Forgot your password?
typodupeerror
Security IT

How Often Should You Change Your Password? 233

Posted by CmdrTaco
from the every-eight-seconds dept.
jhigh writes "Bruce Schneier asks the question, how often should you change your password? 'The primary reason to give an authentication credential — not just a password, but any authentication credential — an expiration date is to limit the amount of time a lost, stolen, or forged credential can be used by someone else. If a membership card expires after a year, then if someone steals that card he can at most get a year's worth of benefit out of it. After that, it's useless.' Another reason could be to limit the amount of time an attacker has to crack the password, but Bruce's analysis seems on target."
This discussion has been archived. No new comments can be posted.

How Often Should You Change Your Password?

Comments Filter:
  • by WrongSizeGlass (838941) on Thursday November 11, 2010 @11:55AM (#34196924)
    You can change your password as often as you like, but if you don't use a strong password then you're always going to be at risk of a brute force hack or be a victim of the 'over the shoulder' spy.
    • by Rob the Bold (788862) on Thursday November 11, 2010 @12:08PM (#34197100)

      You can change your password as often as you like, but if you don't use a strong password then you're always going to be at risk of a brute force hack or be a victim of the 'over the shoulder' spy.

      A brute force attack shouldn't be that much of a concern with a login password, assuming that the system limits how often and how many times the brute force attack can retry. And presumably, the system would notify the account holder or administrator (or both) as to the unusual number of failed attempts.

      Now if you're trying to brute force an intercepted message, that would be different. You'd have as many attempts as you could afford to crack it and all the time in the world to do it. At least until the data contained in the message was no longer useful to know.

      I suppose that a password that was "strong" in the sense of "hard to memorize quickly" would be helpful against the "over the shoulder" attack.

      • by HungryHobo (1314109) on Thursday November 11, 2010 @12:27PM (#34197342)

        "strong" is all about cracking hashed passwords.

        a very common attack is where the attacker gets hold of the hashed passwords one way or another.

        even a single *wierd* character can defeat that, learn a code for some unusual unicode character and include it and then you don't have to worry too much about that attack because the search space is massive.

        any 8 character all lowercase can be cracked overnight.
        8 character lowercase + numbers can be cracked in a reasonable time assuming people only use it weakly like only putting 1 number in at the end.

        Example: passwor9

        same thing with having an uppercase character but only as the first character in the password.

        Example: Passwor9

        using dictionary words in any language makes it trivial and reasonable assuming your only uppercase is at the start and only lowercase is at the end.

        Example: Trustno1

        these substitutions in the middle of a password also only add a small bit of strength, they're not worth much.
        7 for T
        0 for O
        5 for S

        Example: Tru57no1

        Strength is all about how hard it is to crack when given a hash of it.

        • by windcask (1795642)

          any 8 character all lowercase can be cracked overnight.

          What are you using, a 386? Anybody using a GPU-enabled instance of hashcat can break that in seconds.

          • by Sigma 7 (266129)

            If your hash algorithm can be cracked within seconds, then it's too weak. Either increase the number of rounds (alternating with the username and password on each round), or change to a slower algorithm.

            If you get the hash calculation time to 1 millisecond and place it against a computer that has 10000 cpu-core equivalent, then it takes 6 hours to guarantee a crack, or 61 days if the user included capital letters.

        • by Lumpy (12016) on Thursday November 11, 2010 @12:56PM (#34197716) Homepage

          Fail.

          Most rainbow tables already have those commonwords written like that. just because you discovered L33t speek, does not mean the cracking tables are already set up to crack those.

          Better soluton is 2 words with special characters.

          Fred-Stinks87
          2Fun4You!
          This-IS_My&Password

          work far better and cant be added to rainbow tables easily.

          Paswords are stupid and easy to crack with tricks because nobody uses AFSDWER$fq34agfre as a password. PASS PHRASES are far stronger and super easy to remember. Use at least 2 words with special characters and you are already 800X better off that everyone else.

          • by .sig (180877) on Thursday November 11, 2010 @01:08PM (#34197880)

            nobody uses AFSDWER$fq34agfre as a password

            Great, now I've got to go change all my passwords...

