wisdom of changing your password ?

chronodekar

Senior member
Nov 2, 2008
721
1
0
Forgive me if this is silly, but it's been bothering me for a while - What is the benefit of changing your passwords often ?

From a hacker view point, he/she wouldn't know anything about your password and it is as good as a black box isn't it ? In that scenario, what is the security we get when we change our passwords ? (Granted, if someone sat for a month hacking away, then it would screw them up, but is this really a valid scenario ?)

Please note, I'm not trying to defend a bad practice here. And I know why "H@jr34" is more secure than "ILoveGermany". I just want to clarify for myself, why do so many security experts say it's a good idea to change your passwords often ?

-chronodekar
 

Dark Penguin

Member
Dec 7, 2007
89
0
0
People tend to give out their passwords. "Oh, yeah, that file is on my desktop. My password is ILoveGermany."

Of course I had a coworker who protested the new password every week policy by putting his on a Post-it note on his monitor. (I would just repeatedly change mine until I overwhelmed the history and then go back to my first password.)
 

Miramonti

Lifer
Aug 26, 2000
28,651
100
91
I tend to think changing passwords often is a wash, and while it may help with some security risks it can increase other security risks, such as it being intercepted in the process.
 

chronodekar

Senior member
Nov 2, 2008
721
1
0
The "people tend to give out their passwords" is not really a, .. how shall I put it? ... reason enough to insist on changing a password often. What about for logins that I do NOT share with anyone? Like my bank details ? (I'm not married)

So far, I'm getting the feeling that is a misguided "security advice" that should become an urban myth...

-chronodekar
 

tzdk

Member
May 30, 2009
152
0
0
Well logic is your password is never safe, is probably being stolen as we speak. You were not aware you are being hacked? So changing it must be a good thing right? Actually the more times you change the better. Try once per. day for maximum protection.

Using a password manager of some sort makes sense though - makes this need for change redundant.

Security experts do not always agree. You can still find some who freak out over cookies for example. That insist any GrandMa must run a better firewall than the one in Windows or she will get virus! Firewall has always been a buzzword. People like it! You must know the type? They live in a war zone, constant battle 24/7. They don't have to arrange a likely or human understandable scenario to regard whatever as a threat. It IS! If you know normal people you might agree this screaming and looking for risks under the carpet is almost anti-security. No one learns, no one gets help because that way of computing is only for the chosen ones.
 

chronodekar

Senior member
Nov 2, 2008
721
1
0
tzdk,

Following that argument, the best place one is secure is in jail! Lock yourself up for maximum protection.

-sigh-

"once per. day .." ? You're being sarcastic, right ?

-chronodekar
 

balloonshark

Diamond Member
Jun 5, 2008
6,402
2,839
136
While you may keep your password secure, who's to say that the bank, email service, forum, etc. are secure. Some companies get compromised and don't disclose that information due to the embarrassment, damage to reputation, cost to rectify the problem, etc.

Is your identity and financial well being worth the trouble of changing your password every now and then?
 

tzdk

Member
May 30, 2009
152
0
0
Yes chronodekar. On the other hand you could say that any talk of password is useful since so many can't be bothered to use good ones, different ones too. You don't recycle passwords of course. Maybe 1 for forums but different ones for all that has some importance, Gmail, Live ID, anything related to money for sure. Why Windows should come with a password manager. As important as MSE I think. Not that many know roboform, lastpass, keepass etc.

You can always mistrust balloonshark. The banks, insurance, public/stately stuff we have here are very secure, can't remember any exploits at all. In fact I can't change password to bank. Locked due to generated file which must be loaded before entering matching password. Feature not a bug. I guess I can change but not without contacting them for new code and what not.

Remember Google indexed and made any Notebook searchable at launch? That was Google and not some amateur startup. Must always think about what info goes where and who can see it. Also it happens a forum or more important service gets hacked and pwords become public. So it does make sense to change then! But I think it is almost irrelevant if there were no problem to begin with. Like that about using different passwords. Thinking about who you do business with of course. Not letting browser save them, encrypted if possible. If Windows had such a password manager I think it would create higher security awareness. If having gone through the trouble of using good passwords then maybe not such a huge task to update Java, flash and what else some struggle with.

Not like MS does not understand importance https://www.microsoft.com/protect/fraud/passwords/checker.aspx

They say never to keep pwords in a file on hd since criminals will look there first. They will definitely skip checking browser. Majority go for max. convenience not max security.
 

tzdk

Member
May 30, 2009
152
0
0
Btw. a friend of mine has a special "online-shopping" account and credit card. Is always empty except when he buys something. If cost is 100$ he transfers that amount from inside the bank service just before paying up. Then back to zero again. I guess similar logic as using different passwords. I have not done this yet.
 

tzdk

Member
May 30, 2009
152
0
0
This shows many are not "ready" for password policies requiring any thought or effort: http://lifehacker.com/5453721/no-time-like-the-present-to-choose-strong-passwords

If you convinced one of those with 123456 to change it would become 654321. Microsoft really should release a little program to handle this. Does not have to be a Roboform competitor. They could also release a Fix-It to disable browser saving passwords. They have one to disable autorun for usb drives and this is just as important.
 

chronodekar

Senior member
Nov 2, 2008
721
1
0
tzdk,

I think you are missing my point. First off, I am not talking about strong vs weak passwords. I consider "123456" to be a very weak and idiotic password. Yes, we DO need better password managers, ones that tell us when a password is good/bad.

But, what I'm trying to highlight is - what is the point of frequently changing your password?

Regardless of how often you change your password, if your service provider (or any host) were to get compromised, so would your activities with them. And changing your password AFTER the fact, is not really a good fix now is it? The milk had been spilled.

Considering the rate of replies this thread is generating, I'm beginning to think of "change your password often" to be an urban myth of sorts.

-chronodekar
 

tzdk

Member
May 30, 2009
152
0
0
Well there is no answer to your question since it will always depend on the situation. Making new password security layer no. 17 is meaningless if the first 16 blows. If everything is tiptop what is the point unless you feel better by doing it? How can you predict when Twitter is hacked next time? Changing passwords 10 times per day makes sense then? Why care since you do not recycle passwords.

I am not into hacking at all but when bored I visit a forum dealing with this, password stealing, social engineering, hacking websites/forums, tutorials for whatever. If interested I can PM you the link though it is easy to find on Google. Is public and so not 100% professional, those you don't hear about. But you will fall off chair I think. Much is laughable but not everything. Like it take 5 minutes to build an exe-file snatching Gmail password. Pack it in a cooool program, send it off to torrent sites etc. and then wait for ftp-server to receive. Why I tried that one was because he claimed no AV could detect it. He was right, at least from a Virustotal scan. (Almost) forget about scanners is a valuable lesson most have not learned yet. Well, amazingly domain is not blocked by browsers or services like WOT. Another lesson. The experts you have been reading will NOT approve of this interest. They focus on blocking, avoiding, hiding, warning, ducking. I will almost guarantee you will benefit but no need to say it is high risk to download and test for your self. Just reading is bad enough! I don't mean you should send infected material out on the internet but you can test locally. If not confident doing that then don't. Not like it is rocket science to understand.

You will see it make no sense to ask for value of this or that since focus must be on everything, all the time. Without getting paranoid or limit pleasures! You must know what "From a hacker view point" means to be secure.

To give a hint:
I have a guy infected with a RAT and I got his steam account with a ton of good games, the only thing is, its verified with a gmail account so i cant steal it, YET

I have tried his steam password and pretty much everything I got from the logs, but im assuming that he has his PW saved so ne never really enters it. Any idea on what I can do when I have my RAT installed on him to get the password?

Oh ya and he uses opera and Im not sure theres any stealers that can steal opera passwords?
 

rasczak

Lifer
Jan 29, 2005
10,453
22
81
With rampant viruses/spyware/keyloggers etc. etc. does the average person really know what is on their computer? We are different because we understand the concept and find it useful yet annoying. The average user does not understand and therefore must be made to subscribe to a policy in order to protect not only themselves, but the work environment. You never know who's tapping your line, so changing your password often and with complexity makes it harder for someone to figure out what your password is and makes them give up and try to find someone easier to hack.
 

tzdk

Member
May 30, 2009
152
0
0
The interesting part of my quote is not him wanting passwords but "I have a guy infected with a RAT" part. When did problem start?, what precisely went wrong?, where did his defense fail? What happens next is up to the "hacker" not him. He has no clue. Changing password might be useful in local environment and might help keep people on their toes but in the bigger picture it is pissing in the pants.

The experts chronodekar mentioned will not just say change password but many other things. Even for them it will be icing on the cake, list is long! I have read many "safe computing" guides and none have really related to the fact that majority directly or indirectly use illegal software, are avid users of not recommended sites. Take a forum like this, I would estimate min. 80%. I wonder if not such guides would be better if they were adjusted to real life. Like how to manage torrents and such correctly - is illegal but makes sense. Of course some will follow guides to the letter and all is fine. Some also go to church every Sunday. For majority preaching doesn't help. Too many temptations and inconveniences. Not going to change so might as well relate. Almost illegal to say that but what is effective?
 

GaryJohnson

Senior member
Jun 2, 2006
940
0
0
I think you guys are missing the point on this. I'm with chronodekar. If your system is already compromised, changing your password isn't going to do diddly. The hacker is going to have it as soon as you change it.

I think the "change your password regularly" mentality might be left over from a time when PC security systems weren't complex enough to catch brute force attacks or when memory and storage requirements forced short maximum lengths on passwords. If someone is brute forcing you, and you change your password, you might change it to a password they've already tried, thus thwarting their brute force attempt.
 

lxskllr

No Lifer
Nov 30, 2004
57,659
7,893
126
> I think you guys are missing the point on this. I'm with chronodekar. If your system is already compromised, changing your password isn't going to do diddly. The hacker is going to have it as soon as you change it.
>
> I think the "change your password regularly" mentality might be left over from a time when PC security systems weren't complex enough to catch brute force attacks or when memory and storage requirements forced short maximum lengths on passwords. If someone is brute forcing you, and you change your password, you might change it to a password they've already tried, thus thwarting their brute force attempt.

It could stop "in person" attacks also. If someone manages to get your password one day, and it changes the next, they're shut out again. I'm a little dubious of the benefit considering the hassle involved, but that could help in cases of corporate/government spying.
 

Fayd

Diamond Member
Jun 28, 2001
7,971
2
76
I can understand a company changing a password to a shared resource regularly. HOWEVER: most shared resources allow for individual user accounts. So this shouldn't be the case either.

I can't understand a person changing a password to their own personal resources regularly.

So no... I don't see the need to regularly change a password.
 

elcamino74ss

Senior member
Jun 6, 2005
215
0
0
Just another point of view but many of the regulatory/audit standards all require a password strength complexity and frequency of change.

This alone is another reason why many companies may have to enforce this "best practice"

Thank you auditors
 

RadiclDreamer

Diamond Member
Aug 8, 2004
8,622
40
91
My thoughts have always been

Too simple of a policy, weak and easily guessed passwords get used
Too strict of a policy, post its get stuck to the monitor
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
> Forgive me if this is silly, but it's been bothering me for a while - What is the benefit of changing your passwords often ?
>
> From a hacker view point, he/she wouldn't know anything about your password and it is as good as a black box isn't it ? In that scenario, what is the security we get when we change our passwords ? (Granted, if someone sat for a month hacking away, then it would screw them up, but is this really a valid scenario ?)
>
> Please note, I'm not trying to defend a bad practice here. And I know why "H@jr34" is more secure than "ILoveGermany". I just want to clarify for myself, why do so many security experts say it's a good idea to change your passwords often ?
>
> -chronodekar

Yes, brute forcing a password can take a while. Change it once in a while and it's more work for the brute forcer. Nothing like trying to crack a password for a month only to have it changed on you.

Often is a bad word here. It's too vague. How often is "often?" Force password changes too "often" and you'll have issues. Not change it "often" enough and you could have other issues.

Really, I think it all comes down to how important the information on the other side of that password is.
If it is CRITICAL, change frequently and get a second or third factor. RSA keyfobs are neat, part of my password changes every 60s.
If it's ANANDTECH, don't bother.
 

Cogman

Lifer
Sep 19, 2000
10,278
126
106
Too frequent and it voids any benefit, however, once every 6-12 months is a good thing. It keeps data safe from fired employees etc. by refreshing the passwords every so often. But doing it too often makes people be less secure with their passwords (Post-it note with the password on it, using less secure passwords, etc.).
 

daishi5

Golden Member
Feb 17, 2005
1,196
0
76
If your password is at any time compromised, the next time you change it your account ceases to be compromised. Password changes are not a form of prevention, but more a form of automated correction.
 

daishi5

Golden Member
Feb 17, 2005
1,196
0
76
Oh, I just came up with an example. We have a vendor, who supplies us with a very major part of our operation, their passwords on the system do not change, and we cannot change them because of insufficient documentation. All of their passwords, including the big super duper ones are now on the internet in a list that I can find myself on google with a very easy search.

If we could enforce our password change policy on those accounts that would not be a problem, but because those passwords cannot change, we have a huge headache.
 

tzdk

Member
May 30, 2009
152
0
0
You will find it hard to change much if an intruder has already been there. Not your account any more. And if he got it from installed/running software of some kind nothing is ceased. Full diagnostics/removal of problem which for many means format c: is cure. I think services like Google and MS/Live ID offer a chance to reclaim an account though. Not sure how that works because the one your account can also change the "secret" questions.

https://support.live.com/eform.aspx?productKey=wlidvalidation&ct=eformcs&scrx=1 seems like they are helpful and go beyond secret questions.
 

daishi5

Golden Member
Feb 17, 2005
1,196
0
76
> You will find it hard to change much if an intruder has already been there. Not your account any more. And if he got it from installed/running software of some kind nothing is ceased. Full diagnostics/removal of problem which for many means format c: is cure. I think services like Google and MS/Live ID offer a chance to reclaim an account though. Not sure how that works because the one your account can also change the "secret" questions.
>
> https://support.live.com/eform.aspx?productKey=wlidvalidation&ct=eformcs&scrx=1 seems like they are helpful and go beyond secret questions.

Not all accounts have power. For example, some users have accounts with access to sensitive material, over time those passwords may be exposed to unauthorized people. If the passwords expire, every time they expire all the unauthorized users who knew the old password lose access to items they should not have access to. If the unauthorized users change the password, the authorized user loses access, and then he or she will have her password reset, locking the unauthorized users out.

Changing passwords on a regular basis is more for minimizing the damage from users' credentials being exposed to people who should not have access. It does not do as much to protect the user as it does to protect the system. Just having passwords expire is not enough to secure a system but it is helpful as part of a plan to secure a system.
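
The "automated correction" argument from the posts above, worked through as an added example (not part of any post in this thread): for a credential exposure on a known date, it computes how long each exposed password stays usable under an expiry policy versus an account that never expires, as in the vendor case. The account names, dates and the `max_age_days` field are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Account:
    name: str
    last_changed: date
    max_age_days: Optional[int]  # None = password never expires (hypothetical field)

def valid_until(acct: Account, exposed_on: date) -> Optional[date]:
    """Date the exposed password stops working, or None if nothing forces a change."""
    if acct.last_changed > exposed_on:
        return acct.last_changed              # already rotated after the exposure
    if acct.max_age_days is None:
        return None                           # no expiry: stays valid indefinitely
    forced = acct.last_changed + timedelta(days=acct.max_age_days)
    return max(forced, exposed_on)

def audit(accounts, exposed_on: date, today: date):
    """Per account: days the exposed password has been usable, and whether it still is."""
    report = {}
    for acct in accounts:
        end = valid_until(acct, exposed_on)
        still_valid = end is None or end > today
        window_end = today if still_valid else end
        report[acct.name] = {
            "exposure_days": (window_end - exposed_on).days,
            "still_valid": still_valid,
        }
    return report

# Constructed sample inventory and dates.
EXPOSED_ON = date(2010, 1, 10)
TODAY = date(2010, 3, 1)
ACCOUNTS = [
    Account("staff-jdoe", date(2009, 11, 15), 90),    # expiry forces a change on 2010-02-13
    Account("staff-asmith", date(2010, 1, 20), 90),   # changed 10 days after exposure
    Account("vendor-admin", date(2006, 5, 1), None),  # cannot be changed, never expires
]

if __name__ == "__main__":
    for name, row in audit(ACCOUNTS, EXPOSED_ON, TODAY).items():
        state = "STILL VALID" if row["still_valid"] else "closed"
        print(f"{name:14} exposed for {row['exposure_days']:3} days  [{state}]")
```

With expiry the exposure window is bounded by the policy interval even if nobody notices the leak; the non-expiring account stays open until someone intervenes.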
 