Like Dave Grohl, I’ve got another confession to make. I try to maintain pretty decent... or at least serviceable... operational security. I try not to reuse passwords anymore, and I try to make sure I enable MFA whenever possible. I try to avoid signing up for too many online accounts or services. However, I wasn't always like that, and over the years I have certainly left my mark on the internet landscape.
From the early 2000s (circa 1999-2000) up until about 2016, I was pretty active in exploring all sorts of new sites, platforms, and services. Most of these accounts did not get used very often and were quickly abandoned. That, in and of itself, is not necessarily a problem. The problem was that many of those accounts were never properly closed and discarded. I just left them alone and mostly forgot about them. Couple that with the fact that most of them pre-dated my use of a password manager, so I tended to use a single password that I could easily remember. It was not a super simple password to guess, and it had nothing to do with anything in my personal life that you could easily find online. However, it was not a very complex one either.
Grabbing my Attention
When I heard the news about the Internet Archive going down and losing user information, I figured it was worth checking into that particular account. With the service still down, and later restored to a read-only state, I was not able to log in. I did, however, find an old password file on an old offline computer — yeah, I know… You don’t have to say it… — and found the account credentials in there. Sure enough, that account was created with that old shared password….
Well, this is problematic. I guess it’s finally time to sit down and do the work of cleaning up my digital footprint; something we all need to be doing.
Compile a List of Online Accounts
To start off, I sat down and made a list of every online account I could think of from the last 25ish years. Most of the oldest ones were already deleted by the sites themselves after years of inactivity and others disappeared as the sites were shut down — looking at you Sony Station forums. However, there were quite a few that were still up and running. Some of them weren’t accessible because they used old email accounts that I closed over a decade ago, but others were still sitting there waiting for me to come sign back in. There was even an old Verizon business account from my old job that was never deactivated so I had to shoot my old boss a text to get that sorted out.
Document Usernames and Passwords
Now not all of these active sites used the same password. Some did, but not all. Most of the newer ones — from the last 5 years or so — or the older ones I had continued using had already had the password changed to something more complex. However, regardless of password complexity or age of the accounts, I made sure to note the login credentials and to note whether MFA had been enabled and in what form if it was.
As mentioned earlier, I used to just keep all of this stored in a spreadsheet on my local hard drive, but that’s kind of dumb. I’d rather write it down in a physical notebook and store it in my safe, but that’s less practical. So this time around, I decided to just input everything into my password manager.
Get a Password Manager
Password managers really are one of those things that you should be using in 2024 and beyond if you aren’t already. The way they work is pretty straightforward:
Download the mobile app, desktop app (if they have one), or install the browser extension for your preferred password manager
Create an account or sign in to your account
Manually add websites and login credentials, or automatically create entries when you sign in on the website
These entries get stored in your encrypted vault requiring authentication to access
Moving forward, the major password managers will ask to autofill your logins when you go to sign into that particular website
Furthermore, as the tech industry pushes more and more for a password-less future, it’s seeming like Passkeys are the future. While I’m no expert on how they work, I do know that they are intended to work with a single device, which means you would need separate passkeys for every device you use — including ones you don’t own — for each account. It’s for this reason I’m hesitant when it comes to setting up passkeys for my accounts (and it’s entirely possible I’m just dumb and don’t understand how it works) but saving your passkeys to a password manager does help to make them more portable.
What I Use
Now, obviously, do your research and use what will work best for you. For me, I tend to use two different options.
I used to use LastPass until about 3 or 4 years ago. It was around that time that they nerfed their free tier in a way that killed the user experience, so I moved over to Bitwarden. It wasn’t perfect at the time, and lacked some basic functions that LastPass had. The big one was the autofill prompt. At that time, and for several years after, you’d have to either click on the browser extension icon, then select the credentials you wanted to use, or do the same thing from the right-click context menu. It wasn't ideal but it worked well enough, and thankfully that feature has since been added and it’s now a phenomenal user experience. Also, Bitwarden includes a family plan for pretty cheap — $40 per year ($3.33 monthly, billed annually) at the time of this writing — which allows you to set up a family of up to 6 premium accounts. I haven’t signed my family up for this, but it is on my to-do list.
The other password manager I use is Apple’s new Passwords app. It’s basically an expanded version of their old Passwords utility that was in System Preferences and Settings, but it’s got some newer features that help bring it up to speed with other apps like Bitwarden. The only real downside to it, from what I can see, is that it’s part of the ecosystem™. Sure, there’s a plugin for Windows. It allows you to access your Keychain passwords on a Windows system, but if I’m completely honest with you, it’s pretty janky. I can only imagine how lousy the experience would probably be trying to use that on Linux running through Wine!
So why do I use it? Well, I like it within the ecosystem™. It’s great and more convenient on my Mac, iPhone, iPad, or when sharing passwords with my wife who also uses an iPhone and iPad. However, being someone who uses multiple devices with multiple different operating systems — macOS, Windows, Linux, iOS, and occasionally Android — I want the reliability of Bitwarden. That means I’ve got to maintain parity between the two, which from what I can tell is only a manual process. If that’s not something you’re up for, just pick one and stick with it.
Of course, that doesn’t mean those are the only password managers out there. Many people out there speak highly of things like KeePass and 1Password, though I haven’t tried those myself. I was also kind of interested in Proton Pass since I am a Protonmail user, but opted to just stay on Bitwarden until they give me a reason to leave.
Go with whichever one tickles your fancy, but please — in the name of all things holy — don’t just use the built-in “password manager” that comes in your browser. Chrome, Edge, Firefox, and most other web browsers out there today give you the option to store your login credentials for different websites. This is great for convenience, but I cannot tell you how many times I’ve scared people at work by pulling up all of their account usernames and passwords by just going into the Chrome or Firefox settings. These built-in solutions aren’t secure, nor were they really ever intended to be. Just get a real password manager and start using it!
Close Unused and/or Unwanted Accounts
The next step I took was to go to those unused or abandoned accounts and try to sign in. If the account was still active and I didn't have a reason to keep it, I went through the steps to delete it. Overall, I think I deleted about 30 accounts or so. Frankly, it was a little scary how old some of them were… the internet really is forever…
Change Reused Passwords to Strong and Unique Ones
For the remaining accounts, I made a list of which accounts had shared passwords. One by one, I logged into those accounts and reset the password to a strong and unique one. Apple’s offering has suggested complex passphrases for a long time now, so that’s nice. Likewise, Bitwarden can generate strong passwords with complexity options that will then automatically save to the entry for that site once applied. I did this for all remaining accounts to ensure that each account had its own unique and complex password, fully retiring my old go-to from back in the day.
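Finding the shared passwords (and the accounts still missing an authenticator, as noted earlier when documenting credentials) is easy to do against a vault export rather than by hand. This is an added example, not the post's own code or anything shipped by Bitwarden: it audits a constructed sample vault whose layout is assumed to follow the shape of a Bitwarden unencrypted JSON export (login items under "items" with a "login" object carrying "username", "password", "totp" and "uris"), and reports only account names, never the passwords themselves.

```python
import json
from collections import defaultdict

# Constructed sample vault, modelled on the shape of a Bitwarden unencrypted
# JSON export (assumed field names; "type" 1 = login item, 2 = secure note).
# Every credential below is fake and exists only for this demonstration.
SAMPLE_EXPORT = json.dumps({
    "encrypted": False,
    "items": [
        {"name": "Internet Archive", "type": 1,
         "login": {"username": "me@example.test", "password": "OldGoTo-2003",
                   "totp": None, "uris": [{"uri": "https://archive.org"}]}},
        {"name": "Old Forum", "type": 1,
         "login": {"username": "me", "password": "OldGoTo-2003",
                   "totp": None, "uris": [{"uri": "https://forum.example.test"}]}},
        {"name": "Bank", "type": 1,
         "login": {"username": "me@example.test", "password": "x9!Lq#v2Rt^mZ",
                   "totp": "otpauth://totp/Bank:me?secret=CONSTRUCTEDSECRET",
                   "uris": [{"uri": "https://bank.example.test"}]}},
        {"name": "Mail", "type": 1,
         "login": {"username": "me@example.test", "password": "unique-pw-4",
                   "totp": None, "uris": [{"uri": "https://mail.example.test"}]}},
        {"name": "Wifi note", "type": 2, "notes": "not a login item"},
    ],
})

def audit_vault(export_json):
    """Return (reused, no_totp): reused maps each shared password to the
    sorted names of the items using it; no_totp lists login items whose
    entry has no TOTP seed, i.e. no authenticator app configured via the vault."""
    data = json.loads(export_json)
    by_password = defaultdict(list)
    no_totp = []
    for item in data.get("items", []):
        login = item.get("login")
        if item.get("type") != 1 or not login:  # skip notes, cards, identities
            continue
        by_password[login.get("password", "")].append(item["name"])
        if not login.get("totp"):
            no_totp.append(item["name"])
    reused = {pw: sorted(names) for pw, names in by_password.items() if len(names) > 1}
    return reused, sorted(no_totp)

if __name__ == "__main__":
    reused, no_totp = audit_vault(SAMPLE_EXPORT)
    for names in reused.values():  # report which accounts share, not the secret
        print(f"password shared by {len(names)} accounts: {', '.join(names)}")
    print("no authenticator configured in vault:", ", ".join(no_totp))
```

A site can still have MFA enabled outside the vault (SMS, a separate authenticator app), so the second list is a starting point for the manual check, not a verdict.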
Enable MFA Wherever Possible
The final step was to make sure multi-factor authentication (MFA) is set up. For a lot of people just starting out with it, MFA is a pain so they try to avoid it. Having made a point to commit to using MFA for the better part of a decade now, I can honestly say it’s not that bad. It’s like anything else: the more you use it, the more you get used to it and the less intrusive it becomes.
Not all websites include MFA in their privacy and security settings — and shame on them at this point — so there’s not much that can be done beyond setting that strong password for those. For the rest, though, I enabled it and got it all squared away.
My preferred authenticator app is Authy, which is available for iOS and Android.
It used to have a desktop app, but that has been deprecated. Of course, there are plenty of other popular choices like Google Authenticator and Microsoft Authenticator (now do you see why I like Authy?). Unfortunately, not all sites are created equal when it comes to MFA and limit you to using an SMS text message to your phone. Now obviously, if you have a flip phone, you’re stuck with SMS MFA codes, but if you’re part of the vast majority of people with a smartphone it’s always best to go with an actual authenticator.
Practice Digital Discernment
I want to be perfectly clear with you; this process took several hours over the course of multiple days as I had time, and it was incredibly tedious. It’s not really a fun thing to do, but that’s also just part of being a responsible internet user at this point. I would strongly encourage you to take some time and start getting intentional with your digital footprint.
Moving forward, I will certainly continue to be more discerning when it comes to signing up for new accounts. Do I really need this account? Will I actually use it, or be using it a few months from now? If the answer is no, maybe think twice about signing up. If it’s a site or service that I want to test out just for fun, or whatever the case may be, maybe I’ll set up a burner email account that is only used for testing out services under a pseudonym.
All in all, reducing your digital footprint is a net positive. It reduces your risk of exposure in future data breaches, and fixing your password hygiene will help keep you from being exploited when those breaches happen anyway. But ultimately the purpose here is to reduce our dependence on this digital way of life as part of our overall digital exit strategy. While there are so many more things to cover in that regard, this is probably one of the more pressing and pragmatic things that is truly within your power to control right now.
I would also mention using services like SimpleLogin (or using the same feature in ProtonPass - they are both from Proton) to obfuscate your email, so you cannot be traced to particular services in the case that some breach happens.