I’m done changing my passwords

Screw it

Justin Ruckman
3 min readMay 21, 2014


I just saw the news about eBay’s user data being hacked, adding yet another to a long list of similar events. The warning issued is the same as always:

“Change your passwords!”

Nope, not gonna do it.

First of all, it shouldn’t be my responsibility to clean up after a website’s mess. If a site gets hacked, and they think it’s critical that passwords be reset, then just reset them. Make me verify my identity and set a new password next time I login, quick and easy.

And secondly, if I actually changed my passwords every time a new site gets hacked, I’d be doing it every day. And even then it would just be in response to the incidents that companies a) are actually aware of, and b) find it prudent to inform us about.

Can we just accept it as a constant that at any given time at least one nefarious party has access to an assortment of our passwords and personal information? It’s like coming to terms with the fact roughly 2% of you is totally made up of germs and bacteria.

Not easily guessed? For a person? Or a botnet guessing a trillion passwords per second?

And the most frustrating part: I can only devise so many weird combinations of letters and numbers and capital letters and special characters but only characters like .!@% or # and definitely not anything crazy like <*&? or } and don’t even think about using any combination of characters from your last 10 passwords, and nothing too obvious either, and make sure it’s at least 8 characters, but whoa nothing over 20 characters, actually make that 12 characters this time, oh and no spaces, and make sure it starts with a letter, no a capital letter, wait make sure it’s not a q or a z, and actually, is your caps lock on, and would you mind deciphering these garbled letters to prove you’re a human, and can you confirm your zip code or the last four digits of your SSN, and would you like to participate in a brief customer survey …

Nope, I’m done. For every critical online service I actually care about that houses my most sensitive information, I’ve enabled two-factor authentication. That beautiful phrase means I can set passwords I have a fair shot of actually remembering, and then before any of those passwords are accepted, I just have to prove I’m in physical possession of my phone. That’s good enough for me.

And for the rest that don’t have two-factor, or that I simply don’t store much sensitive data with, like eBay: let’s be real, what’s the worst that can happen?

Someone could discover my email address and phone number? Ha! Are you from the past? That cat is out of the bag.

Someone could grab my credit card information? Not too big a deal. I review my statements regularly, and my bank and credit card offer 100% protection from fraudulent activity.

Someone could buy stuff on my account? OK, and then I’ll get emails, push alerts, etc. letting me know. And if the provider is worth having an account with anyway, they’ll probably issue a refund.

The point is, this is ridiculous and I’m standing my ground. It won’t be long until passwords are obsolete, replaced by fingerprint-reading, voice-recognizing, eye-scanning AI or some-such.

In the meantime, I’ve done all I’m willing to do, all that any sane, rational person can actually do in light of the overwhelming odds against them. Use two-factor where you can, and for the rest … screw it.



Justin Ruckman