          • Re: (Score:3, Interesting)

            by nabsltd (1313397)

            Paswords are stupid and easy to crack with tricks because nobody uses AFSDWER$fq34agfre as a password. PASS PHRASES are far stronger and super easy to remember. Use at least 2 words with special characters and you are already 800X better off that everyone else.

            Great advice...can you please force banks, etc., to allow such passwords?

            Example 1: I recently signed up to be able to pay my car payment online, and the requirements were that both the username and password be at least 8 characters long but no longer than 12 characters, have at least one letter and one number, with no non-alphanumeric allowed. Although you could use mixed case, it was not a requirement.

            Example 2: A set of integrated systems at a client use Active Directory as a single sign-on to authentic

        • by poetmatt (793785) on Thursday November 11, 2010 @01:04PM (#34197824) Journal

          you're correct that a lot of measures such as substituting letters for numbers don't do much.

          if you want to make it more difficult, add length to a password along with the password. Gizmodo or some gawker site talked about this once and it's a great password concept.

          Example password for everything : Anon4321

          add to it the website you're on, so sdAnon4321 or slashdotAnon4321. or twitter becomes tAnon4321

          etc. you can choose what your variable is for each website, so to speak, and it's still a simple concept for people since they keep remembering the same password.

          That way you can apply that same concept if you rotate your passwords too and it would modify them all but keep the consistency.

    • Re: (Score:3, Insightful)

      by leuk_he (194174)

      Make the requirement to complicated and users will work arround it.
      1 -Put it on a yellow memo under the keyboard (YES YOU!!!)
      2 -Take a complicated password.... and add a increment before or after it everytime you have to change. (if you have a automated policy against this, see 1. )

      PS.. greetings from mordoc the information preventer in 1998 [dilbert.com]

      • I give my clients a simple process to create 'strong' passwords out of normal words or phrases (preferably 10+ chars) that makes them easy to remember. It's not foolproof but it does give them a much better chance against the "123456" password mentality.
        • I give my clients a simple process to create 'strong' passwords out of normal words or phrases (preferably 10+ chars) that makes them easy to remember.

          Yeah, and if your clients only have one password to ever remember, and didn't have to change it, that would solve the problem. I have fifty passwords, many of which have to be changed every three months. Do you give your clients a "simple process" to create two hundred passwords per year, and remember which one goes with which system?

          By the way, the single most important thing you should do to make sure your clients are secure is to make sure that they don't use the same password to access different syste

      • 2 -Take a complicated password.... and add a increment before or after it everytime you have to change. (if you have a automated policy against this, see 1. )

        My bank makes me change passwords every 6 months, as has the "complicated" requirement. Any password that passes the "complicated" test is almost certainly difficult to remember. After quite a few tries, I finally came up with something that I could remember -- and my wife too -- and that the system would accept. Whew.

        Fast forward six months I find out about the "must change" rule. I managed to get myself locked out during the process trying to find another suitable password and had to call tech support.

        • by Lumpy (12016)

          Most of those systems have an epic fail in them.

          Forced password change has to be complex and meet rules.
          Manual pasword change has less rules.

          I usually do their dance, log in and change my password back to my 40 char password that I have used for 4 years. Works like a charm.

          How about your bank stop being cheap about your security and allow you to use a verisign dongle?

      • by SQLGuru (980662)

        Most automated policies fail if the sequence is located in the middle of your password.

        pass1word
        pass2word
        pass3word
        etc.

        It's because they just check the hash and the middle digits affect the hash in an "unexpected" manner.

      • by knarfling (735361)

        Make the requirement too complicated and users will work arround it.

        PS.. greetings from mordoc the information preventer in 1998 [dilbert.com]

        Not if you make it complicated enough. Force them to use a different doodle or a different squirrel noise each time that can't be written down, and you get rid of the yellow sticky note issue. And in 1998 they had no real comprehension of how to prevent access to useful systems. Take a look at an updated Dilbert [dilbert.com] from 2005 for how to really prevent stolen passwords as well as how to prevent access.

