Is it important to frequently change passwords?


Postby sunnyday » Thu May 02, 2013 9:38 am

My work requires employees to change their passwords every six months. Is this good practice or overkill -- why or why not?

Thanks to password management software, I use very strong passwords and they are all very different. However, I've had many of my passwords for over a year so I'm wondering if I should change them.
sunnyday
 
Posts: 1583
Joined: Sat Jul 16, 2011 9:48 am

Re: Is it important to frequently change passwords?

Postby JamesSFO » Thu May 02, 2013 9:48 am

Without knowing your line of work, hard to say. Password change policies are a double-edged sword. They solve one type of problem and replace it with another: people tend to need to write the passwords down if they change too often.
JamesSFO
 
Posts: 2013
Joined: Thu Apr 26, 2012 11:16 pm

Re: Is it important to frequently change passwords?

Postby auntie » Thu May 02, 2013 9:57 am

I have tried many times to get someone to explain why passwords should be changed. If there's a reason nobody's ever told me what it is.
High risk does not equal high reward. It equals high risk of no reward.
auntie
 
Posts: 246
Joined: Mon Dec 08, 2008 1:49 pm

Re: Is it important to frequently change passwords?

Postby Epsilon Delta » Thu May 02, 2013 10:12 am

There are a few reasons to change passwords. Since you're using strong passwords and a password manager the most important reason is to keep up with improvements in software and hardware. This does not require frequent changes, every two to five years should be enough, or when you have notice that a technological leap has occurred.

Let's say I capture a copy of your password database. I can't break it with 2013 technology so I store it and set a note to self to retry later. Fast forward to 2023, and I now have ten years of technological improvements, Moore's law alone means it's easier to break by a factor of 30-100, never mind any improvements in the algorithms. You can't keep secrets from the future with math. If you never change your passwords your 2023 self will be in trouble.
Epsilon Delta
 
Posts: 3354
Joined: Thu Apr 28, 2011 8:00 pm

Re: Is it important to frequently change passwords?

Postby soaring » Thu May 02, 2013 11:07 am

JamesSFO wrote:Without knowing your line of work, hard to say. Password change policies are a double-edged sword. They solve one type of problem and replace it with another: people tend to need to write the passwords down if they change too often.


:thumbsup

my bolded in your comment
Exactly! I tried to explain that to our IT dept, before I left, but to a deaf ear. The system issues a random NEW number every 90 days. Now we have nearly 1000 employees writing their password and "hiding" it.

The program should at least allow selection of individual password with established restrictions so it would be somewhat strong....then only about 500 would need to write it down.
Desiderata
soaring
 
Posts: 1403
Joined: Sun Nov 18, 2007 10:09 am
Location: North Central Florida

Re: Is it important to frequently change passwords?

Postby sunnyday » Thu May 02, 2013 1:20 pm

Here's a good article that I found about it - http://lifehacker.com/5966214/how-often ... -passwords
sunnyday
 
Posts: 1583
Joined: Sat Jul 16, 2011 9:48 am

Re: Is it important to frequently change passwords?

Postby genjix » Thu May 02, 2013 1:49 pm

If you're in a public company you have to follow SOX compliance (sarbanes oxley). Same as if your company does anything with credit card information, they have to follow PCI compliance standards. Not only changing your password every 90 days, but never email password information or credit card info.
If you're not compliant, the company can be fined thousands and thousands of dollars per day until you are.
genjix
 
Posts: 153
Joined: Sat Mar 12, 2011 3:51 pm

Re: Is it important to frequently change passwords?

Postby winglessangel31 » Thu May 02, 2013 2:13 pm

First and foremost, it is of the highest importance that you use different passwords. I am myself at fault; for unimportant sites, I have a few go-to throwaway passwords. But for important sites like bank accounts and so on, different passwords will protect you way, way more than changing passwords frequently. Because if it so happens that one password is compromised, only one important account is compromised, not your entire online life.

As someone already said, changing passwords protects you when a "recent/old" copy of a password database (from your computer or from an online server) was stolen. If you can make it such that those passwords (hashed, salted, encrypted) are "expired" by the time the hackers get their breakthrough, you are safe. Imagine a number safe and everyday someone was trying different numbers to open it. If every so often you change the code, their past progress is for naught, because they can no longer rely on the fact that those no longer work. In the password scenario, this is entirely the wrong image and you should not think that they are the same, but the effect is similar.
winglessangel31
 
Posts: 210
Joined: Tue Feb 12, 2013 5:53 pm

Re: Is it important to frequently change passwords?

Postby winglessangel31 » Thu May 02, 2013 2:21 pm

soaring wrote:
JamesSFO wrote:Without knowing your line of work, hard to say. Password change policies are a double-edged sword. They solve one type of problem and replace it with another: people tend to need to write the passwords down if they change too often.


:thumbsup

my bolded in your comment
Exactly! I tried to explain that to our IT dept, before I left, but to a deaf ear. The system issues a random NEW number every 90 days. Now we have nearly 1000 employees writing their password and "hiding" it.

The program should at least allow selection of individual password with established restrictions so it would be somewhat strong....then only about 500 would need to write it down.

However, chances are, one is part of only one or two organizations that have password expiry requirements, and, chances are, these are organizations to which you log in every single day or so. It is in no way difficult to remember a new password every 3 months. It's like getting a new assigned parking space every 3 months. You'll be awkward for the first few days, but then you'll know where your car is pretty instinctively, because you'll use it everyday.

Learning the art of making good, strong, but easy-to-remember passwords, is an art.

http://xkcd.com/936/
winglessangel31
 
Posts: 210
Joined: Tue Feb 12, 2013 5:53 pm

Re: Is it important to frequently change passwords?

Postby lightheir » Thu May 02, 2013 4:04 pm

Even safer and better than the recommendation from the comic strip above is to just use Keepass for all things financial or requiring security, and max out all the password generation complexity for the given website. Yes, you're then tied to Keepass to logon to the website, but that's likely good practice anyway to only logon to financials on your home computer except in real emergency (you can easily use logmein.com for remote access if that's necessary in a pinch and that way you're STILL on your home computer.)

With Keepass logons, you can change passwords as often as you like and you will never notice any added inconvenience in logging in. Very simple, and highly recommended. And free.
lightheir
 
Posts: 1280
Joined: Tue Oct 04, 2011 12:43 am

Re: Is it important to frequently change passwords?

Postby winglessangel31 » Thu May 02, 2013 4:21 pm

lightheir wrote:Even safer and better than the recommendation from the comic strip above is to just use Keepass for all things financial or requiring security, and max out all the password generation complexity for the given website. Yes, you're then tied to Keepass to logon to the website, but that's likely good practice anyway to only logon to financials on your home computer except in real emergency (you can easily use logmein.com for remote access if that's necessary in a pinch and that way you're STILL on your home computer.)

With Keepass logons, you can change passwords as often as you like and you will never notice any added inconvenience in logging in. Very simple, and highly recommended. And free.

That is a very valid alternative and I know many who use it. I don't do it though. Eggs in baskets, friend, eggs in baskets...
winglessangel31
 
Posts: 210
Joined: Tue Feb 12, 2013 5:53 pm

Re: Is it important to frequently change passwords?

Postby sunnyday » Thu May 02, 2013 5:08 pm

winglessangel31 wrote:
lightheir wrote:Even safer and better than the recommendation from the comic strip above is to just use Keepass for all things financial or requiring security, and max out all the password generation complexity for the given website. Yes, you're then tied to Keepass to logon to the website, but that's likely good practice anyway to only logon to financials on your home computer except in real emergency (you can easily use logmein.com for remote access if that's necessary in a pinch and that way you're STILL on your home computer.)

With Keepass logons, you can change passwords as often as you like and you will never notice any added inconvenience in logging in. Very simple, and highly recommended. And free.

That is a very valid alternative and I know many who use it. I don't do it though. Eggs in baskets, friend, eggs in baskets...


Instead of saving passwords on the cloud, I prefer to save them only locally using password management software like - 1password or keepass.
sunnyday
 
Posts: 1583
Joined: Sat Jul 16, 2011 9:48 am

Re: Is it important to frequently change passwords?

Postby BrandonBogle » Thu May 02, 2013 5:11 pm

I wish I could change my passwords only every 6 months. My employer requires we change them every 33 days!
BrandonBogle
 
Posts: 1175
Joined: Tue Jan 29, 2013 12:19 am

Re: Is it important to frequently change passwords?

Postby FedGuy » Sat May 04, 2013 7:05 am

I use a fairly long, randomly generated, complex password at work. They still make us switch it every two months or so. So, I simply added a "1" to the end of the password. When I had to change the password, I simply changed the "1" to a "2," and later to a "3," and so on. They won't let you repeat any of your most recent 8 passwords, so I'll be okay as I go up to "9," then "0," and then back to "1."

The awkward thing about work is that there are various subsidiary websites for certain other things. So, if I want to look at a copy of my pay stub, I have to log in to a special website linked from my page's main site, which has its own password. Certain publications that I need to read once every few weeks are also on a different special website, which has its own password. There are a few others. I like to keep all the passwords the same, because otherwise it would be too confusing, but the subsidiary passwords aren't changed automatically when the main password changes. What tends to happen is that I log into one of the subsidiary passwords, find that my password is incorrect, realize I haven't updated it since updating the main password, I subtract 1 (or 2, depending on how long it's been) from the end of my password, log in, and change the subsidiary password to whatever my main password is at the time. It's not really the most efficient system, but at least I don't have to write my password down.
FedGuy
 
Posts: 636
Joined: Sun Jul 25, 2010 4:36 pm

Re: Is it important to frequently change passwords?

Postby lightheir » Sat May 04, 2013 9:25 am

winglessangel31 wrote:
lightheir wrote:Even safer and better than the recommendation from the comic strip above is to just use Keepass for all things financial or requiring security, and max out all the password generation complexity for the given website. Yes, you're then tied to Keepass to logon to the website, but that's likely good practice anyway to only logon to financials on your home computer except in real emergency (you can easily use logmein.com for remote access if that's necessary in a pinch and that way you're STILL on your home computer.)

With Keepass logons, you can change passwords as often as you like and you will never notice any added inconvenience in logging in. Very simple, and highly recommended. And free.

That is a very valid alternative and I know many who use it. I don't do it though. Eggs in baskets, friend, eggs in baskets...


I don't see any eggs in basket issue here if you mean that there's a risk of keeping all your passwords in one place.

That's a real issue if you store things on the cloud but the odds of you getting the local copy hacked are infinitesimally small if you just use a local copy stashed on your computer. It's double authentication at its best - you would need both to access the local copy AND then hack the master password, which in combination is so unlikely that it's as good security as you'll get - far better than even Google double authentication. If you're that concerned you can even easily set Keepass to require finding a secret file (whatever you choose) on the same drive before it opens, so you will have TRIPLE authentication - local copy required, Keepass master password, and local secret file. With the local secret file set 'on', it's probably as safe as it gets even to store backup files of the keepass directory on the cloud or other media.

By far the best solution imo. Have been using it for years now.
lightheir
 
Posts: 1280
Joined: Tue Oct 04, 2011 12:43 am

Re: Is it important to frequently change passwords?

Postby The Wizard » Sat May 04, 2013 10:03 am

auntie wrote:I have tried many times to get someone to explain why passwords should be changed. If there's a reason nobody's ever told me what it is.

The reason is: it sounds like it may be a good idea to improve IT security. In reality, it's not, but "doing something" makes it look like the IT dept is on top of things...
Attempted new signature...
The Wizard
 
Posts: 6087
Joined: Tue Mar 23, 2010 2:45 pm
Location: Reading, MA

Re: Is it important to frequently change passwords?

Postby jupiter_man » Sat May 04, 2013 10:36 am

The Wizard wrote:
auntie wrote:I have tried many times to get someone to explain why passwords should be changed. If there's a reason nobody's ever told me what it is.

The reason is: it sounds like it may be a good idea to improve IT security. In reality, it's not, but "doing something" makes it look like the IT dept is on top of things...



Passwords should be changed to protect against espionage and other silent lurkers; these people are not there for money or other one-time advantage, but probably would like to get ongoing information from your email or other accounts that is of value to them. For example, if an employee discovers/cracks/hacks the email login and password of the CEO, CFO etc., then the employee could access email communications from their accounts. These types of hackers will use every trick so that their logins to these email accounts are not discovered, so that they can continue to get access to the information. Now imagine if the CFO does not have to change the password ever, vs. change it every x days; there is no doubt which will cause more damage.
jupiter_man
 
Posts: 53
Joined: Fri May 03, 2013 9:02 pm

Re: Is it important to frequently change passwords?

Postby lightheir » Sat May 04, 2013 11:35 am

jupiter_man wrote:
The Wizard wrote:
auntie wrote:I have tried many times to get someone to explain why passwords should be changed. If there's a reason nobody's ever told me what it is.

The reason is: it sounds like it may be a good idea to improve IT security. In reality, it's not, but "doing something" makes it look like the IT dept is on top of things...



Passwords should be changed to protect against espionage and other silent lurkers; these people are not there for money or other one-time advantage, but probably would like to get ongoing information from your email or other accounts that is of value to them. For example, if an employee discovers/cracks/hacks the email login and password of the CEO, CFO etc., then the employee could access email communications from their accounts. These types of hackers will use every trick so that their logins to these email accounts are not discovered, so that they can continue to get access to the information. Now imagine if the CFO does not have to change the password ever, vs. change it every x days; there is no doubt which will cause more damage.


While it is true that more frequent password changing will lead to overall higher security (Google's dbl authentication is a good example of a 2nd password that changes every MINUTE), most computer security experts say that in its current incarnation of single-password password changing that a lot of workplaces use, it's essentially useless and probably shouldn't even be done as it creates more security holes than security.

The VAST majority of people who change their password on a regular basis, usually because workplace rules force it, just add an incremental digit or character to the end of their password. If you think someone who is actually out to hack your passwords is going to be stopped by that one digit you're sadly mistaken - odds are FAR higher that a huge % of those very people adding those extra digits are writing the password down insecurely somewhere, which just compromises the security.

The double authentication with a passchanging keyfob or softwarefob (Goog dbl authentication) is a much better method as it uses true new complexity passwords, not just a single incrementing digit. Alas, you then need the keyfob or softwarefob to get in.

But after reading a fair amount on computer security password opinions in the past few years, it's pretty clear that the idea of changing your password every 2-3 months is pretty useless unless you literally create a whole new password each time to reset the password complexity. If you're just incrementing or changing a single digit in the password, you're only giving yourself a very false sense of security, for if they can breach your main password, that single character increment will not stop them at all.
lightheir
 
Posts: 1280
Joined: Tue Oct 04, 2011 12:43 am
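The "bump the last digit" habit FedGuy describes and lightheir criticises above is something a password-change endpoint can actually refuse. Here is an added example (my own code, not from any poster or product in this thread) of a change-time check that treats a candidate as a trivial variant of the current password when only leading/trailing digits or symbols differ, when it is the old password reversed, or when it is within two edits of it. The password strings and the eight-entry history are constructed sample data; the edit-distance threshold of 2 is my assumption.

```python
import re

# Leading/trailing "decoration" that people typically bump on forced rotation:
# digits, common symbols, underscores and dashes.
_DECORATION = r"[0-9!@#$%^&*._\-]+"


def normalize(password: str) -> str:
    """Strip leading/trailing decoration and case, so 'Pass_1', 'pass2' and '3_Pass' all map to 'pass'."""
    core = re.sub(rf"^{_DECORATION}", "", password)
    core = re.sub(rf"{_DECORATION}$", "", core)
    return core.lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is a cosmetic variation of `old` rather than a new secret."""
    if old == new:
        return True
    core_old, core_new = normalize(old), normalize(new)
    if core_old and core_old == core_new:
        return True                      # only the bumped digit/symbol differs
    if new.lower() == old.lower()[::-1]:
        return True                      # old password written backwards
    return levenshtein(old.lower(), new.lower()) <= max_edits


def violates_history(new: str, history: list[str]) -> bool:
    """Reject a candidate that is a trivial variant of any password in `history`."""
    return any(is_trivial_variant(old, new) for old in history)


if __name__ == "__main__":
    # Constructed sample: a user who has been incrementing "_1" ... "_8" for eight cycles.
    past = [f"Xq7!vBn2pLr_{i}" for i in range(1, 9)]
    print("Xq7!vBn2pLr_9 rejected:", violates_history("Xq7!vBn2pLr_9", past))
    print("fresh passphrase rejected:", violates_history("m3L0dy-tr4ctor-Fjord", past))
```

One practical caveat: the current password is available in plaintext at change time (the user has to type it), so the comparison against it is straightforward; older history entries are normally stored only as hashes, so checking them this way requires keeping the comparison material in a form that is itself a liability. That limitation is part of why the practitioners lightheir cites conclude forced rotation of an otherwise strong password buys little.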

Re: Is it important to frequently change passwords?

Postby Sunny Sarkar » Sat May 04, 2013 12:06 pm

First of all, in the broad scheme of things, you are only as safe as your primary/password recovery email is.

Now, regarding passwords... the xkcd piece above explains it best - most important: (1) make it long - because most attacks today are brute force attacks. After that the most important factor is (2) make them different, i.e. different passwords for different sites, so that even if one gets compromised, the others are safe. Eliminate the human factor next, (3) make them random by using a password generator to eliminate the possibility of social engineering. And then (4) eliminate the risk of keyloggers - do not type the password - this, and all the other factors (1 through 4), are easily implemented by using a password tool like LastPass. Beyond that, one suggested best practice is to keep a (5) separate password recovery email for the LastPass master password, i.e. a different email than the one used to log in.

All this sounds complex, but paradoxically, implementing all of the above with LastPass makes life a lot simpler than the standard strategy of remembering one/few password(s).
"Cost matters". "Stay the course". "Press on regardless". ― John C. Bogle
Sunny Sarkar
 
Posts: 2260
Joined: Fri Mar 02, 2007 2:02 am
Location: Flower Mound, TX

Re: Is it important to frequently change passwords?

Postby gerrym51 » Sat May 04, 2013 12:10 pm

of course they should be changed-but i never do. :mrgreen:
gerrym51
 
Posts: 1556
Joined: Sat Apr 27, 2013 2:44 pm

Re: Is it important to frequently change passwords?

Postby BHCadet » Sat May 04, 2013 2:17 pm

At work, we have non-person accounts used by the web system to the backend databases.
The passwords for these non-person accounts don't expire.
For the day-to-day login account, it has to be changed every 90 days.

For my personal accounts, I don't change them often.
I have several passwords so if one account got broken into, the other accounts wouldn't get compromised.
BHCadet
 
Posts: 367
Joined: Sun Jan 15, 2012 1:47 am
Location: Southern California

Re: Is it important to frequently change passwords?

Postby BolderBoy » Sat May 04, 2013 5:02 pm

FedGuy wrote:I use a fairly long, randomly generated, complex password at work. They still make us switch it every two months or so. So, I simply added a "1" to the end of the password. When I had to change the password, I simply changed the "1" to a "2," and later to a "3," and so on. They won't let you repeat any of your most recent 8 passwords, so I'll be okay as I go up to "9," then "0," and then back to "1."


ROFL. This is what 99% of the people in my workplace (10s of thousands of employees) do and apparently they learned to do this by... "calling IT support".
BolderBoy
 
Posts: 885
Joined: Wed Apr 07, 2010 1:16 pm
Location: Colorado

Re: Is it important to frequently change passwords?

Postby Epsilon Delta » Sun May 05, 2013 10:07 am

lightheir wrote:
winglessangel31 wrote:
lightheir wrote:Even safer and better than the recommendation from the comic strip above is to just use Keepass for all things financial or requiring security, and max out all the password generation complexity for the given website. Yes, you're then tied to Keepass to logon to the website, but that's likely good practice anyway to only logon to financials on your home computer except in real emergency (you can easily use logmein.com for remote access if that's necessary in a pinch and that way you're STILL on your home computer.)

With Keepass logons, you can change passwords as often as you like and you will never notice any added inconvenience in logging in. Very simple, and highly recommended. And free.

That is a very valid alternative and I know many who use it. I don't do it though. Eggs in baskets, friend, eggs in baskets...


I don't see any eggs in basket issue here if you mean that there's a risk of keeping all your passwords in one place.

That's a real issue if you store things on the cloud but the odds of you getting the local copy hacked are infinitesimally small if you just use a local copy stashed on your computer. It's double authentication at its best - you would need both to access the local copy AND then hack the master password, which in combination is so unlikely that it's as good security as you'll get - far better than even Google double authentication. If you're that concerned you can even easily set Keepass to require finding a secret file (whatever you choose) on the same drive before it opens, so you will have TRIPLE authentication - local copy required, Keepass master password, and local secret file. With the local secret file set 'on', it's probably as safe as it gets even to store backup files of the keepass directory on the cloud or other media.

By far the best solution imo. Have been using it for years now.

The local secret file does not solve the backup problem. If the secret file is not backed up then if you lose that file you lose all your passwords. If it is backed up (or is a commonly available file) then the bad guy can get at it.

You also need to make sure that you don't have a circular dependency in your backups, e.g. the password for your backups is in your KeePass file and the backup of your KeePass file is encrypted. One solution is to use a really strong password to encrypt a backup and write it down in indelible ink on waterproof paper and store it in a safety deposit box.
Epsilon Delta
 
Posts: 3354
Joined: Thu Apr 28, 2011 8:00 pm

Re: Is it important to frequently change passwords?

Postby lightheir » Sun May 05, 2013 10:14 am

The local secret file does not completely solve the problem, but it is an excellent way of adding double authentication to your security.

There is no doubt that if activated it substantially increases your chances of being hacked. It adds an entire layer of added security to the password, in different format, and difficult to reproduce. Copying the secret file is possible, but requires access to your native computer, even if you store your keepass database file backup online as an offsite backup.

The added local secret file, when implemented correctly, is stronger security than adding complexity to an already strong password, and adds trivial amounts of work to open the password database, as opposed to dramatically adding complexity to an already complex password.

It is in a sense, double authentication. As long as you don't keep the secret file in an easily copyable and easily identifiable location, you're good to go. And in terms of cloud access, even if you do store both the keepass dB and the secret file online somewhere so you can open the database remotely, it's STILL better than password alone (by a lot) as long as you don't store the same files right next to each other so they're obviously related. This way, you can still back up both.

The odds of a bad guy finding your secret file are very, very low. Throw in the complex password, and you've created a nastily hard database to crack, yet still easily accessible to yourself.
lightheir
 
Posts: 1280
Joined: Tue Oct 04, 2011 12:43 am
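To make the key-file discussion between lightheir and Epsilon Delta concrete, here is an added example (my own illustration, not KeePass's actual file format or code) of how a master password and an optional key file can be folded into one database key: both inputs are hashed into a composite secret, a slow KDF is run over it, and unlocking succeeds only if the password and the key-file bytes are both right. The salt, the 64-byte stand-in key file, the master passphrase and the iteration count are constructed sample values.

```python
import hashlib
import hmac
from typing import Optional


def composite_key(password: str, key_file: Optional[bytes]) -> bytes:
    """Fold the master password and (optional) key file into one 32-byte secret.

    Hypothetical construction for illustration only; a real password manager
    defines its own composite-key format.
    """
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.sha256(material).digest()


def derive_db_key(password: str, key_file: Optional[bytes], salt: bytes,
                  iterations: int = 100_000) -> bytes:
    """Slow KDF over the composite key; in a real manager this key encrypts the database."""
    return hashlib.pbkdf2_hmac("sha256", composite_key(password, key_file),
                               salt, iterations, dklen=32)


def make_verifier(db_key: bytes) -> bytes:
    """A stored check value that lets the app confirm an unlock attempt without storing the key."""
    return hashlib.sha256(b"verifier:" + db_key).digest()


def unlock(verifier: bytes, password: str, key_file: Optional[bytes], salt: bytes) -> bool:
    """True only if password AND key file reproduce the stored verifier (constant-time compare)."""
    candidate = make_verifier(derive_db_key(password, key_file, salt))
    return hmac.compare_digest(candidate, verifier)


# Constructed sample values (not real secrets). A real key file would come from
# secrets.token_bytes(); a fixed pattern is used here so the example is reproducible.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
KEY_FILE = bytes(range(64))
MASTER = "correct horse battery staple"
VERIFIER = make_verifier(derive_db_key(MASTER, KEY_FILE, SALT))

if __name__ == "__main__":
    print("password + key file:", unlock(VERIFIER, MASTER, KEY_FILE, SALT))
    print("password only:      ", unlock(VERIFIER, MASTER, None, SALT))
    print("wrong key file:     ", unlock(VERIFIER, MASTER, bytes(64), SALT))
```

The thing to notice is that the key file contributes to the secret exactly as far as an attacker does not have it. If the database and key file are backed up side by side, as Epsilon Delta warns, an attacker who obtains the backup is back to guessing the password alone; if the key file is not backed up at all, losing the disk loses the database. There is no setting that escapes that trade-off, only a choice of where to keep the second copy.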

Re: Is it important to frequently change passwords?

Postby Epsilon Delta » Sun May 05, 2013 10:22 am

Sunny Sarkar wrote:(3) make them random by using a password generator to eliminate the possibility of social engineering. And then (4) eliminate the risk of keyloggers - do not type the password - this, and all the other factors (1 through 4), are easily implemented by using a password tool like LastPass. Beyond that, one suggested best practice is to keep a (5) separate password recovery email for the LastPass master password, i.e. a different email than the one used to log in.


These steps are questionable.
3) There are many cases of computer "random" number generators being broken. It is almost impossible to test a random number generator to see if it is broken. If you want random numbers do it yourself by throwing dice. A Boggle game is one way to do this. At least do this for your high security passwords.
4) Avoiding typing passwords is usually silly. "Key loggers" do a lot more than log keys these days.
5) A separate recovery e-mail may help, but you need to test it regularly. This is particularly true if you dial up security on the recovery account.
Epsilon Delta
 
Posts: 3354
Joined: Thu Apr 28, 2011 8:00 pm

Re: Is it important to frequently change passwords?

Postby zaplunken » Sun May 05, 2013 3:52 pm

Epsilon Delta wrote:There are a few reasons to change passwords. Since you're using strong passwords and a password manager the most important reason is to keep up with improvements in software and hardware. This does not require frequent changes, every two to five years should be enough, or when you have notice that a technological leap has occurred.

Let's say I capture a copy of your password database. I can't break it with 2013 technology so I store it and set a note to self to retry later. Fast forward to 2023, and I now have ten years of technological improvements, Moore's law alone means it's easier to break by a factor of 30-100, never mind any improvements in the algorithms. You can't keep secrets from the future with math. If you never change your passwords your 2023 self will be in trouble.


Wow that's something I never would have thought of. Thanks for the tip, changing even complex passwords every few years is a wise thing to do!
zaplunken
 
Posts: 702
Joined: Tue Jul 01, 2008 10:07 am

change not your passwords to reap folly

Postby manyness » Thu May 09, 2013 4:56 am

Given the financial nature around here I deem it important to mock those 'protecting' their bank sums with a MERE 4 digit pin

forsooth!

Within that banking institution ATM system your pin may be up to _16_ digits. For inter-atm depending on symbols of card the limit is actually _8_ digits.

This might require re-education of your bank's manager.

Showing might be more convincing for the feeble of mind.


And, yes, change that with regularity, too.
[ nosce te ipsum. (know thyself) ] ||| [ Be overcome by justice. Pursue honor. Be prudent. Find fault with no one. Deal kindly with everyone. Never tire of learning. ] ||| [ Long for wisdom ]
manyness
 
Posts: 27
Joined: Thu May 09, 2013 2:33 am

Re: Is it important to frequently change passwords?

Postby johnep » Thu May 09, 2013 9:49 am

I managed a large IT organization for many years. My security staff insisted that all employees change their passwords every 60 days. I asked the security manager why should we require that when none of my financial accounts require a change in passwords ever. These financial companies would be on the hook for any losses. Most of our data and systems were not that sensitive to require stringent passwords. I never got a good answer to my question but he persisted. This is conventional thinking amongst security people.

Personally I think having strong passwords that are different for each sensitive account, i.e. financial, SS, insurance, etc. and adhering to other sound security principles is much more important than changing passwords frequently. The use of strong passwords makes them hard to remember if you change them frequently. There are password managers that you can use to deal with your passwords as well although I have not used any of them.
johnep
 
Posts: 1071
Joined: Wed Dec 28, 2011 10:56 am
Location: North Carolina

Re: Is it important to frequently change passwords?

Postby winglessangel31 » Thu May 09, 2013 3:38 pm

johnep wrote:I managed a large IT organization for many years. My security staff insisted that all employees change their passwords every 60 days. I asked the security manager why should we require that when none of my financial accounts require a change in passwords ever. These financial companies would be on the hook for any losses. Most of our data and systems were not that sensitive to require stringent passwords. I never got a good answer to my question but he persisted. This is conventional thinking amongst security people.

Personally I think having strong passwords that are different for each sensitive account, i.e. financial, SS, insurance, etc. and adhering to other sound security principles is much more important than changing passwords frequently. The use of strong passwords makes them hard to remember if you change them frequently. There are password managers that you can use to deal with your passwords as well although I have not used any of them.

Strong passwords hard to remember? Myth.
winglessangel31
 
Posts: 210
Joined: Tue Feb 12, 2013 5:53 pm

Re: Is it important to frequently change passwords?

Postby johnep » Fri May 10, 2013 7:47 am

winglessangel31 wrote:
johnep wrote:I managed a large IT organization for many years. My security staff insisted that all employees change their passwords every 60 days. I asked the security manager why should we require that when none of my financial accounts require a change in passwords ever. These financial companies would be on the hook for any losses. Most of our data and systems were not that sensitive to require stringent passwords. I never got a good answer to my question but he persisted. This is conventional thinking amongst security people.

Personally I think having strong passwords that are different for each sensitive account, i.e. financial, SS, insurance, etc. and adhering to other sound security principles is much more important than changing passwords frequently. The use of strong passwords makes them hard to remember if you change them frequently. There are password managers that you can use to deal with your passwords as well although I have not used any of them.

Strong passwords hard to remember? Myth.


Strong passwords are not hard to remember if you use an acronym for a favorite phrase and combine it with numbers that are memorable. You can even include capital letters and a special character to remember. I have one weak password that I use for non-sensitive websites but use different strong passwords for each financial site I use. The more strong passwords you use, the more challenging it will be, but everybody has some favorite phrases they can use. Just make sure it is not so popular that it can be easily guessed.
johnep
 
Posts: 1071
Joined: Wed Dec 28, 2011 10:56 am
Location: North Carolina

Re: Is it important to frequently change passwords?

Postby Epsilon Delta » Fri May 10, 2013 1:00 pm

johnep wrote:Strong passwords are not hard to remember if you use an acronym for a favorite phrase and combine it with numbers that are memorable. You can even include capital letters and a special character to remember. I have one weak password that I use for non-sensitive websites but use different strong passwords for each financial site I use. The more strong passwords you use, the more challenging it will be, but everybody has some favorite phrases they can use. Just make sure it is not so popular that it can be easily guessed.


People are bad judges of randomness: just because "O4aMof,twaTbhoi,Akfas,ptaAmtbtss!" looks random does not mean it is random, and it is probably used in dictionary attacks.

It's hard to calculate exactly but these passwords are not strong. The Oxford Dictionary of Quotations has about 20,000 entries. Throw in a few other reference works to cover other parts of the culture and you're still talking about 100,000 phrases that include many people's "memorable phrases". That's less than 17 bits of entropy, which means the vast majority of your security has to be in your "modifications" and those are hard to remember.

If you're going to use a phrase to get your entropy at the very least it has to be personal to you: no song lyrics, no Shakespeare, no Bible, no published authors. It's probably easier to use diceware.
User avatar
Epsilon Delta
 
Posts: 3354
Joined: Thu Apr 28, 2011 8:00 pm

Re: Is it important to frequently change passwords?

Postby Calm Man » Fri May 10, 2013 1:04 pm

IT people are good people in general. For some reason, once a company has an IT group, there appears to be a necessity to "do things". Frequent emails apologizing for service that will be down for maintenance at 3 AM of a 3 day weekend and offering to make special arrangements as needed. Or what this thread is about. Change the password every 90 days. So what do I do as I am now consulting at a few companies? I use the identical password at an individual company and add a number. I start with 1. Then I change the last number to 2. Then 3. I write it down. How else could people remember these things? The companies won't allow access to sites like dropbox or keepass for additional reasons that I don't understand. But that's life.
Calm Man
 
Posts: 2688
Joined: Wed Sep 19, 2012 10:35 am

Re: Is it important to frequently change passwords?

Postby diasurfer » Fri May 10, 2013 1:13 pm

This topic comes up frequently on the board. Since it is arguably part of financial security, it would be nice if the knowledgeable posters to this thread added a section to the bogleheads wiki about the various options for securing online passwords.
diasurfer
 
Posts: 1820
Joined: Fri Jul 06, 2007 9:33 pm
Location: miami-dade

Re: Is it important to frequently change passwords?

Postby whomever » Fri May 10, 2013 1:41 pm

auntie wrote:I have tried many times to get someone to explain why passwords should be changed. If there's a reason nobody's ever told me what it is.


Bruce Schnieir, I think, had an interesting article on this a year or two ago. He made an interesting point that one overlooked point was whether you would notice a password compromise.

If, for example, your amazon.com password is compromised, you'd likely notice pretty soon - the attacker is unlikely to just watch your want list; they will instead be ordering widgets for delivery to strange addresses. You will notice that, call your credit card company, and all will be OK, modulo some minor hassles.

The more insidious case is where you might not notice a compromise - your email account might be an example. If an attacker got that password, they could quietly listen in, or act as you, for an extended period without it being obvious that they were doing so. Schnieir's point was that passwords like that were important to change regularly, while the ones where misuse will be obvious might not matter as much.
whomever
 
Posts: 188
Joined: Sat Apr 21, 2012 6:21 pm

Re: Is it important to frequently change passwords?

Postby VictoriaF » Fri May 10, 2013 1:53 pm

whomever wrote:Bruce Schnieir Schneier


Victoria
Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
User avatar
VictoriaF
 
Posts: 11764
Joined: Tue Feb 27, 2007 8:27 am
Location: Black Swan Lake

Re: Is it important to frequently change passwords?

Postby VictoriaF » Fri May 10, 2013 2:00 pm

Calm Man wrote:IT people are good people in general. For some reason, once a company has an IT group, there appears to be a necessity to "do things".


This is an instance of the principal and agent problem. A user, the principal, wants a flawless operation. An IT operator, the agent, wants to have excuses for inevitable security breaches. Blaming stupid users is common--even when stupidity is forced on the users. Bruce Schneier mentioned above calls it security theater.

Victoria
Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
User avatar
VictoriaF
 
Posts: 11764
Joined: Tue Feb 27, 2007 8:27 am
Location: Black Swan Lake

Re: Is it important to frequently change passwords?

Postby winglessangel31 » Fri May 10, 2013 2:00 pm

Calm Man wrote:IT people are good people in general. For some reason, once a company has an IT group, there appears to be a necessity to "do things". Frequent emails apologizing for service that will be down for maintenance at 3 AM of a 3 day weekend and offering to make special arrangements as needed. Or what this thread is about. Change the password every 90 days. So what do I do as I am now consulting at a few companies? I use the identical password at an individual company and add a number. I start with 1. Then I change the last number to 2. Then 3. I write it down. How else could people remember these things? The companies won't allow access to sites like dropbox or keepass for additional reasons that I don't understand. But that's life.

You could maybe start by reading what the other posts are suggesting for good, easy to remember passwords. :P
I always use this example:
http://xkcd.com/936/
winglessangel31
 
Posts: 210
Joined: Tue Feb 12, 2013 5:53 pm
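
The two arguments above, Epsilon Delta's point that a catalogued quotation contributes under 17 bits no matter how random its acronym looks, and the xkcd 936 comic winglessangel31 links (four words from a 2048-word list give 44 bits), are both just arithmetic on the size of the space an attacker has to search. The following is an added example, not code posted by anyone in this thread, that carries that arithmetic through and generates a Diceware-style passphrase with a cryptographic RNG. The 12-word list is constructed for the demonstration; the real Diceware list has 7776 words, and the catalogue size of 100,000 phrases is Epsilon Delta's estimate, not a measured figure.

```python
import math
import secrets

# Constructed sample list. A real Diceware list has 6**5 = 7776 entries, one
# per five-dice roll; this short list only exercises the selection logic.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "apple", "cloud",
                "ladder", "kettle", "orbit", "pencil", "quartz", "rhino"]
DICEWARE_LIST_SIZE = 6 ** 5   # 7776 words
XKCD_LIST_SIZE = 2048         # xkcd 936 assumes 11 bits per common word

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bits_for_choice(space_size: int, picks: int = 1) -> float:
    """Entropy (bits) of `picks` independent, uniform choices from `space_size` options."""
    return picks * math.log2(space_size)


def quotation_acronym_bits(phrase_catalogue_size: int, modification_bits: float) -> float:
    """Epsilon Delta's model of the 'acronym of a favourite phrase' scheme.

    If the phrase is one of N catalogued quotations, the attacker's search space
    for the phrase itself is N; only the ad-hoc modifications (digits, case,
    punctuation) add anything beyond log2(N).
    """
    return math.log2(phrase_catalogue_size) + modification_bits


def words_needed(target_bits: float, list_size: int) -> int:
    """Fewest words drawn uniformly from `list_size` that reach `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years for an attacker to try every candidate in a space of 2**bits."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def diceware_passphrase(words, n_words: int) -> str:
    """Pick `n_words` uniformly with the OS CSPRNG (secrets), i.e. the software
    equivalent of rolling physical dice. Do not use random.choice for this."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    # Epsilon Delta's estimate: ~100,000 catalogued phrases is under 17 bits.
    print(f"quotation catalogue: {bits_for_choice(100_000):.2f} bits")
    # xkcd 936: four words from a 2048-word list.
    print(f"xkcd 4-word passphrase: {bits_for_choice(XKCD_LIST_SIZE, 4):.1f} bits")
    print(f"  ~{years_to_exhaust(44, 1000):.0f} years at 1000 guesses/sec")
    # Diceware: how many words for a given target?
    for target in (44, 64, 80):
        print(f"{target} bits needs {words_needed(target, DICEWARE_LIST_SIZE)} Diceware words")
    print("sample passphrase:", diceware_passphrase(SAMPLE_WORDS, 4))
```

Two things the numbers make obvious: the 100,000-phrase catalogue is about 16.6 bits, so an acronym scheme lives or dies on its modifications, and a single Diceware word (about 12.9 bits) is worth less than that catalogue, which is why xkcd's four words and Diceware's usual five or six are needed before the passphrase is stronger than a guessable quotation. The 1000 guesses per second in the comic is an online rate; against a leaked hash the attacker's rate is set by their hardware and the hash function, which is Epsilon Delta's earlier point about technology catching up.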

Re: Is it important to frequently change passwords?

Postby winglessangel31 » Fri May 10, 2013 2:01 pm

Epsilon Delta wrote:
johnep wrote:Strong passwords are not hard to remember if you use an acronym for a favorite phrase and combine it with numbers that are memorable. You can even include capital letters and a special character to remember. I have one weak password that I use for non-sensitive websites but use different strong passwords for each financial site I use. The more strong passwords you use, the more challenging it will be, but everybody has some favorite phrases they can use. Just make sure it is not so popular that it can be easily guessed.


People are bad judges of randomness: just because "O4aMof,twaTbhoi,Akfas,ptaAmtbtss!" looks random does not mean it is random, and it is probably used in dictionary attacks.

It's hard to calculate exactly but these passwords are not strong. The Oxford Dictionary of Quotations has about 20,000 entries. Throw in a few other reference works to cover other parts of the culture and you're still talking about 100,000 phrases that include many people's "memorable phrases". That's less than 17 bits of entropy, which means the vast majority of your security has to be in your "modifications" and those are hard to remember.

If you're going to use a phrase to get your entropy at the very least it has to be personal to you: no song lyrics, no Shakespeare, no Bible, no published authors. It's probably easier to use diceware.

It also doesn't even always have to make sense :P
winglessangel31
 
Posts: 210
Joined: Tue Feb 12, 2013 5:53 pm
