
How Often Should You Change Your Password?

CmdrTaco posted more than 3 years ago | from the every-eight-seconds dept.

Security 233

jhigh writes "Bruce Schneier asks the question, how often should you change your password? 'The primary reason to give an authentication credential — not just a password, but any authentication credential — an expiration date is to limit the amount of time a lost, stolen, or forged credential can be used by someone else. If a membership card expires after a year, then if someone steals that card he can at most get a year's worth of benefit out of it. After that, it's useless.' Another reason could be to limit the amount of time an attacker has to crack the password, but Bruce's analysis seems on target."


233 comments


To Change or Not To Change (3, Insightful)

WrongSizeGlass (838941) | more than 3 years ago | (#34196924)

You can change your password as often as you like, but if you don't use a strong password then you're always going to be at risk of a brute force hack or be a victim of the 'over the shoulder' spy.

Re:To Change or Not To Change (4, Interesting)

Rob the Bold (788862) | more than 3 years ago | (#34197100)

You can change your password as often as you like, but if you don't use a strong password then you're always going to be at risk of a brute force hack or be a victim of the 'over the shoulder' spy.

A brute force attack shouldn't be that much of a concern with a login password, assuming that the system limits how often and how many times the brute force attack can retry. And presumably, the system would notify the account holder or administrator (or both) as to the unusual number of failed attempts.

Now if you're trying to brute force an intercepted message, that would be different. You'd have as many attempts as you could afford to crack it and all the time in the world to do it. At least until the data contained in the message was no longer useful to know.

I suppose that a password that was "strong" in the sense of "hard to memorize quickly" would be helpful against the "over the shoulder" attack.

Re:To Change or Not To Change (3, Interesting)

HungryHobo (1314109) | more than 3 years ago | (#34197342)

"strong" is all about cracking hashed passwords.

a very common attack is where the attacker gets hold of the hashed passwords one way or another.

even a single *weird* character can defeat that; learn a code for some unusual Unicode character and include it, and then you don't have to worry too much about that attack because the search space is massive.

any 8 character all lowercase can be cracked overnight.
8 character lowercase + numbers can be cracked in a reasonable time assuming people only use it weakly like only putting 1 number in at the end.

Example: passwor9

same thing with having an uppercase character but only as the first character in the password.

Example: Passwor9

using dictionary words in any language makes it trivial and reasonable assuming your only uppercase is at the start and only lowercase is at the end.

Example: Trustno1

these substitutions in the middle of a password also only add a small bit of strength; they're not worth much.
7 for T
0 for O
5 for S

Example: Tru57no1

Strength is all about how hard it is to crack when given a hash of it.
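As an added example (not code from this thread), a policy-side check that looks for the weak shapes HungryHobo lists: short all-lowercase, a single trailing digit, uppercase only in the first position, and a common word hiding behind leet substitutions. The wordlist, the similarity cutoff and the substitutions beyond 7/0/5 are constructed assumptions:

```python
import itertools
from difflib import SequenceMatcher

# Constructed stand-in for a real common-password / dictionary list.
COMMON_WORDS = ("password", "trustno1", "letmein", "welcome", "monkey", "dragon")

# Substitutions a cracking rule set undoes; the thread names 7/T, 0/O, 5/S,
# the rest are assumed additions.
LEET = {"7": "t", "0": "o", "5": "s", "1": "i", "3": "e", "4": "a", "@": "a", "$": "s"}

MAX_SUBST_POSITIONS = 10  # bounds the candidate expansion to 2**10 strings


def unleet_candidates(pw):
    """Every way of undoing zero or more leet substitutions, lowercased.

    A cracker applies these rules forwards to its wordlist; undoing them here
    lets the policy check see the same base word the cracker would start from.
    """
    pw = pw.lower()
    positions = [i for i, c in enumerate(pw) if c in LEET][:MAX_SUBST_POSITIONS]
    out = set()
    for choice in itertools.product((False, True), repeat=len(positions)):
        chars = list(pw)
        for pos, undo in zip(positions, choice):
            if undo:
                chars[pos] = LEET[chars[pos]]
        out.add("".join(chars))
    return out


def near_common_word(candidate, cutoff=0.85):
    """Exact wordlist hit, or close enough that a one-rule mutation finds it.

    Checked both as typed and with trailing digits stripped, so 'passwor9'
    is caught as a one-character mutation of 'password'.
    """
    stripped = candidate.rstrip("0123456789")
    for word in COMMON_WORDS:
        for form in (candidate, stripped):
            if form == word or SequenceMatcher(None, form, word).ratio() >= cutoff:
                return word
    return None


def weak_patterns(pw):
    """Return the list of weak-shape findings for pw (empty list = none found)."""
    findings = []
    if pw.isalpha() and pw.islower() and len(pw) <= 8:
        findings.append("short all-lowercase letters")
    if len(pw) > 1 and pw[:-1].isalpha() and pw[-1].isdigit():
        findings.append("only non-letter is a single trailing digit")
    if pw[:1].isupper() and pw[1:] == pw[1:].lower() and any(c.isalpha() for c in pw[1:]):
        findings.append("only uppercase letter is the first")
    for cand in unleet_candidates(pw):
        word = near_common_word(cand)
        if word:
            findings.append("close to common word %r after undoing substitutions" % word)
            break
    return findings


if __name__ == "__main__":
    for sample in ("password", "passwor9", "Passwor9", "Trustno1", "Tru57no1", "Fred-Stinks87"):
        print(sample, "->", weak_patterns(sample) or "no pattern findings")
```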

Re:To Change or Not To Change (2)

windcask (1795642) | more than 3 years ago | (#34197458)

any 8 character all lowercase can be cracked overnight.

What are you using, a 386? Anybody using a GPU-enabled instance of hashcat can break that in seconds.

Re:To Change or Not To Change (3, Interesting)

Lumpy (12016) | more than 3 years ago | (#34197716)

Fail.

Most rainbow tables already have those common words written like that. Just because you discovered L33t speek does not mean the cracking tables are already set up to crack those.

Better solution is 2 words with special characters.

Fred-Stinks87
2Fun4You!
This-IS_My&Password

work far better and can't be added to rainbow tables easily.

Passwords are stupid and easy to crack with tricks because nobody uses AFSDWER$fq34agfre as a password. PASS PHRASES are far stronger and super easy to remember. Use at least 2 words with special characters and you are already 800X better off than everyone else.

Re:To Change or Not To Change (4, Funny)

.sig (180877) | more than 3 years ago | (#34197880)

nobody uses AFSDWER$fq34agfre as a password

Great, now I've got to go change all my passwords...

Re:To Change or Not To Change (3, Interesting)

poetmatt (793785) | more than 3 years ago | (#34197824)

you're correct that a lot of measures such as substituting letters for numbers don't do much.

if you want to make it more difficult, add length to a password along with the password. Gizmodo or some Gawker site talked about this once and it's a great password concept.

Example password for everything : Anon4321

add to it the website you're on, so sdAnon4321 or slashdotAnon4321. Or Twitter becomes tAnon4321.

etc. you can choose what your variable is for each website, so to speak, and it's still a simple concept for people since they keep remembering the same password.

That way you can apply that same concept if you rotate your passwords too and it would modify them all but keep the consistency.

Re:To Change or Not To Change (3, Insightful)

leuk_he (194174) | more than 3 years ago | (#34197152)

Make the requirement too complicated and users will work around it.
1 - Put it on a yellow memo under the keyboard (YES YOU!!!)
2 - Take a complicated password.... and add an increment before or after it every time you have to change. (If you have an automated policy against this, see 1.)

PS: greetings from Mordac the information preventer in 1998 [dilbert.com]

Re:To Change or Not To Change (1)

WrongSizeGlass (838941) | more than 3 years ago | (#34197228)

I give my clients a simple process to create 'strong' passwords out of normal words or phrases (preferably 10+ chars) that makes them easy to remember. It's not foolproof but it does give them a much better chance against the "123456" password mentality.

Hundreds of passwords [Re:To Change or Not To...] (2, Interesting)

Geoffrey.landis (926948) | more than 3 years ago | (#34197732)

I give my clients a simple process to create 'strong' passwords out of normal words or phrases (preferably 10+ chars) that makes them easy to remember.

Yeah, and if your clients only have one password to ever remember, and didn't have to change it, that would solve the problem. I have fifty passwords, many of which have to be changed every three months. Do you give your clients a "simple process" to create two hundred passwords per year, and remember which one goes with which system?

By the way, the single most important thing you should do to make sure your clients are secure is to make sure that they don't use the same password to access different systems. If they re-use their password on an insecure phishing site, doesn't matter how "strong" it is with "10+ chars"; it might as well be 123456.

Obligatory XKCD [Re:Hundreds of passwords...] (3, Funny)

Geoffrey.landis (926948) | more than 3 years ago | (#34197776)

Speaking of which, I'm surprised nobody has posted the link to the relevant xkcd yet.

http://xkcd.com/792/ [xkcd.com]

Re:To Change or Not To Change (1)

Rob the Bold (788862) | more than 3 years ago | (#34197334)

2 - Take a complicated password.... and add an increment before or after it every time you have to change. (If you have an automated policy against this, see 1.)

My bank makes me change passwords every 6 months, and has the "complicated" requirement. Any password that passes the "complicated" test is almost certainly difficult to remember. After quite a few tries, I finally came up with something that I could remember -- and my wife too -- and that the system would accept. Whew.

Fast forward six months, and I find out about the "must change" rule. I managed to get myself locked out during the process of trying to find another suitable password and had to call tech support. I complained at the time about the 6 month rule. "Oh, that's no problem," said the nice lady at the help desk. "Just do what I do and add a '1' at the end!"

Re:To Change or Not To Change (1)

Lumpy (12016) | more than 3 years ago | (#34197764)

Most of those systems have an epic fail in them.

Forced password change has to be complex and meet rules.
Manual password change has fewer rules.

I usually do their dance, log in and change my password back to my 40 char password that I have used for 4 years. Works like a charm.

How about your bank stop being cheap about your security and allow you to use a verisign dongle?

Re:To Change or Not To Change (1)

SQLGuru (980662) | more than 3 years ago | (#34197388)

Most automated policies fail if the sequence is located in the middle of your password.

pass1word
pass2word
pass3word
etc.

It's because they just check the hash and the middle digits affect the hash in an "unexpected" manner.
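An added example (not code from the thread) of a password-history check without this blind spot: at change time the new password is available in plaintext, so the policy can derive the counting variants a user would have come from (each digit run minus one, plus one, or removed) and test each against the stored salted hashes, catching pass2word after pass1word and Complex1 after Complex without ever keeping old passwords in the clear. The PBKDF2 round count and the sample history are constructed for the example:

```python
import hashlib
import os
import re

PBKDF2_ROUNDS = 50_000  # constructed value for the example; tune for your platform


def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256 record, the form a history store would keep."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(pw, record):
    """Recompute the hash under the record's salt and compare."""
    salt, digest = record
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS) == digest


def increment_variants(pw):
    """Plausible previous passwords a user derives from pw by counting.

    For every digit run, wherever it sits: n-1 and n+1 at the same width
    (so 09 -> 10 still lines up), plus the run deleted, which catches
    'pass1word' from 'password' and a freshly appended '1'.
    """
    variants = {pw}
    for m in re.finditer(r"\d+", pw):
        start, end, run = m.start(), m.end(), m.group()
        n = int(run)
        for k in (n - 1, n + 1):
            if k >= 0:
                variants.add(pw[:start] + str(k).zfill(len(run)) + pw[end:])
        variants.add(pw[:start] + pw[end:])
    return variants


def rejected_by_history(new_pw, history):
    """True if new_pw, or a counting variant of it, equals any stored old password."""
    for cand in increment_variants(new_pw):
        if any(matches(cand, rec) for rec in history):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample history: only salted hashes are retained.
    history = [hash_password(p) for p in ("pass1word", "Complex")]
    for attempt in ("pass2word", "Complex1", "Fred-Stinks87"):
        print(attempt, "->", "rejected" if rejected_by_history(attempt, history) else "accepted")
```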

Re:To Change or Not To Change (1)

knarfling (735361) | more than 3 years ago | (#34197466)

Make the requirement too complicated and users will work around it.

PS: greetings from Mordac the information preventer in 1998 [dilbert.com]

Not if you make it complicated enough. Force them to use a different doodle or a different squirrel noise each time that can't be written down, and you get rid of the yellow sticky note issue. And in 1998 they had no real comprehension of how to prevent access to useful systems. Take a look at an updated Dilbert [dilbert.com] from 2005 for how to really prevent stolen passwords as well as how to prevent access.

Re:To Change or Not To Change (1)

Idarubicin (579475) | more than 3 years ago | (#34197186)

You can change your password as often as you like, but if you don't use a strong password then you're always going to be at risk of a brute force hack or be a victim of the 'over the shoulder' spy.

I'll grant you the over-the-shoulder issue, though except for extremely dedicated watchers that is easily defeated by trivial modification. The canonical "password" falls to the shoulder surfer, but "pasSword" or "pasword" or "password." or even "psword" are going to be missed. (A keylogger gets them all, of course, but that's also going to get genuinely 'strong' passwords.) Meanwhile, brute-force attacks are of concern for encrypted documents and the like (where you can take an unlimited number of attempts) but are nearly useless against things like account logins which will lock you out after three to five failed attempts.

Re:To Change or Not To Change (1)

HungryHobo (1314109) | more than 3 years ago | (#34197424)

like account logins

assume an attacker will get the list of hashed passwords because it's a very common way of getting into accounts.

Re:To Change or Not To Change (1)

TheRaven64 (641858) | more than 3 years ago | (#34197516)

On most *NIX systems, the hashes are stored in a shadow password file, which only root can view. If the attacker is already in the system with root access, there are much easier ways of getting access to your account than decrypting your password.

Re:To Change or Not To Change (0)

Anonymous Coward | more than 3 years ago | (#34197838)

Failure of imagination:

Consider an "online store", which stores credentials in a "database". The database does not run as root. The attacker probably wants to steal your credentials -- not so they can log in to the online store, but so that they can use your password and credit card details on eBay.

Re:To Change or Not To Change (1)

pilgrim23 (716938) | more than 3 years ago | (#34197896)

ISP: "Your password should be at least 8 characters and include at least one special character and one number." Online Service: "Your password should be 6 to 8 characters and include at least 1 number, no special characters." Next Online service: "Your password Must begin with a number and be at least 16 characters" and so on. Consistency may be the hobgoblin of small minds but it WOULD be nice once in a while...

thanks for the advice! (0)

Anonymous Coward | more than 3 years ago | (#34196932)

I just changed mine to 54321a

They'll never hack me now!!!!!!!!!!!!!!!!1111111111111111oneone

As often as is convenient for the user. (2, Interesting)

chemicaldave (1776600) | more than 3 years ago | (#34196936)

It depends on the user's preference, how secure the application is, and most importantly how secure the password is. A sufficiently strong password will have a minimum to how often it should be changed to protect from passwords being leaked (although this shouldn't be much of a problem either if passwords weren't stored in plaintext or easy to decrypt ciphers).

Re:As often as is convenient for the user. (1)

Bert64 (520050) | more than 3 years ago | (#34197280)

The problem is that the user often has no idea how a given application will be storing their password...
It's not uncommon for webapps to store passwords in plain text for instance...
Quite often you get weak hashing, for instance a single round of MD5 with no salt, or passwords stored using reversible algorithms...

Then you have the Windows hashing scheme, where you can authenticate using the hash without needing to crack it at all.

With online apps, sometimes you can tell they're storing the passwords in plaintext or reversible forms because the password recovery option will actually send you your original password, something which would not be possible with a sensible one way hashing algorithm.

People also reuse passwords in multiple places, so it's all well and good one site storing your pass using salted SHA512, but if you use the same pass on a site which stores it in plaintext you're still very much at risk.

What's the point? (1, Informative)

fieldstone (985598) | more than 3 years ago | (#34196938)

If someone steals your password, as I learned when my gmail account was hacked, the first thing they're going to do if they know anything is change both your password and your security questions. The only way changing your password will help is if the person who's stolen it is too dumb to do this, and that seems unlikely.

Re:What's the point? (2, Insightful)

clang_jangle (975789) | more than 3 years ago | (#34197062)

So IOW since preventative measures are not adequate 100% of the time for 100% of users, screw it all?

I don't think so...

Interestingly enough, not one really tech-savvy person I know has complained of being hacked -- it's always the morons whose username is also their password, or who use "654321", or who insist on allowing the browser to remember their logins for them. For those people you're right, "what's the point?" -- for the rest of us though, such measures generally work pretty well.

Re:What's the point? (2, Interesting)

fieldstone (985598) | more than 3 years ago | (#34197154)

Maybe I'm missing something here, but what's the problem with allowing the browser to remember logins for you if you don't ever allow anyone else to use your computer? I'm reasonably sure the way my account was hacked was when I stupidly logged into it on someone else's computer.

Re:What's the point? (3, Informative)

clang_jangle (975789) | more than 3 years ago | (#34197288)

Maybe I'm missing something here, but what's the problem with allowing the browser to remember logins for you if you don't ever allow anyone else to use your computer?

The browser can be hacked; most of them have been at one time or another. Any data stored in the browser can potentially be retrieved by a third party. Personally, I consider memorizing a few passwords and their variants to be effort well-invested.

I'm reasonably sure the way my account was hacked was when I stupidly logged into it on someone else's computer.

That's one way it can happen.

Re:What's the point? (1)

bmo (77928) | more than 3 years ago | (#34197494)

I ran into one where the username was a name and a number

The number then became the password.

"How did they guess the password?" was the question asked of me.

--
BMO

Re:What's the point? (4, Insightful)

zn0k (1082797) | more than 3 years ago | (#34197072)

That isn't always true at all.

If my goal is to use your GMail account for spam then yes, I will change the password. If my goal is to monitor your emails I most certainly will not change the password, and will just log in every day to read your correspondence.

Re:What's the point? (4, Funny)

fieldstone (985598) | more than 3 years ago | (#34197166)

Ah. Very good point. I hadn't considered the jealous girlfriend / boyfriend angle.

Re:What's the point? (3, Insightful)

Idarubicin (579475) | more than 3 years ago | (#34197502)

If my goal is to use your GMail account for spam then yes, I will change the password. If my goal is to monitor your emails I most certainly will not change the password, and will just log in every day to read your correspondence.

That's an excellent point. Unfortunately, even a regular change-of-password routine means that the malicious party gets a month, or three months, or six months, or what-have-you length of time following your account.

This is why I am annoyed that so few systems implement the simple precaution of displaying the last date, time, and location from which I (putatively) logged in. At negligible cost, that information would allow me to detect a compromised account at next login, rather than remaining unknowingly insecure until my next password change.

Re:What's the point? (3, Informative)

rvw (755107) | more than 3 years ago | (#34197726)

If my goal is to use your GMail account for spam then yes, I will change the password. If my goal is to monitor your emails I most certainly will not change the password, and will just log in every day to read your correspondence.

That's an excellent point. Unfortunately, even a regular change-of-password routine means that the malicious party gets a month, or three months, or six months, or what-have-you length of time following your account.

This is why I am annoyed that so few systems implement the simple precaution of displaying the last date, time, and location from which I (putatively) logged in. At negligible cost, that information would allow me to detect a compromised account at next login, rather than remaining unknowingly insecure until my next password change.

Gmail displays this information in the footer of the page. However, you must be aware of this, and you have to know what it means, what your IP address is, etc. I know this info exists, but I almost never look at it to be honest.

Re:What's the point? (1)

muckracer (1204794) | more than 3 years ago | (#34198008)

> > the simple precaution of displaying the last date, time, and location from which I (putatively) logged in.

> Gmail displays this information in the footer of the page.

Yes, and that's the wrong place for it. New e-mails are on top and if your list is set to 100 (or 200) you'll never have a need to scroll down. It needs to be obvious. Ergo: on top! Google...u listening?

Re:What's the point? (1)

Idarubicin (579475) | more than 3 years ago | (#34197580)

If my goal is to use your GMail account for spam then yes, I will change the password. If my goal is to monitor your emails I most certainly will not change the password, and will just log in every day to read your correspondence.

...Of course, if I'm forced to change my password once per month, the guy reading my email who finds out that "SooperSekrit53" stopped working is going to guess that the new password is "SooperSekrit54".

Re:What's the point? (2, Insightful)

TheRaven64 (641858) | more than 3 years ago | (#34197606)

The point of changing your password is usually to protect against offline attacks. If it took an average of 6 months of computer time (on the computer that an attacker could reasonably be expected to use) to generate a password from the hash, then changing the password every 3 months means that you probably won't still be using the password by the time someone has cracked it. This is why encrypted protocols periodically renegotiate session keys - so they're not using one for long enough for an attacker to crack it.

These days, it doesn't make much sense. An attacker that cares enough will buy some time on a botnet to do the cracking. They can either crack the password in a reasonable amount of time, or they can't in hundreds of years. There aren't many cases where they can crack it in 6 months but can't crack it in 3, for example.

The other reason is to block people intercepting your communications. For example, if a competitor gets your email password, he won't change it, he'll just grab a copy of all of your mail and steal trade secrets. If you change the password periodically, he needs to keep stealing it.

All sounds pretty reasonable (2, Interesting)

Chrisq (894406) | more than 3 years ago | (#34196940)

All sounds pretty reasonable and pretty obvious. I wish someone would tell our security department. They force fortnightly changes, with ten days' warning of expiration. That means you either change more than once a week or have the expiration password pop up!

Re:All sounds pretty reasonable (3, Insightful)

hedwards (940851) | more than 3 years ago | (#34197006)

One of the very real problems out there is that it's more or less impossible to have strong passwords that are changed on a regular basis for everything. I've personally got nearly 500 logins that I use from time to time and even just changing them once every few months takes a really long time.

Re:All sounds pretty reasonable (1, Funny)

Anonymous Coward | more than 3 years ago | (#34197036)

Just go from password1 to password9 then loop back to password1. If they keep a list of previously used passwords, just keep adding one.

I'm now at password5842, thanks to our extremely efficient security department!

Re:All sounds pretty reasonable (1)

bennomatic (691188) | more than 3 years ago | (#34197402)

Mine's similar; they require monthly changes with 10 days expiration warning. But here's the rub: we have something like 25 internal systems which are not SSO-enabled, so for that 10 days, I might get the warning a dozen or more times. Nice, huh?

Case to case (1, Insightful)

immakiku (777365) | more than 3 years ago | (#34196954)

His argument is only valid for certain cases, where damage done can be spread out over the course of days or weeks. Sometimes the majority of damage/benefit derived can be derived within minutes or hours. Example: access to a victim's email account (to mine contact list or to spam or to impersonate) or access to a bank account, in which a sizable transfer can be done immediately.

Re:Case to case (2, Informative)

Anonymous Coward | more than 3 years ago | (#34197214)

Bruce makes that same point in the full article; it just wasn't mentioned in the summary. ...yeah yeah, nobody RTFAs :(

Re:Case to case (1)

bennomatic (691188) | more than 3 years ago | (#34197438)

Sorry to be pedantic, but it should be, "yeah yeah, nobody RsTFA"

Re:Case to case (0)

Anonymous Coward | more than 3 years ago | (#34197520)

Actually, if you RTFA, you'll see that his argument is very much like yours. He says that MOST cases fall into one of a few groups:

Immediate damage: e.g. bank account, emptied as soon as the account is hacked. No need to change frequently; you'll notice when the account is hacked.
Professional snoop: Quiet (you won't notice the hack), but able to put in a backdoor once in. Not really a need to change; the backdoor is in immediately, so you're not locking him out.
Unimportant accounts: If hacked, who cares? No need to change frequently.
Casual snoop: e.g. sibling/spouse/paparazzi. The unprofessional snoop will be foiled by this stuff, so this might be valid for your social network stuff.

Of the four groups, only one of them is worth changing frequently. The summary is actually really bad as it sums up the point he is countering.

Re:Case to case (0)

Anonymous Coward | more than 3 years ago | (#34197882)

Example: access to a victim's email account (to impersonate)

What are you doing on /. if you don't know you do not need a password to impersonate an email address?
Anybody can log in to any mail server, claim to be barack.obama@whitehouse.gov or cmdrtaco@slashdot.org, and send mail.

Perfect timing (1)

Monkeedude1212 (1560403) | more than 3 years ago | (#34196976)

About 99% of the time it would take to brute force it.

Re:Perfect timing (1)

mrnobo1024 (464702) | more than 3 years ago | (#34197248)

What if the attacker is brute forcing it in a random order? That time could be under a second if he's very lucky.

Whenever you... (5, Funny)

digitaldc (879047) | more than 3 years ago | (#34196982)

...lose the post-it note on the bottom of your keyboard that you wrote it on, of course.

Re:Whenever you... (1)

Jazz-Masta (240659) | more than 3 years ago | (#34197156)

...lose the post-it note on the bottom of your keyboard that you wrote it on, of course.

Not even. I've had users go through the trash in order to find the post-it note they had on their monitor that fell off when the cleaners went through the office.

It's also crucial to change passwords (for websites) using the forgot password function whenever they "accidentally" delete their cache/forms/passwords in IE.

Sorta like SecurID (0, Offtopic)

TuxCoder (1641657) | more than 3 years ago | (#34196984)

I've always thought the SecurID [rsa.com] system was interesting. If you're not familiar with it (and are too lazy to click the link or google it), it involves a little keyfob receiver that displays the current numeric password. The numeric password changes every 60 seconds (which might be configurable at the transmitting end), and is meant to augment your existing credentials.

Why Use a Password? (4, Funny)

NavyNasa (18525) | more than 3 years ago | (#34196988)

Are you hiding something?

Re:Why Use a Password? (1)

Kakari (1818872) | more than 3 years ago | (#34197224)

Well done sir/ma'am.

This isn't Sam's club (4, Insightful)

qoncept (599709) | more than 3 years ago | (#34196990)

If a membership card expires after a year, then if someone steals that card he can at most get a year's worth of benefit out of it. After that, it's useless.

Unless, you know, you log in and it prompts you to change the password. Now it's not only useful to the person who stole it, but useless to the person it actually belongs to.

I personally don't think password changes should be required unless there is a specific reason. Someone hacked your account? Change your password.

If you have passwords for a couple dozen systems (very easy) and each of them requires you to change your password every 3 months, you're going to start forgetting them. So you don't, you're going to start writing them down or storing them in some way. Or you're going to increment a number in your password, so it's still basically the same. Or you're going to use the same password for slashdot and faceboook.com (see that? it's a spoof site designed to steal passwords) and your bank account.

Re:This isn't Sam's club (1, Funny)

Rob the Bold (788862) | more than 3 years ago | (#34197212)

If you have passwords for a couple dozen systems (very easy) and each of them requires you to change your password every 3 months, you're going to start forgetting them. So you don't, you're going to start writing them down or storing them in some way. Or you're going to increment a number in your password, so it's still basically the same. Or you're going to use the same password for slashdot and faceboook.com (see that? it's a spoof site designed to steal passwords) and your bank account.

Thanks, man. I quickly logged in and changed my faceboook and bank passwords. You saved me a great deal of hassle and money!

Re:This isn't Sam's club (1)

ducomputergeek (595742) | more than 3 years ago | (#34197508)

Our software forces users to change their password every 90 days and it can't be the same as any of the last 4 passwords. This is due to PA-DSS compliance. Interestingly, one of the top 3 complaints we get: we force users to change their password every 90 days and it can't be the same as the last 4 used.

Re:This isn't Sam's club (0)

Anonymous Coward | more than 3 years ago | (#34197552)

Statistically and in the real world it's been shown time and time again that keeping your really complex, changes relatively often, never going to remember them in a million years passwords on a post-it note taped to your monitor is FAR more secure than using the same shitty easy to guess password everywhere you need one and never changing it.

Easy passwords take short amounts of time to guess and can be done using a bot net of computers anywhere across the globe, not just at the hackers house. Keeping it the same means even a virus on a public PC you used once and never touched again has the potential to have your password, and with that, the gateway to gathering more passwords via the information obtained there.

Getting your post-it note requires, at the very minimum, standing in front of your desk to see it. That's a big security risk.

Since really, you'd remember your important passwords quickly anyway, and the post-it note would be kept out of plain sight, you've rapidly become FAR more secure by ...

Writing your passwords down rather than making them so easy it only takes 4 tries to guess.

You don't need to take my word for it, even Mr Schneier has stated this in the past, just go browse around his website (maybe it's on his company site, can't remember).

Change them every three months, write them down, store them electronically in an encrypted format with a password you can remember even though you change it often; there's even software specifically designed to do this, and you'll be more secure for doing what some idiot told you was a bad idea because he/she didn't take into account that you're a lazy SOB and won't do the right thing for security.

Proper password management means you have a unique password for every place you need one, it's sufficiently hard to guess and changed relatively often, and you only keep them in your memory.

That's hard, and reserved for those with few systems or REALLY REALLY good memories. Not most sysadmins or normal people, that's for sure.

The practical solution that a lot of 'in the know' people do is let a sheet of paper ( you know, that thing made from dead trees) do the job or a software package designed for it, then just worry about remembering how to access that and keep it secure.

The third, and of course the most common thing people do is to use their birth year appended to their user name or real name, for every site they visit. These people don't count 'cause nothing will get them to care until they've had something serious happen due to being lazy and not caring. You know what though? Not a lot of people care about what they have either, so it's not as important to them. Just gotta watch out for 'ID Theft' whatever that is ...

What's more (1)

Sycraft-fu (314770) | more than 3 years ago | (#34197832)

It encourages password reuse. If you have to learn a new password all the time, well then it makes sense to keep it to just one password. Every month you learn a new password and change it on all your sites. That's really secure! ... Not. That situation means if someone gets your password, they are in to EVERYTHING.

Personally I'm with Schneier that password changes aren't useful on their own and I take it further: You shouldn't change your password unless there's a reason for high security systems because your password should be hard. It should be something reasonably lengthy and reasonably difficult that is used ONLY for that system/service. Random characters are good, a book quote with modified letters is good, etc. Something that takes you a bit to get memorized. Reason is not only is it hard to crack, but it is hard for people to pick up if you type it in. They can't just look over your shoulder and get the password, they'll be unable to remember it.

That makes it unlikely you'll be cracked, and that in the event something else is compromised, means that the damage doesn't spread. THAT is secure, that is what you want. Problem is those kinds of passwords can't be changed all the time because they are hard to remember. Make people change them every month and they'll not only start writing them down, but reusing them among systems.

I want to ask all the "security" people that think short password change policies are a great idea "Do you change the locks on your house every couple months? Then why should passwords be changed so often?"

Continual password changes are security theater, not security, and actually tend to make things worse.

How often? (-1, Flamebait)

Anonymous Coward | more than 3 years ago | (#34197004)

How often should you change your passwords? I think you nerds already have that covered.
A more pertinent question: how often should you change your underwear? With or without febreeze?

he's at it again (2, Insightful)

mestar (121800) | more than 3 years ago | (#34197008)

Another suggestion from the expert where millions of people will waste time, yet, nothing security wise will be improved.

Re:he's at it again (1)

Anne_Nonymous (313852) | more than 3 years ago | (#34197976)

At least he's not fondling your balls.

Let's look at recommended password rules (4, Interesting)

Drakkenmensch (1255800) | more than 3 years ago | (#34197110)

Never use the same password in two places

Always use randomly generated password

Never same them to browser cookies

Never write them down so they can't be stolen

Is it just me or are security experts willingly trying to get us to just forget the twenty to thirty passwords we need to use on a weekly basis?

"Security experts" know nothing about usability (5, Insightful)

Tridus (79566) | more than 3 years ago | (#34197264)

We've been going through this at work. The "security experts" came up with all kinds of asinine rules. Stuff like "don't show the length of the password as a user types", "don't reuse the same password on different systems", "don't write them down", "change them every 3 weeks", etc.

The problem is that none of these people have a bloody clue how ordinary users deal with this stuff. If you listen to security experts, you get bullshit that destroys usability and forces users to get ever more creative in bypassing the rules.

IMO no "security expert" should be allowed to come up with rules without a usability expert sitting behind them holding a taser.

Re:"Security experts" know nothing about usability (1)

jeffmeden (135043) | more than 3 years ago | (#34197374)

Tasers will automatically self-sacrifice their capacitors if brought too close to Bruce Schneier. He once was approached by a man with a Taser; he ripped the man's arm off to tase him with it and the taser never forgot. Tasers never forget.

Re:"Security experts" know nothing about usability (0)

Anonymous Coward | more than 3 years ago | (#34197448)

seriously, security is inconvenient. That's how it works. If it's inconvenient for you, just imagine how inconvenient it is for the crook. idiot.

Re:Let's look at recommended password rules (1)

zippthorne (748122) | more than 3 years ago | (#34197318)

Browser *cookies*???

Who's saving passwords to browser *cookies*? When your browser prompts you to save your password, it's putting it in an encrypted database file, sometimes using the OS's own key-storage service.

I only wish that I could hack my browser to ignore sites' settings on password storage so that I could keep all of them in the keychain behind a single, master password that I actually have hope of remembering without post-its.

Re:Let's look at recommended password rules (1)

bmo (77928) | more than 3 years ago | (#34197378)

You didn't read the fine article to the end.

Never use the same password in two places

No, he doesn't say that. He even goes on to say to not think too hard about passwords for websites that you don't care about. It all depends on the situation.

Always use randomly generated password

He doesn't say that either. He said pick a "good password" which is defined as something not easily guessable. Password policies that are overly restrictive create situations where people create easily guessable passwords (requires numbers? sing a Feist song while you type 1,2,3,4) and password recycling. Bruce has written about this before.

Never same them to browser cookies

ITYM "save" instead of "same"

He didn't say that either.

Never write them down so they can't be stolen

Bruce said to write them down or use PasswordSafe or something similar.

Bruce isn't crazy and a lot of his article was common sense. Don't you feel silly now?

--
BMO

Re:Let's look at recommended password rules (1)

somersault (912633) | more than 3 years ago | (#34197440)

"Never write them down" isn't really a problem as long as you keep them somewhere safe, like your wallet. If you wrote down all your credit card details, someone could use it online just as effectively as if they had your actual credit card (though some places also use a "SecureCode" or whatever, in which case not storing your securecode in your wallet would be a nice idea).

Personally I make my passwords relatively strong, though I do often re-use them and don't like to change very often. I do have some passwords that aren't too strong for accounts that I don't care about that much though. It wouldn't be that big a deal if my Slashdot account were hacked for example, since it's essentially anonymous anyway.

Just like a toothbrush (3, Funny)

mrnick (108356) | more than 3 years ago | (#34197132)

"Use it regularly, change it frequently, and don't share it with anyone!"

20 toothbrushes? (1)

ZmeiGorynych (1229722) | more than 3 years ago | (#34197380)

Which of the couple dozen passwords I have for various places do you suggest I change frequently? All of them? I've never had my accounts cracked yet, and for any of them except banking (who use more than just a password) I don't care if they do. On the other hand, I've lost count of the times that I had to waste half an hour because I had forgotten the new password because some moronic policy forced me to change it.

Or underwear (0)

Anonymous Coward | more than 3 years ago | (#34197596)

Just sayin'

Re:Just like a toothbrush (1)

Art3x (973401) | more than 3 years ago | (#34197728)

"Use it regularly, change it frequently, and don't share it with anyone!"

But what if you have to keep track of twelve toothbrushes?

Does it matter? (0)

Anonymous Coward | more than 3 years ago | (#34197138)

All the passwords do is serve as a minor stumbling block.

If people are brute-forcing your password, then you have other problems. If your password is exposed somehow, then you have other problems.

It's like having your house broken into. If they have a crowbar, then they're going to get in if there's nothing to stop them. If they get a wax mold of your key, or that spare key you leave under the doormat, they're going to get in.

How do you stop them? Security inside, perhaps? Neighbors who keep an eye out for you? Police who patrol the neighborhood?

The Door is just a way to deter the lazy and disinterested.

Same with passwords.

same difference (0)

Anonymous Coward | more than 3 years ago | (#34197140)

an expiration date is to limit the amount of time a lost, stolen, or forged credential can be used by someone else

=

to limit the amount of time an attacker has to crack the password

Wisdom (0)

Anonymous Coward | more than 3 years ago | (#34197142)

One of my old sysadmin books used to suggest resetting a password every time someone with access to the account leaves the job, after a major upgrade, whenever a security breach may have occurred or any day when you're not too drunk/hungover to forget the new password.

Re:Wisdom (1)

zippthorne (748122) | more than 3 years ago | (#34197422)

There shouldn't be common passwords to anything anyway. Everyone should have their *own* credentials for access to stuff, so you don't have to inconvenience all the users when just one leaves the job, and so you can implement an access log to help with figuring out who caused problems after the fact.

It's already too often! (0)

Anonymous Coward | more than 3 years ago | (#34197158)

It's most likely too often! Seriously, I don't understand IT policies with changing your password every 30, 60, etc. days. All it does is force me to come up with very simplistic passwords. I think it's better to come up with a strong password and keep it than to continually change it. As it is, I have at least 20 or more active passwords; to create 20 different passwords every n days is crazy. I don't like using the same password with different systems as the password can be exposed to the system owner which can be used to gain access to another system. Needless to say, my work passwords are the worst ever... Will someone in IT get a clue? We should be using public/private keys instead of passwords!

Those key fob things should be universal (3, Insightful)

thomasdz (178114) | more than 3 years ago | (#34197208)

Passwords are so 1990. I realize that it requires a little extra work, but those RSA-type key fobs that have the little LCD that displays a new "passcode" every minute should be universal by now... I love those things.
Banks should issue them to everyone, employers should issue them to everyone...
C'mon this technology has been in active use for at least 15 years now...it should be cheap and everyone should use it.

Re:Those key fob things should be universal (4, Insightful)

swilver (617741) | more than 3 years ago | (#34197328)

Yeah... I'd like to have 20 of those lying around instead of having 20 passwords...

Re:Those key fob things should be universal (1)

somersault (912633) | more than 3 years ago | (#34197532)

Are you going to have a different one for every website you visit? It's not just your bank that you have to worry about. Paypal, Amazon and many other places store card details for example... plus you could even do a lot of damage to someone with just their Facebook or email accounts.

Never understood the logic (2, Insightful)

Bertie (87778) | more than 3 years ago | (#34197254)

Make people pick a strong password and then let them keep it. I mean, if it never exists outside somebody's head, it can't get lost or stolen. Forcing regular changes makes them likely to forget, or run out of ideas and choose weaker passwords. For example, I know someone who copes with the requirement to change regularly by cycling through the names and numbers of the players of his football team. This is fairly easily guessed at, and he wouldn't have to do it if he didn't have to keep changing his password.

Obviously I've no numbers to back it up, but I'd imagine security is breached far more often by finding passwords scribbled on Post-Its than by brute-forcing. I mean, that's really hard to do, and the rewards have to be well worth the effort, which they seldom are. So eliminate the need to write them down which so many people obviously feel.

Nobody knows my passwords but me. I've never written them down. I've never suffered any security compromises.

Re:Never understood the logic (1)

Combatso (1793216) | more than 3 years ago | (#34197570)

I agree... I've worked in IT a long time, and it's always the person's fault for letting their passwords out... sometimes it's a post-it, but usually people are just willing to give it out... especially to any IT staff, just walk up and ask "what's your password?"... they just assume it's for a good reason and hand it over... after countless meetings, memos and shit-cannings... People will cover the debit machine at the grocery store as if they are guarding the nuclear launch codes, but their wall-safe at the hotel they are staying at, they load with all their money, passports and jewelry, then proceed to make the code 1234....

I can't think of a way to change it either..

Re:Never understood the logic (1)

somersault (912633) | more than 3 years ago | (#34197636)

Well there's also the scenario of using your password somewhere, and the server being breached, or even of that service being run by some malicious party.

I had a friend forward me an email with something like "type in your MSN details here to find out who has blocked you". I advised her to change her password immediately, because she no doubt just put her username and password in there without thinking. If she also used that email address and password combo in other places then they could get access to those too though. I didn't consider that at the time.

Maybe that site was a scam, maybe it wasn't, but there's a lot of opportunity for sites like eBuddy or similar to collect people's login details.

There's even an XKCD about this, so even those who were too dumb to think of it before will probably be trying it by now.

I still follow the "strong password that I don't change very often" philosophy myself, but I know I probably should change it more often, and I'm careful which sites I use my currently preferred strongest password with.

Slow day in the security industry (1)

bouldin (828821) | more than 3 years ago | (#34197256)

If this is news, then things are really slowing down in the security industry.

The answer (3, Insightful)

pehrs (690959) | more than 3 years ago | (#34197306)

Frankly, the answer is almost always "Never"

The human brain is not good at memorizing strings. I deal with well over 100 passwords in a normal week. Assuming, generously, a 6 month timeout it would mean memorizing new passwords every few days. I have better things to do with my life. Much better things. As does the vast majority of users, which is why any company with short password timeouts finds that the passwords are either on post-it notes under the keyboards or a variation of "anna-December01".

If your system demands high security, passwords are not suitable anyway. You should be going for multi-factor authentication, not making the passwords longer or time out more often.

But, you might say, shouldn't changing passwords limit my exposure in a networked environment?

Well, there are a few alternatives. If you store your passwords in an insecure manner (post-it under the keyboard, your secretary etc...) then you have already lost. Anybody can grab your password when they need it. If you keep them secure (memorized), but worry about some server being hacked there are two alternatives: Either you have the same password everywhere, and then updating the password won't change anything, as the attacker will have your password the moment you update it. Or you have different passwords, and then the server where you updated it will still be compromised, but the rest still secure.

If you send your passwords in clear text over the network and worry about sniffing you don't care about the security.

In the end, passwords are simple security mechanisms for discouraging casual abuse of systems. Make sure they do not fall to a trivial brute-force attack and move on. If you need real security you will have to look beyond passwords anyway.

Ever heard of Keepass? (1)

windcask (1795642) | more than 3 years ago | (#34197312)

If you use Keepass or some other sort of ultra-encrypted password safe, you only need to remember one. Besides, you'd be surprised how well your fingers remember $A45j00)&er]{ after a while, even if your brain doesn't. That may be a signal it's time to change your password, however...

When ever you need it (1)

Murdoch5 (1563847) | more than 3 years ago | (#34197450)

How about just changing the password when you have a reason to.

Expiration? pfft (1)

bhcompy (1877290) | more than 3 years ago | (#34197556)

My RSA token generates a new unique password every 60 seconds.

Re:Expiration? pfft (1)

blair1q (305137) | more than 3 years ago | (#34197946)

Meaning anyone with your RSA token has access to everything, and you won't know it until you get to work in the morning and the one they swapped it for looks suspiciously new.

Last I checked, memories were harder to slip off a keychain.

Re:Expiration? pfft (1)

bhcompy (1877290) | more than 3 years ago | (#34197996)

What's my username? And who doesn't keep their token on them at all times? Leaving your token unsecured at your desk is the same as leaving your l/p written on a piece of paper and posting it on the bulletin board. The point of the enhanced security of the token is to keep it on you at all times, and in all of the implementations I've seen it's not the only security measure. One login and rotating password for access then RSA login and password for authentication

Strength-based passwd aging (1)

otis wildflower (4889) | more than 3 years ago | (#34197562)

Passwords should have lifetimes dictated by their strength. Weak passwds rejected, mild passwds say 30 days, medium passwds 60-90 days, strong passwds 180-360 days, and impenetrable passwds should not require changing.

Impenetrable = >= 16 characters, mixed case, numerals, punctuation, and passing all dictionaries. I have 3-5 of these consigned to muscle memory, and rotate thru them whenever I'm forced to change my passwd, it's annoying as FUCK.

Re:Strength-based passwd aging (4, Interesting)

muckracer (1204794) | more than 3 years ago | (#34197754)

> Weak passwds rejected, mild passwds say 30 days, medium passwds 60-90 days, strong passwds 180-360 days, and impenetrable passwds should not require changing.

I like it. Might not be that easy to test for though.

> Impenetrable = >= 16 characters, mixed case, numerals, punctuation, and passing all dictionaries.

Personally I *hate* all that mixed character crap and only use lower-case characters, so I don't have to hit Shift or otherwise contort my fingers. Rather make it longer but a lot easier to type:

16 random characters from entire ASCII set (95) = 105 bits (you'd need 21 to reach 128-bit security)
16 random characters from lower-case letters (26) = 75 bits (you'd need 28 to reach 128-bit security)

Not that much of a difference. Even 75 bits would suffice for most applications.

More characters to type overall, but probably the best trade-off for entry speed, recall ability and security is the Diceware approach. 10 random words = 128+ bit.

Use KeePass anyway for the multitudes of Logins or even a simple:
vim -x my_passwords.txt
( :set cryptmethod=blowfish )

Passwords will be old hat (1)

SpaghettiPattern (609814) | more than 3 years ago | (#34197586)

Passwords as currently known will hopefully become old hat soon. I long for the time when I can own a private key in hardware, where drivers on all platforms are cheap commodity and where all programs and systems will be able to offer a decent authentication interface.

A password can be stolen more easily than the combination password + private key.

bruteforce (1)

tris203 (1768578) | more than 3 years ago | (#34197694)

If you are confident your password will not be on a wordlist, and you know the encryption technique: every "less than the time taken to bruteforce the password should the hash be obtained", however frequently that is. If your password is "aaaa" you'll be changing it every 10 seconds.

Answer: Never! (1, Funny)

UnknowingFool (672806) | more than 3 years ago | (#34197708)

Seriously I've used "1234" on all my email accounts and my root admin account for years and never had the problem.
Hold a sec. My router is going a little crazyF8($&#Rin85M3$%
s fpjl ;?>I ALW7H;
[CARRIER LOST]

And they are the specialists... (1)

hrimhari (1241292) | more than 3 years ago | (#34197722)

This again. Just like that lady from Microsoft which challenged the 7 password rules. [slashdot.org]

I am not a security specialist. Yet I seem to know something they don't: that "frequently" changing the password is meant to avoid brute-force over the password hash being profitable, not to stop a person who already knows the password from using it.

Example: excluding the dictionary-based, < 8 length, all lower case letters, etc which are broken easily, let's suppose it takes 2 months to break a good password's hash by brute-force.

If your system obliges you to change your password every 2 months - 1 day, when the attacker finally breaks the old password it's no longer valid. The bonus would be to catch the attacker when he tried to use it.

That's the theory. If it works or is worth the trouble, I don't know. But I'd love to see that being discussed by the so-called specialists instead of unrelated use-cases.

Re:And they are the specialists... (1)

muckracer (1204794) | more than 3 years ago | (#34197926)

> Example: excluding the dictionary-based, If your system obliges you to change your password every 2 months - 1 day, when the attacker finally breaks the old password it's no longer valid.

Except there's a fundamental error in that argument:

The attacker doesn't have to search the entire key space to finally hit the password. Only half of it on average. In fact, he can get lucky and hit it in a couple hours! So you have no idea and that 2 months policy is worthless!

And that's not even getting into the question of how to determine the time it takes to crack a password, even if 100% key space search in brute-force mode were necessary. What's the possible tries per second reference? Your laptop? The corporate network clustered? distributed.net? The NSA?

Only way to be sure...given today's knowledge and computing power...is to pick (for high-sec apps) a password of at least 128-bit strength, since it's currently agreed upon as being completely outside the realm of possibility for anyone to crack. YMMV :-)
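A worked calculation, added here as an example and not part of any comment above, for the bit counts in muckracer's earlier reply (16 characters drawn from 95 or 26 symbols, 10 Diceware words) and for the half-keyspace and expiry argument in this one. The guess rate is an assumption of the example, the Diceware list size of 7776 words is the standard list, and the "expire one day before a full search would finish" policy is evaluated as the attacker's success probability rather than as a fixed crack time.

```python
import math

# Constructed assumptions for the worked example: a Diceware list has
# 7776 (6^5) words; the guess rate is an arbitrary placeholder, not a
# measurement of any real cracking setup.
DICEWARE_WORDS = 7776
ASSUMED_GUESSES_PER_SECOND = 10**9
SECONDS_PER_DAY = 86400


def bits_of_entropy(alphabet_size, length):
    """Entropy in bits of `length` symbols drawn uniformly at random
    from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def chars_needed(alphabet_size, target_bits=128):
    """Smallest length whose uniform keyspace reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def diceware_bits(words, wordlist_size=DICEWARE_WORDS):
    """Entropy of `words` words chosen uniformly from a Diceware list."""
    return words * math.log2(wordlist_size)


def keyspace(alphabet_size, length):
    """Exact number of candidates an exhaustive search has to cover."""
    return alphabet_size ** length


def expected_guesses(alphabet_size, length):
    """Average guesses to hit a uniformly chosen password: about half the
    keyspace, since every candidate is equally likely to be the target."""
    return (keyspace(alphabet_size, length) + 1) / 2


def seconds_to_search(alphabet_size, length, guesses_per_second, fraction=1.0):
    """Wall-clock time to cover `fraction` of the keyspace at a given rate."""
    return keyspace(alphabet_size, length) * fraction / guesses_per_second


def success_probability_before(seconds, alphabet_size, length, guesses_per_second):
    """Probability that an attacker guessing at `guesses_per_second` has
    found a uniformly random password within `seconds`. Success is equally
    likely at every step of the search, so the probability grows linearly
    with the fraction of the keyspace covered (and can be high early on)."""
    covered = seconds * guesses_per_second
    return min(1.0, covered / keyspace(alphabet_size, length))


def expiry_policy_report(alphabet_size, length, guesses_per_second,
                         margin_seconds=SECONDS_PER_DAY):
    """Evaluate the 'expire just before a full search finishes' policy:
    full-search time, the resulting expiry, and the attacker's chance of
    having cracked the password before it expires."""
    full = seconds_to_search(alphabet_size, length, guesses_per_second)
    expiry = max(0.0, full - margin_seconds)
    return {
        "full_search_seconds": full,
        "expiry_seconds": expiry,
        "p_cracked_before_expiry": success_probability_before(
            expiry, alphabet_size, length, guesses_per_second),
    }


if __name__ == "__main__":
    for name, size in (("printable ASCII", 95), ("lower-case letters", 26)):
        print(f"16 chars from {name}: {bits_of_entropy(size, 16):.1f} bits; "
              f"{chars_needed(size)} chars reach 128 bits")
    print(f"10 Diceware words: {diceware_bits(10):.1f} bits")
    # An 11-character lower-case password at the assumed rate: the full
    # search takes about six weeks, and expiring it one day before that
    # still leaves the attacker roughly a 98% chance of having found it.
    r = expiry_policy_report(26, 11, ASSUMED_GUESSES_PER_SECOND)
    print(f"full search: {r['full_search_seconds'] / SECONDS_PER_DAY:.1f} days, "
          f"P(cracked before expiry) = {r['p_cracked_before_expiry']:.3f}")
    # Entropy, not expiry, is what moves the needle: a 128-bit secret.
    years = 2**127 / ASSUMED_GUESSES_PER_SECOND / (365 * SECONDS_PER_DAY)
    print(f"128-bit secret, average time at the same rate: {years:.2e} years")
```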

If you are at all worried... (2, Interesting)

gmurray (927668) | more than 3 years ago | (#34197794)

If you are at all worried about changing your password, then a password is not enough. Changing doesn't help, as soon as your password is compromised it needs to be changed. Multiple factors is a much better solution than changing passwords, which only provides a false sense of security at best.

Related question (1)

HTH NE1 (675604) | more than 3 years ago | (#34197798)

Related questions: how often should you change your username? real name? identity? SSN? fingerprints? retina pattern? DNA?

As often as you need to. (1)

blair1q (305137) | more than 3 years ago | (#34197902)

A = average number of people targeting you via password attacks at any time.
B = average time it takes for your password to be hacked by one person.

T_expire B/A

So you can improve security by

1. Heeding T_expire
2. Increasing B by using trickier passwords
3. Reducing A by nuking China

Every Password should be different (0)

Anonymous Coward | more than 3 years ago | (#34197936)

Every password that you use that can be different, SHOULD BE DIFFERENT. This is a risk mitigation method.
Many professionals use a password manager like LastPass or KeePass or KeePassX and honestly only know the 30+ character passphrase to open that DB.

I have hundreds of accounts and each has a different password. I use 30+ character randomly created passwords for each and have only 2 out of all these memorized - the main domain login to my main desktop AND the passphrase into KeePassX. All the other passwords ... I have no idea what they are and don't care. That's what a password manager is for.

I worked in a government lab and had to physically stand in front of the network administrator once a year to retain network access. If I didn't show up, I was cut off. Remote users actually had to fly into our location to prove they still deserved access.

How often should a password be changed? Anytime there is a risk that it has been compromised. A stronger and longer password can help reduce the risk. At my company, we force password changes every 56 days - why 56 days? 56 is divisible by 7, so Tuesday is the day that I change my passwords. That gives me 3 days to learn it before a weekend.

Each organization will need to determine how often that could happen. For some organizations, it could be weekly, for others, yearly.

Forced password change often leads to less security (1)

GodWasAnAlien (206300) | more than 3 years ago | (#34198006)

In theory, forced password changes lead to more security, as they narrow a window of compromise.

In practice, a forced password change often leads to less security. The basic problem is that it's hard to memorize passwords.

If forced password changes are too frequent, people will change 'mypassword' to 'mypassword2', then 'mypassword3'.
Or change to a new more secure string unrelated to the previous one. Perhaps 'Xoolu3j3e'. However, in the case of too frequent changes here, it's hard to keep track of the passwords, so perhaps they get written on a sticky, or saved in the browser. Possibly a keychain on your computer helps, though then what do you do with a lost PC? Write them down? Assume that you can reset by some email verification?

I wonder how often forced password changes really lead to better security.