    • You can change your password as often as you like, but if you don't use a strong password then you're always going to be at risk of a brute force hack or be a victim of the 'over the shoulder' spy.

      I'll grant you the over-the-shoulder issue, though except for extremely dedicated watchers that is easily defeated by trivial modification. The canonical "password" falls to the shoulder surfer, but "pasSword" or "pasword" or "password." or even "psword" are going to be missed. (A keylogger gets them all, of course, but that's also going to get genuinely 'strong' passwords.) Meanwhile, brute-force attacks are of concern for encrypted documents and the like (where you can take an unlimited number of atte

      • like account logins

        assume an attacker will get the list of hashed passwords because it's a very common way of getting into accounts.

        • On most *NIX systems, the hashes are stored in a shadow password file, which only root can view. If the attacker is already in the system with root access, there are much easier ways of getting access to your account than decrypting your password.
    • by pilgrim23 (716938)
      ISP: "Your password should be at least 8 characters and include at least one special character and one number" Online Service: "Your password should be 6 to 8 characters and include at least 1 number, no special characters. Next Online service: "Your password Must begin with a number and be at least 16 characters" and so on. Consistency may be the hobgoblin of small minds but it WOULD be nice once and a while...
  • by chemicaldave (1776600) on Thursday November 11, 2010 @11:56AM (#34196936)
    It depends on the user's preference, how secure the application is, and most importantly how secure the password is. A sufficiently strong password will have a minimum to how often it should be changed to protect from passwords being leaked (although this shouldn't be much of a problem either if passwords werent stored in plaintext or easy to decrypt ciphers).
    • by Bert64 (520050)

      The problem is that the user often has no idea how a given application will be storing their password...
      It's not uncommon for webapps to store passwords in plain text for instance...
      Quite often you get weak hashing, for instance a single round of MD5 with no salt, or passwords stored using reversible algorithms...

      Then you have the windows hashing scheme, where you can authenticate using the hash without needing to crack it at all.

      With online apps, sometimes you can tell they're storing the passwords in plai

  • by Chrisq (894406) on Thursday November 11, 2010 @11:56AM (#34196940)
    All sounds pretty reasonable and pretty obvious. I wish someone would tell our security department. They force fourtnightly changes, with ten days warning of expitation. That means you either change more than once a week or have the expiration password pop up!
    • by hedwards (940851) on Thursday November 11, 2010 @12:01PM (#34197006)
      One of the very real problems out there is that it's more or less impossible to have strong passwords that are changed on a regular basis for everything. I've personally got nearly 500 log ins that I use from time to time and even just changing them once every few months takes a really long time.
    • Mines similar; they require monthly changes with 10 days expiration warning. But here's the rub: we have something like 25 internal systems which are not SSO-enabled, so for that 10 days, I might get the warning a dozen or more times. Nice, huh?
    • by TheCarp (96830) <sjc&carpanet,net> on Thursday November 11, 2010 @02:10PM (#34198620) Homepage

      That is usually what I notice about Schneier. He doesn't really say much that is revolutionary. He pretty much just gives a level headed, common sense, appraisal of the situation. The thing is, what he does sounds absolutely revolutionary against the backdrop of all the people who are fear mongers or design their systems around articles and papers without taking into account their own situation.

      The problem with security is, it always lends itself to imagination. We could sit down, all day, with nearly any complex situation, and dream up attack vectors, scenarios, etc. Since we can imagine all these things, it seems reasonable to devise protection against them. What is less obvious is, that guessing which vector someone will use, and then securing against it, is a never ending game with never ending costs. It isn't useful to spend top dollar to get locks that are hard to pick when an attacker is just going to smash in your window.

      Of course, then you can bar the windows... install heavy duty doors, special locks, cameras, point to point wireless links to move security video off site.... but... if it worth it if all that security equipment costs as much as all the valuables that you wish to protect? What if you live in a place where there hasn't even been a B&E in the past several years?

