How Often Should You Change Your Password?

jhigh writes "Bruce Schneier asks the question, how often should you change your password? 'The primary reason to give an authentication credential — not just a password, but any authentication credential — an expiration date is to limit the amount of time a lost, stolen, or forged credential can be used by someone else. If a membership card expires after a year, then if someone steals that card he can at most get a year's worth of benefit out of it. After that, it's useless.' Another reason could be to limit the amount of time an attacker has to crack the password, but Bruce's analysis seems on target."

  • What's the point? (Score:1, Informative)

    by fieldstone ( 985598 ) on Thursday November 11, 2010 @11:56AM (#34196938)
    If someone steals your password, as I learned when my gmail account was hacked, the first thing they're going to do if they know anything is change both your password and your security questions. The only way changing your password will help is if the person who's stolen it is too dumb to do this, and that seems unlikely.
  • Re:Case to case (Score:2, Informative)

    by Anonymous Coward on Thursday November 11, 2010 @12:17PM (#34197214)

    Bruce makes that same point in the full article, it just wasn't mentioned in the summary. ...yeah yeah, nobody RTFAs :(

  • Re:What's the point? (Score:4, Informative)

    by clang_jangle ( 975789 ) on Thursday November 11, 2010 @12:21PM (#34197288) Journal

    Maybe I'm missing something here, but what's the problem with allowing the browser to remember logins for you if you don't ever allow anyone else to use your computer?

    The browser can be hacked; most of them have been at one time or another. Any data stored in the browser can potentially be retrieved by a third party. Personally, I consider memorizing a few passwords and their variants to be effort well-invested.

    I'm reasonably sure the way my account was hacked was when I stupidly logged into it on someone else's computer.

    That's one way it can happen.

  • Re:What's the point? (Score:4, Informative)

    by rvw ( 755107 ) on Thursday November 11, 2010 @12:57PM (#34197726)

    If my goal is to use your GMail account for spam then yes, I will change the password. If my goal is to monitor your emails I most certainly will not change the password, and will just log in every day to read your correspondence.

    That's an excellent point. Unfortunately, even a regular change-of-password routine means that the malicious party gets a month, or three months, or six months, or what-have-you length of time following your account.

    This is why I am annoyed that so few systems implement the simple precaution of displaying the last date, time, and location from which I (putatively) logged in. At negligible cost, that information would allow me to detect a compromised account at next login, rather than remaining unknowingly insecure until my next password change.

    Gmail displays this information in the footer of the page. However, you must be aware of this, and you have to know what it means, what your IP address is, etc. I know this info exists, but I almost never look at it, to be honest.
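The "show me my last login" precaution rvw describes is cheap to build, so here is an added example of the server side (editor's illustration, not code from Schneier's article, Slashdot, or Gmail). The server keeps the time and source address of each account's last successful login, hands the previous record back on the next login so the page can render it, and flags a change of source network so the user has a reason to actually read the footer. All logins and addresses below are constructed sample data; the /24 and /48 comparison widths are an assumption chosen so a home DHCP lease change does not trip the warning.

```python
"""Added example: show the user their previous login on each sign-in."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LoginRecord:
    when: datetime          # UTC timestamp of the successful login
    source_ip: str          # remote address as seen by the server


@dataclass
class LoginNotice:
    previous: Optional[LoginRecord]   # None on the very first login
    current: LoginRecord
    new_network: bool                 # source network differs from the previous login

    def render(self) -> str:
        """Text the application can put in the page footer after login."""
        if self.previous is None:
            return "This is the first recorded sign-in for this account."
        line = (f"Last sign-in: {self.previous.when:%Y-%m-%d %H:%M} UTC "
                f"from {self.previous.source_ip}")
        if self.new_network:
            line += " (different network from this sign-in; check it was you)"
        return line


def _same_network(a: str, b: str) -> bool:
    """Coarse comparison (assumed widths): /24 for IPv4, /48 for IPv6, so a
    new DHCP lease at home is quiet but a different ISP or country is not."""
    ia, ib = ip_address(a), ip_address(b)
    if ia.version != ib.version:
        return False
    prefix = 24 if ia.version == 4 else 48
    return (ip_network(f"{a}/{prefix}", strict=False)
            == ip_network(f"{b}/{prefix}", strict=False))


class LoginAudit:
    def __init__(self) -> None:
        self._last: Dict[str, LoginRecord] = {}
        self.history: List[Tuple[str, LoginRecord]] = []   # append-only log for incident response

    def record_login(self, user: str, source_ip: str, when: datetime) -> LoginNotice:
        """Call only after the credential check has succeeded; returns what to show the user."""
        current = LoginRecord(when.astimezone(timezone.utc), source_ip)
        previous = self._last.get(user)
        self._last[user] = current
        self.history.append((user, current))
        new_net = previous is not None and not _same_network(previous.source_ip, source_ip)
        return LoginNotice(previous=previous, current=current, new_network=new_net)


def _utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


def demo() -> List[LoginNotice]:
    """Constructed login sequence for one account (sample data, not real logs)."""
    audit = LoginAudit()
    return [
        audit.record_login("alice", "203.0.113.7",   _utc("2010-11-09 08:30")),  # home
        audit.record_login("alice", "203.0.113.9",   _utc("2010-11-10 09:12")),  # home, new lease
        audit.record_login("alice", "198.51.100.23", _utc("2010-11-11 03:47")),  # unexpected network
    ]


if __name__ == "__main__":
    for notice in demo():
        print(notice.render())
```

The third notice is the one that catches the quiet reader rvw describes: a login from an unexpected network at 03:47 shows up on the user's next sign-in instead of staying invisible until the next scheduled password change.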

  • by Anonymous Coward on Thursday November 11, 2010 @01:49PM (#34198386)

    Passwords are so 1990. I realize that it requires a little extra work, but those RSA-type key fobs that have the little LCD that displays a new "passcode" every minute should be universal by now... I love those things.

    They're not cheap to license, especially from RSA. A good alternative may be Yubikeys.

    Banks should issue them to everyone, employers should issue them to everyone...

    Many have. The criminals have found ways to get around them:

    http://www.schneier.com/blog/archives/2005/03/the_failure_of.html
    http://www.schneier.com/essay-083.html

    They certainly help, but they're no panacea. You also have to introduce mechanisms for when (!) people lose them: if your design depends on their presence, how do people get in without them? A lot more complicated than simply having people call in, answer a bunch of questions, and have it reset (and it being mailed to them perhaps).

  • Re:What's the point? (Score:4, Informative)

    by moderatorrater ( 1095745 ) on Thursday November 11, 2010 @02:19PM (#34198726)
    But TFA did - he mentions how after breaking up with someone you shared a computer with you should change all of your passwords. Almost like Bruce Schneier has had experience with that...
  • by SnarfQuest ( 469614 ) on Thursday November 11, 2010 @03:49PM (#34199856)

    A very common attack is where the attacker gets hold of the hashed passwords one way or another.

    A system shouldn't make this easily available. The password file really should be hard to get. Besides giving you the hashed passwords, it also gives you a list of valid user names. Having to guess both the user names and the passwords makes breaking into a system much harder.
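SnarfQuest's two points, make the hash file hard to get and don't hand out the user list, are worth pairing with what to do on the assumption that the file leaks anyway. The following is an added example (editor's code, not from the article or any system in the thread) of a password store that salts and stretches each hash so a leaked file costs the attacker one slow computation per guess per user, and that does the same amount of work for an unknown user name as for a real one, so a remote guesser cannot learn which names exist from the response time. The scheme string, the iteration count and the sample users are assumptions for the illustration.

```python
"""Added example: salted, stretched password hashes with enumeration-resistant login."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

SCHEME = "pbkdf2_sha256"
ITERATIONS = 100_000      # illustrative work factor; raise until one hash costs ~100 ms on your server


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return '<scheme>$<iterations>$<salt hex>$<hash hex>' with a fresh random salt.
    A per-user salt means a leaked file cannot be attacked with one precomputed table."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iters, salt_hex, hash_hex = stored.split("$")
    if scheme != SCHEME:
        raise ValueError(f"unsupported scheme {scheme!r}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


class PasswordStore:
    def __init__(self) -> None:
        self._users: Dict[str, str] = {}
        # A dummy record that costs exactly as much to check as a real one.  It is
        # used when the user name is unknown, so "no such user" and "wrong password"
        # take the same time and the login endpoint does not confirm valid names.
        self._dummy = hash_password(os.urandom(16).hex())

    def add_user(self, name: str, password: str) -> None:
        self._users[name] = hash_password(password)

    def authenticate(self, name: str, password: str) -> bool:
        stored = self._users.get(name, self._dummy)
        ok = check_password(password, stored)
        return ok and name in self._users      # the dummy record must never log anyone in

    def export_lines(self) -> List[str]:
        """What actually sits in the file an attacker might steal: names and salted
        hashes only.  Keep that file readable by the authentication service alone."""
        return [f"{name}:{record}" for name, record in sorted(self._users.items())]


if __name__ == "__main__":
    store = PasswordStore()
    store.add_user("alice", "correct horse battery staple")   # constructed sample user
    print(store.authenticate("alice", "correct horse battery staple"))
    print(store.authenticate("mallory", "anything"))
    print("\n".join(store.export_lines()))
```

Note what the dummy record does and does not fix: it removes the timing difference at the login endpoint, but a "forgot password" or registration page that says "no account with that name" leaks the same list through a different door, and the file itself still reveals every valid name to anyone who obtains it, which is the part SnarfQuest is pointing at.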
