passwords to alphanumeric characters only, because a smaller character set makes them easier to brute-force.
Missing input fields
MyIndihome expects you to enter the Two-Factor Authentication (2FA) token, but the input field is missing. Hence, resetting the password becomes impossible. Excellent job! 😀
Hide the reset password function in a non-standard place
When I clicked my username on the Qoo10 website, I expected to find the reset password function there, but apparently it is hidden under My Qoo10 -> My Inquiry -> Personal Info.