      Security is risk management. If you are not taking your situation, and especially which scenarios are the most likely, then you are not really managing risk. If your only purpose is to look like you are managing risk, then it is really better to call what you are doing "entertainment".

      -Steve

      • Re: (Score:3, Insightful)

        by houghi (78078)

        Security is risk management.

        Indeed it is. Remembering passwords will not protect you against your family held hostage and shot one by one if you give them the wrong or no access at all. Most likely this will not happen to get my email account.

        So there will always be some sort of level at which you say "This is not worth the trouble." and forced changing of passwords WILL make them less secure. All your company security is only as strong as the weakest link, so what you must achieve is not to make the strong

  • Case to case (Score:2, Insightful)

    by immakiku (777365)
    His argument is only valid for certain cases, where damage done can be spread out over the course of days or weeks. Sometimes the majority of damage/benefit derived can be derived within minutes or hours. Example: access to a victim's email account (to mine contact list or to spam or to impersonate) or access to a bank account, in which a sizable transfer can be done immediately.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      Bruce makes that same point in the full article, it just wasn't mentioned in the summary. ...yeah yeah, nobody RTFAs :(

  • About 99% of the time it would take to brute force it.

    • What if the attacker is brute forcing it in a random order? That time could be under a second if he's very lucky.

  • by digitaldc (879047) * on Thursday November 11, 2010 @11:59AM (#34196982)
    ...lose the post-it note on the bottom of your keyboard that you wrote it on, of course.
    • ...lose the post-it note on the bottom of your keyboard that you wrote it on, of course.

      Not even. I've had users go through the trash in order to find the post-it note they had on their monitor that fell off when the cleaners went through the office.

      It's also crucial to change passwords (for websites) using the forgot password function whenever they "accidentally" delete their cache/forms/passwords in IE.

    • by Loosifur (954968)

      Hey! Get off my keyboard, you!

  • by NavyNasa (18525) on Thursday November 11, 2010 @11:59AM (#34196988)

    Are you hiding something?

  • by qoncept (599709) on Thursday November 11, 2010 @12:00PM (#34196990) Homepage

    If a membership card expires after a year, then if someone steals that card he can at most get a year's worth of benefit out of it. After that, it's useless."

    Unless, you know, you log in and it prompts you to change the password. Now it's not only useful to the person who stole it, but useless to the person it actually belongs to.

    I personally don't think password changes should be required unless there is a specific reason. Someone hacked your account? Change your password.

    If you have passwords for a couple dozen systems (very easy) and each of them requires you to change your password every 3 months, you're going to start forgetting them. So you don't, you're going to start writing them down or storing them in some way. Or you're going to increment a number in your password, so it's still basically the same. Or you're going to use the same password for slashdot and faceboook.com (see that? it's a spoof site designed to steal passwords) and your bank account.

    • Re: (Score:2, Funny)

      by Rob the Bold (788862)

      If you have passwords for a couple dozen systems (very easy) and each of them requires you to change your password every 3 months, you're going to start forgetting them. So you don't, you're going to start writing them down or storing them in some way. Or you're going to increment a number in your password, so it's still basically the same. Or you're going to use the same password for slashdot and faceboook.com (see that? it's a spoof site designed to steal passwords) and your bank account.

      Thanks, man. I quickly logged in and changed my faceboook and bank passwords. You saved me a great deal of hassle and money!

    • Our software forces users to change their password every 90 days and it can't be the same as any of the last 4 passwords. This is do to PA-DSS compliance. Interestingly, one of the top 3 complaints we get: we force users to change their password every 90 days and it can't be the same as the last 4 used.

      • Re: (Score:3, Interesting)

        by Rich0 (548339)

        Fortunately crazymonkey1, crazymonkey2, crazymonkey3, and crazymonkey4 are all unique passwords.

        Oh no, I hacked an account with the password crazymonkey28, and the user changed it due to expiration. Gee, I wonder what the new one might be.

        These kinds of aging mechanisms are great for box-checkers, but I don't think they do much to promote real security.

    • It encourages password reuse. If you have to learn a new password all the time, well then makes sense to keep it to just one password. Every month you learn a new password and change it on all your sites. That's really secure! ... Not. That situation means if someone gets your password, they are in to EVERYTHING.

