Convince me I should change my password

By Shanghai Sam
I've studied the issue and read all the reports, and I am just not convinced that frequent changes of passwords improve security.

To all the security pros out there. Convince me that I am wrong.

The current mantra about passwords goes something like this:
- make them difficult.
- use a unique password for every application, i.e. don't use the same password on two or more systems.
- change them frequently.
- don't reuse passwords.

Taking into account my Yahoo, Hotmail, a dozen shopping sites, TechRepublic, 15 applications at my office, and a bit of Internet banking, I probably would need 30-odd unique passwords.

Which all should be changed every three weeks or so.

And should never be repeated.

If I had to enforce this policy at my company all I would do is encourage the writing down of passwords. Golly-geez, now I am really secure (not!).

So, ... I propose that a password policy should be something like this.

- create three, very difficult to guess, passwords of 12 characters or more.

- use one for the office, use one for the internet, and the last one for your personal finances (banks, stocks, etc).

- change the passwords once a year.

The logic behind changing passwords frequently is to limit the time of exposure of a breach. Now, if the policy is to change once a month, then the mean time of exposure is 2 weeks. Just how much "security" have I got if I limit a bad guy to having only two weeks' access?

Using this logic I should require passwords to be changed every day, or even better, every hour! Now THAT would limit my exposure window.

So there it is, convince me that frequent changes to passwords improve my security.

Thank you for your input.

Craig


Risk Ranges

by generalist In reply to Convince me I should chan ...

A lot depends upon the range of risks you face if a password is determined.

If an area is low risk, change it once every year or so and use the same password.

If an area is high risk, consider using more than one password that is changed more frequently. Also avoid having the same password for the high risk accounts, otherwise a cracker might reuse it.

Of course, when it comes down to memorizing things, you could always put the passwords on bits of paper that are stored in one or more safe places. And if those items don't have an obvious link to the accounts they access, they are fairly safe.

Of course, the one thing I always wonder about is the possibility of changing a password so that you step into the path of a cracker. (i.e. a cracker is using a modified 'dictionary' approach and you change your password so that it is in the way of his/her search.)


Yes.... could go either way, eh?

by admin In reply to Risk Ranges

Could put you in or out of the path...

I liked your "passwords on safe paper" approach. It's better than mine. I usually have to recover them electronically when I forget them, which makes me wonder a little why I have them. It's like my house really. Someone could potentially get through both locks on each door, someone could even bypass the alarms and battery back-ups. In fact, they may even do it without getting on video, possibly... but they will probably just hit an easier house.

It seems like so many passwords is more of a problem of human memory primarily anyway. The average human brain can only remember so many combinations etc., and this of course pales in comparison to the amount of force that even a relatively small home computer can now apply. Interestingly, once root is gained in several places, a pattern can be figured out and greatly decrease the time required in the future (I think you allude to this?).

Sometimes it's easier to reduce the risk at the data than at the door. But secure the door anyway, at least enough for them to find greener pastures.


You might want to add...

by Shanghai Sam In reply to Convince me I should chan ...

...at least a mix of letters and numbers not found in a dictionary if you are really concerned. This will at least stop the dictionary cracks.

After this, it really can compromise the security of the system you are logging into if you use the same one for multiple sites, but this may be OK. Some programs/OSs are almost impossible, yet some are quite easy, to retrieve a username and password from. See this for a small taste:
http://www.elcomsoft.com/prs.html

The difficulty lies in someone retrieving your UN and PW from a relatively insecure system and using it on a more secure one. Also, new vulnerabilities are discovered nearly daily; by changing your password you will be one step ahead after the sysop patches the hole, which greatly helps you AND him, in some cases.

This, of course, doesn't even begin to address the insecurity of a Windows home box with the passwords cached on it, especially if it has a full-time Internet connection.

Of course, the easiest factor is often overlooked: the human one. You are right about sticky notes in top drawers and that "emergency" cell phone call that gets the password from the staff at your company. Many pros miss the forest for the trees with secure electrons and insecure human environments.

I think you are on the right track, separating the amount of risk you can accept on different systems and planning accordingly. I would definitely change my bank account more than once a year though, and I would consider more factors than just "time of exposure" when planning.


I agree about changing passwords

by swat3commander In reply to You might want to add...

I agree big time with changing your password on everything you log on to, like this site, Hotmail, Yahoo. Once a month is good to change, and have some numbers added to your passwords. Always remember to write down your new password on a paper, though.


Re: Passwords

by Shanghai Sam In reply to Convince me I should chan ...

Well Craig, it is very important to change your passwords. Why? Here is why... There are lots of people known as "hackers". They love the challenge of cracking passwords, sometimes for fun, sometimes for revenge.

If a hacker has access to any info, especially bank or credit card, that means a hacker can purchase products using your credit card and even make transactions of a certain amount of cents to be transferred from your account to another account. You know, you add pennies together and you get a dollar; a dollar here and there also adds up.

Best way to do it if you want to use just a few passwords: your passwords should be between 8 and 14 alphanumeric characters so they are harder to crack and cannot be cracked by a dictionary attack. If you know multiple languages, pick a word in a different language; if you can add symbols to your password, do it; if the password is case sensitive, then mix uppercase with lowercase and numbers, of course.

There are plenty of tools out there available to crack any password, including e-mail passwords. If you feel that your information is not worth securing, then go ahead, don't change the passwords and don't make them difficult. Let others play with your information, send e-mails from your e-mail and get you in trouble. By the way, go ahead and write down your passwords as other smart people are saying... You're just going against the purpose of "passwords". I know they can be annoying, but they will protect your information.

Is that clear enough, or do you need a more detailed explanation?
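Added example, not code posted by anyone in this thread. Two posts above ("You might want to add..." and "Re: Passwords") claim that a word with digits or symbols mixed in, or any 8 to 14 alphanumeric characters, will defeat a dictionary attack. The script below shows why that is not enough: it runs a candidate password through a simplified set of the mangling rules a cracker applies to a word list (capitalisation, leet substitutions, appended digits, symbols and years) and, separately, estimates the keyspace a pure brute-force search would have to cover. The word list, the sample passwords, the rule set and the guess rate of 10^9 per second are all constructed assumptions for the example; a real attack uses a much larger list and far richer rules.

```python
"""Check a candidate password against mangled dictionary words, then estimate
the brute-force keyspace it would otherwise force an attacker to search.

Added example, not from the forum thread. WORDLIST is a constructed stand-in
for a real cracker's dictionary, the mangling rules are a simplified subset of
what real tools apply, and GUESSES_PER_SECOND is an assumed attacker rate.
"""
import string

# Constructed toy word list; a real attack loads millions of words.
WORDLIST = ["password", "letmein", "welcome", "dragon", "summer", "shanghai"]
LEET = {"a": "4", "e": "3", "i": "1", "o": "0"}   # common substitutions
SUFFIX_SYMBOLS = "!@#$"
GUESSES_PER_SECOND = 1e9                           # assumption: offline attack


def mangle(word):
    """Yield the variants a cracker's rules would try for one base word."""
    leet = "".join(LEET.get(c, c) for c in word)
    for base in {word, word.capitalize(), word.upper(), leet, leet.capitalize()}:
        yield base
        for sym in SUFFIX_SYMBOLS:
            yield base + sym
        for n in range(100):                       # appended/prepended digits
            yield f"{base}{n}"
            yield f"{base}{n:02d}"
            yield f"{n}{base}"
            for sym in SUFFIX_SYMBOLS:
                yield f"{base}{n}{sym}"
        for year in range(1970, 2011):             # birth and graduation years
            yield f"{base}{year}"


def dictionary_hit(password):
    """Return the base word if password is a mangled dictionary word, else None."""
    for word in WORDLIST:
        if any(candidate == password for candidate in mangle(word)):
            return word
    return None


def charset_size(password):
    """Size of the smallest standard character set that covers the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)            # 32 printable symbols
    return size


def brute_force_seconds(password, rate=GUESSES_PER_SECOND):
    """Worst-case seconds to exhaust the keyspace implied by length and classes."""
    return charset_size(password) ** len(password) / rate


def assess(password, rate=GUESSES_PER_SECOND):
    """Classify a password: dictionary-crackable (near-instant) or brute-force only."""
    hit = dictionary_hit(password)
    return {
        "verdict": "dictionary" if hit is not None else "brute-force-only",
        "base_word": hit,
        "brute_force_seconds": brute_force_seconds(password, rate),
    }


if __name__ == "__main__":
    # Constructed sample passwords: the first three follow the thread's "word plus
    # numbers/symbols" advice and still fall to the mangling rules.
    for pw in ["Password1", "P4ssw0rd!", "Dragon2004", "xq7!Lm2#Rt9@"]:
        r = assess(pw)
        print(f"{pw:14} {r['verdict']:17} keyspace-only estimate: "
              f"{r['brute_force_seconds']:.3g} s")
```

The interesting row is `Dragon2004`: by the character-class arithmetic alone (62 symbols, 10 characters) it looks like decades of brute force, yet it is found in a fraction of a second because it is a word plus a year. The keyspace estimate is only an upper bound on attacker effort; what a password actually buys you is the effort needed to guess it, and tools such as John the Ripper and hashcat ship rule sets far larger than the one sketched here.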


tracking postings

by Kima In reply to Re: Passwords

Just keeping track of posting...