      Personally I'm with Schnier that password changes aren't useful on their own and I take it further: You shouldn't change your password unless there's a reason for high security systems because your

  • he's at it again (Score:3, Insightful)

    by mestar (121800) on Thursday November 11, 2010 @12:01PM (#34197008)

    Another suggestion from the expert where millions of people will waste time, yet, nothing security wise will be improved.

  • by Drakkenmensch (1255800) on Thursday November 11, 2010 @12:09PM (#34197110)

    Never use the same password in two places

    Always use randomly generated password

    Never same them to browser cookies

    Never write them down so they can't be stolen

    Is it just me or are security experts willingly trying to get us to just forget the twenty to thirty passwords we need to use on a weekly basis?

    • by Tridus (79566) on Thursday November 11, 2010 @12:19PM (#34197264) Homepage

      We've been going through this at work. The "security experts" came up with all kinds of assanine rules. Stuff like "don't show the length of the password as a user types", "don't reuse the same password on different systems", "don't write them down", "change them every 3 weeks", etc.

      The problem is that none of these people have a bloody clue how ordinary users deal with this stuff. If you listen to security experts, you get bullshit that destroys usability and forces users to get ever more creative in bypassing the rules.

      IMO no "security expert" should be allowed to come up with rules without a usability expert sitting behind them holding a taser.

      • by jeffmeden (135043)

        Tasers will automatically self-sacrifice their capacitors if brought too close to Bruce Schneier. He once was approached by a man with a Taser; he ripped the man's arm off to tase him with it and the taser never forgot. Tasers never forget.

      • by betterunixthanunix (980855) on Thursday November 11, 2010 @01:29PM (#34198150)
        Security experts will tell you that usability is a part of security. The harder it is to use a system, the more likely it is that people will make a mistake, and in the case of a security system that often means compromising security in some way.

        Passwords as a secure authentication method are a really bad idea. Humans are pretty terrible at coming up with random passwords, and only marginally better at remembering a randomly generated string. It is easy to accidentally enter the one system's password when logging into another system (and if you are logging into a system run by someone like Mark Zuckerberg, this could get you in a lot of trouble). Cryptographic logins are a hell of a lot better, all that would be needed is a good way for people to carry crypto keys around with them (which is not asking much given how many different storage devices people usually carry around -- cell phones, thumb drives, cards, etc. -- any one of which could be used to store a key). Web browsers are already capable of supporting cryptographic logins, it should not take a terrible effort to enable web browsers to use crypto keys stored on some portable device.

        Yes, I know, someone could steal your thumb drive and get all your credentials. Yet we rely on house keys to protect our homes, and someone could steal your house keys and enter your house (which would give them physical access to your computer). Users can use a passphrase to help protect their crypto keys from theft (this is somewhat better than just a password login since an attacker would need the keys before they could even attempt a brute force attack, and your passphrase would only need to thwart an adversary long enough for you to report the theft and revoke the stolen keys).
    • Browser *cookies*???

      Who's saving passwords to browser *cookies*? When your browser prompts you to save your password, it's putting it in an encrypted database file, sometimes using the OS's own key-storage service.

      I only wish that I could hack my browser to ignore sites' settings on password storage so that I could keep all of them in the keychain behind a single, master password that I actually have hope of remembering without post-its.

    • by bmo (77928)

      You didn't read the fine article to the end.

      Never use the same password in two places

      No, he doesn't say that. He even goes on to say to not think too hard about passwords for websites that you don't care about. It all depends on the situation.

      Always use randomly generated password

      He doesn't say that either. He said pick a "good password" which is defined as something not easily guessable. Password policies that are overly restrictive create situations where people create easily guessable passwords (requ

    • "Never write them down" isn't really a problem as long as you keep them somewhere safe, like your wallet. If you wrote down all your credit card details, someone could use it online just as effectively as if they had your actually credit card (though some places also use a "SecureCode" or whatever, in which case not storing your securecode in your wallet would be a nice idea).

      Personally I make my passwords relatively strong, though I do often re-use them and don't like to change very often. I do have some p

    • by vivek7006 (585218)

      Use firefox or chrome + pwdhash

  • by mrnick (108356) on Thursday November 11, 2010 @12:11PM (#34197132) Homepage

    "Use it regularly, change it frequently, and don't share it with anyone!"

    • by Art3x (973401)

      "Use it regularly, change it frequently, and don't share it with anyone!"

      But what if you have to keep track of twelve toothbrushes?

    • by vivek7006 (585218)

      Just like a condom "Use it regularly, change it frequently, and don't share it with anyone!"

  • by thomasdz (178114) on Thursday November 11, 2010 @12:16PM (#34197208)

    Passwords are so 1990. I realize that it requires a little extra work, but those RSA-type key fobs that have the little LCD that displays a new "passcode" every minute should be universal by now... I love those things.
    Banks should issue them to everyone, employers should issue them to everyone...
    C'mon this technology has been in active use for at least 15 years now...it should be cheap and everyone should use it.

  • by Bertie (87778) on Thursday November 11, 2010 @12:19PM (#34197254)

    Make people pick a strong password and then let them keep it. I mean, if it never exists outside somebody's head, it can't get lost or stolen. Forcing regular changes makes them likely to forget, or run out of ideas and choose weaker passwords. For example, I know someone who copes with the requirement to change regularly by cycling through the names and numbers of the players of his football team. This is fairly easily guessed at, and he wouldn't have to do it if he didn't have to keep changing his password.

    Obviously I've no numbers to back it up, but I'd imagine security is breached far more often by finding passwords scribbled on Post-Its than by brute-forcing. I mean, that's really hard to do, and the rewards have to be well worth the effort, which they seldom are. So eliminate the need to write them down which so many people obviously feel.

    Nobody knows my passwords but me. I've never written them down. I've never suffered any security compromises.

    • by Combatso (1793216)
      I agree... ive worked in IT a long time, and its always the persons fault for letting their passwords out... sometimes its a post-it, but usually people are just willing to give it out... especially to any IT staff, just walk up and ask "whats your password?"... they just assume its for a good reason and hand it over... after countless meetings, memos and shit-cannings... People will cover the debit machine at the grocery store as if they are gaurding the nuclear launch codes, but their wall-safe at the
    • Well there's also the scenario of using your password somewhere, and the server being breached, or even of that service being run by some malicious party.

      I had a friend forward me an emails with something like "type in your MSN details here to find out who has blocked you". I advised her to change her password immediately, because she no doubt just put her username and password in there without thinking. If she also used that email address and password combo in other places then they could get access to tho

    • if it never exists outside somebody's head

      Except that it does exist outside of their head: the password is communicated to the system that the person is logging in to. Case in point:

      http://www.businessinsider.com/how-mark-zuckerberg-hacked-into-the-harvard-crimson-2010-3 [businessinsider.com]

      From the article:

      Mark used his site, TheFacebook.com, to look up members of the site who identified themselves as members of the Crimson. Then he examined a log of failed logins to see if any of the Crimson members had ever entered an incorrect password into TheFacebook.com. If the cases in which they had entered failed logins, Mark tried to use them to access the Crimson members' Harvard email accounts. He successfully accessed two of them.

  • The answer (Score:4, Insightful)

    by pehrs (690959) on Thursday November 11, 2010 @12:24PM (#34197306)

    Frankly, the answer is almost always "Never"

    The human brain is not good at memorizing strings. I deal with well over 100 passwords a normal week. Assuming, generously, a 6 month timeout it would mean memorizing new passwords every few days. I have better things to do with my life. Much better things. As does the vast majority of users, which is why any company with short password timeout find that the passwords are either on post-it notes under the keyboards or a variation of "anna-December01".

    If your system demands high security a passwords are not suitable anyway. You should be going for multi-factor authentication, not make the passwords longer or time out more often.

    But, you might say, shouldn't changing passwords limit my exposure in an networked environment?

    Well, there are a few alternatives. If you store your passwords in an insecure manner (postit under the keyboard, your secretary etc...) then you have allready lost. Anybody can grab your password when they need it. If you keep them secure (memorized), but worry about some server being hacked there are two allternatives: Either you have the same password everywhere, and then updating the password won't change anything, as the attacker will have your password the moment you update it. Or you have different passwords, and then it server where you updated it will still be compromized, but the rest still secure.

    If you send your passwords in clear text over the network and worry about sniffing you don't care about the security.

    In the end, passwords are simple security mechanisms for discuraging causual abuse of systems. Make sure they do not fall to a trivial brute-force attack and move on. If you need real security you will have to look beyond passwords anyway.

  • My RSA token generates a new unique password every 60 seconds.
    • by blair1q (305137)

      Meaning anyone with your RSA token has access to everything, and you won't know it until you get to work in the morning and the one they swapped it for looks suspiciously new.

      Last I checked, memories were harder to slip off a keychain.

      • by bhcompy (1877290)
        What's my username? And who doesn't keep their token on them at all times? Leaving your token unsecured at your desk is the same as leaving your l/p written on a piece of paper and posting it on the bulletin board. The point of the enhanced security of the token is to keep it on you at all times, and in all of the implementations I've seen it's not the only security measure. One login and rotating password for access then RSA login and password for authentication
        • by blair1q (305137)

          What's my username?

          Easier to crib than your password. Probably attached to all your emails.
          Certainly shows up in file listings.

          The point of the enhanced security of the token is to keep it on you at all times

          Same as a password, but the token, being seperable from you, is quite a bit easier to exploit.

          One login and rotating password for access then RSA login and password for authentication

          Well that's a different situation. You actually do have a password that you keep in your head. And I'm sure they put t

  • Passwords should have lifetimes dictated by their strength.. Weak passwds rejected, mild passwds say 30 days, medium passwds 60-90 days, strong passwds 180-360 days, and impenetrable passwds should not require changing.

    Impenetrable = >= 16 characters, mixed case, numerals, punctuation, and passing all dictionaries. I have 3-5 of these consigned to muscle memory, and rotate thru them whenever I'm forced to change my passwd, it's annoying as FUCK.

    • by muckracer (1204794) on Thursday November 11, 2010 @12:58PM (#34197754)

      > Weak passwds rejected, mild passwds say 30 days, medium passwds 60-90 days, strong passwds 180-360 days, and impenetrable passwds should not require changing.

      I like it. Might not be that easy to test for though.

      > Impenetrable = >= 16 characters, mixed case, numerals, punctuation, and passing all dictionaries.

      Personally I *hate* all that mixed character crap and only use lower-case characters, so I don't have to hit Shift or otherwise contort my fingers. Rather make it longer but a lot easier to type:

      16 random characters from entire ASCII set (95) = 105 bits (you'd need 21 to reach 128-bit security)
      16 random characters from lower-case letters (26) = 75 bits (you'd need 28 to reach 128-bit security)

      Not that much of a difference. Even 75 bits would suffice for most applications.

      More characters to type overall, but probably the best trade-off for entry speed, recall ability and security is the Diceware approach. 10 random words = 128+ bit.

      Use KeePass anyway for the multitudes of Logins or even a simple:
      vim -x my_passwords.txt
      ( :set cryptmethod=blowfish )

      • by LainTouko (926420) on Thursday November 11, 2010 @03:06PM (#34199296)

        Personally I *hate* all that mixed character crap and only use lower-case characters, so I don't have to hit Shift or otherwise contort my fingers.

        And additionally, if you've trained yourself to be really good at remembering, say, lists of words, or have a good scheme for generating such lists in a repeatable fashion from some secret, and some application rejects your "flab nail sandwich under fixing splats time" password because it doesn't have a number in it, the chances of you writing down whatever awkward password you now have to remember and sticking it on your monitor are considerably increased.

        Password systems should work with users to make it as easy as possible for them to create passwords which are hard to guess, but they find easy to recall. The only acceptable way to reject passwords as too weak is by running some entropy-assessment algorithm on them. That way the system can work just as well for string-of-words guy, and can-remember-things-like-e47%TeGGz1#~? man.

  • Passwords as currently known will hopefully become old hat soon. I long for the time when I can own a private key in hardware, where drivers on all platforms are cheap commodity and where all programs and systems will be able to offer e decent authentication interface.

    A password can be stolen more easily than the combination password + private key.
  • Seriously I've used "1234" on all my email accounts and my root admin account for years and never had the problem.
    Hold a sec. My router is going a little crazyF8($&#Rin85M3$%
    s fpjl ;?>I ALW7H;
    [CARRIER LOST]

  • This again. Just like that lady from Microsoft which challenged the 7 password rules. [slashdot.org]

    I am not a security specialist. Yet I seem to know something they don't: that "frequently" changing the password is meant to avoid brute-force over the password hash being profitable, not to avoid a person who already knows the password to use it.

    Example: excluding the dictionary-based, < 8 length, all lower case letters, etc which are broken easily, let's suppose it takes 2 months to break a good password's hash by brut

    • > Example: excluding the dictionary-based, If your system obliges you to change your password every 2 months - 1 day, when the attacker finally breaks the old password it's no longer valid.

      Except there's a fundamental error in that argument:

      The attacker doesn't have to search the entire key space to finally hit the password. Only half of it on average. In fact, he can get lucky and hit it in a couple hours! So you have no idea and that 2 months policy is worthless!

      And that's not even getting into the qu

  • If you are at all worried about changing your password, then a password is not enough. Changing doesn't help, as soon as your password is compromised it needs to be changed. Multiple factors is a much better solution than changing passwords, which only provides a false sense of security at best.
  • Related questions: how often should you change your username? real name? identity? SSN? fingerprints? retina pattern? DNA?

  • A = average number of people targeting you via password attacks at any time.
    B = average time it takes for your password to be hacked by one person.

    T_expire B/A

    So you can improve security by

    1. Heeding T_expire
    2. Increasing B by using trickier passwords
    3. Reducing A by nuking China

  • In theory, forced password changes leads to more security, as it narrows a window of compromise.

    In practice, a force password change often leads to less security. The basic problem is that it's hard to memorize passwords.

    If forced passwords are too frequent, people will change 'mypassword' to 'mypassword2', then 'mypassword3'.
    Or change to a new more secure string unrelated to the previous one. Perhaps 'Xoolu3j3e'. However, in the case of too frequent changes here, its hard to keep track of the passwords, s

  • "Of course my password is the same as my pet's name.
    My dog's name was Q47pY!3$H9x, but I change it every 90 days."

  • by blair1q (305137) on Thursday November 11, 2010 @01:25PM (#34198100) Journal

    I have in excess of 10 passwords just for work (and I'm not an admin, just an end-user, here).

    Every one of those pieces of software has different rules and timeouts. Some have aging enabled, some don't. Some prohibit reuse, some don't.

    I keep a spreadsheet with the rules for all of them (not the actual passwords; those I memorize), and change them en masse when the shortest-lived one nags me.

    So the question is moot. It's not reasonable to believe that in our lifetimes we'll get all of the makers of various pieces of software to change the way they control passwords. Many of these software packages have designs that are ingrained in contracts. Not that the details of the password system are called-out in a contract, but changing anything about the software is a matter of reopening requirements specifications that were locked-down according to a process that is defined and referenced in a Software Development Plan that is released and signed and referenced in a contract. Times the thousand instances of the software at the software vendors' various customer sites. And it's not possible to make a companywide decision to turn off password aging or protection on some of the software, as it's built-in turned-on by the vendor to protect their licenses.

    So the answer is, I need to change my passwords as often as the software insists. Not that I want to, or that it makes any sense, but that it's how it is, and I can change that no more than I can change the commute routes available to me.

  • jhigh writes

    ... Bruce's analysis seems on target.

    Whew. When I got the recommendation from the guy who wrote the book on security, I wasn't so sure. But since jhigh endorses it, I'll take it under advisement.

This is a good time to punt work.

Working...