Slashdot Mirror


How Often Should You Change Your Password?

jhigh writes "Bruce Schneier asks the question, how often should you change your password? 'The primary reason to give an authentication credential — not just a password, but any authentication credential — an expiration date is to limit the amount of time a lost, stolen, or forged credential can be used by someone else. If a membership card expires after a year, then if someone steals that card he can at most get a year's worth of benefit out of it. After that, it's useless.' Another reason could be to limit the amount of time an attacker has to crack the password, but Bruce's analysis seems on target."

233 comments

  1. To Change or Not To Change by WrongSizeGlass · · Score: 3, Insightful

    You can change your password as often as you like, but if you don't use a strong password then you're always going to be at risk of a brute force hack or be a victim of the 'over the shoulder' spy.

    1. Re:To Change or Not To Change by Rob+the+Bold · · Score: 4, Interesting

      You can change your password as often as you like, but if you don't use a strong password then you're always going to be at risk of a brute force hack or be a victim of the 'over the shoulder' spy.

      A brute force attack shouldn't be that much of a concern with a login password, assuming that the system limits how often and how many times the brute force attack can retry. And presumably, the system would notify the account holder or administrator (or both) as to the unusual number of failed attempts.

      Now if you're trying to brute force an intercepted message, that would be different. You'd have as many attempts as you could afford to crack it and all the time in the world to do it. At least until the data contained in the message was no longer useful to know.

      I suppose that a password that was "strong" in the sense of "hard to memorize quickly" would be helpful against the "over the shoulder" attack.

      --
      I am not a crackpot.
    2. Re:To Change or Not To Change by leuk_he · · Score: 3, Insightful

Make the requirement too complicated and users will work around it.
1 - Put it on a yellow memo under the keyboard (YES YOU!!!)
2 - Take a complicated password.... and add an increment before or after it every time you have to change. (If you have an automated policy against this, see 1.)

      PS.. greetings from mordoc the information preventer in 1998

    3. Re:To Change or Not To Change by Idarubicin · · Score: 1

      You can change your password as often as you like, but if you don't use a strong password then you're always going to be at risk of a brute force hack or be a victim of the 'over the shoulder' spy.

      I'll grant you the over-the-shoulder issue, though except for extremely dedicated watchers that is easily defeated by trivial modification. The canonical "password" falls to the shoulder surfer, but "pasSword" or "pasword" or "password." or even "psword" are going to be missed. (A keylogger gets them all, of course, but that's also going to get genuinely 'strong' passwords.) Meanwhile, brute-force attacks are of concern for encrypted documents and the like (where you can take an unlimited number of attempts) but are nearly useless against things like account logins which will lock you out after three to five failed attempts.

      --
      ~Idarubicin
    4. Re:To Change or Not To Change by WrongSizeGlass · · Score: 1

      I give my clients a simple process to create 'strong' passwords out of normal words or phrases (preferably 10+ chars) that makes them easy to remember. It's not foolproof but it does give them a much better chance against the "123456" password mentality.

    5. Re:To Change or Not To Change by Rob+the+Bold · · Score: 1

2 - Take a complicated password.... and add an increment before or after it every time you have to change. (If you have an automated policy against this, see 1.)

My bank makes me change passwords every 6 months, and has the "complicated" requirement. Any password that passes the "complicated" test is almost certainly difficult to remember. After quite a few tries, I finally came up with something that I could remember -- and my wife too -- and that the system would accept. Whew.

Fast forward six months and I find out about the "must change" rule. I managed to get myself locked out during the process of trying to find another suitable password and had to call tech support. I complained at the time about the 6 month rule. "Oh, that's no problem," said the nice lady at the help desk. "Just do what I do and add a '1' at the end!"

      --
      I am not a crackpot.
    6. Re:To Change or Not To Change by HungryHobo · · Score: 3, Interesting

      "strong" is all about cracking hashed passwords.

      a very common attack is where the attacker gets hold of the hashed passwords one way or another.

even a single *weird* character can defeat that, learn a code for some unusual unicode character and include it and then you don't have to worry too much about that attack because the search space is massive.

      any 8 character all lowercase can be cracked overnight.
      8 character lowercase + numbers can be cracked in a reasonable time assuming people only use it weakly like only putting 1 number in at the end.

      Example: passwor9

      same thing with having an uppercase character but only as the first character in the password.

      Example: Passwor9

      using dictionary words in any language makes it trivial and reasonable assuming your only uppercase is at the start and only lowercase is at the end.

      Example: Trustno1

      these substitutions in the middle of a password also only add a small bit of strength, they're not worth much.
      7 for T
      0 for O
      5 for S

      Example: Tru57no1

      Strength is all about how hard it is to crack when given a hash of it.

    7. Re:To Change or Not To Change by SQLGuru · · Score: 1

      Most automated policies fail if the sequence is located in the middle of your password.

      pass1word
      pass2word
      pass3word
      etc.

      It's because they just check the hash and the middle digits affect the hash in an "unexpected" manner.

    8. Re:To Change or Not To Change by HungryHobo · · Score: 1

      like account logins

      assume an attacker will get the list of hashed passwords because it's a very common way of getting into accounts.

    9. Re:To Change or Not To Change by windcask · · Score: 2

      any 8 character all lowercase can be cracked overnight.

      What are you using, a 386? Anybody using a GPU-enabled instance of hashcat can break that in seconds.

    10. Re:To Change or Not To Change by knarfling · · Score: 1

Make the requirement too complicated and users will work around it.

      PS.. greetings from mordoc the information preventer in 1998

      Not if you make it complicated enough. Force them to use a different doodle or a different squirrel noise each time that can't be written down, and you get rid of the yellow sticky note issue. And in 1998 they had no real comprehension of how to prevent access to useful systems. Take a look at an updated Dilbert from 2005 for how to really prevent stolen passwords as well as how to prevent access.

      --
      Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
    11. Re:To Change or Not To Change by TheRaven64 · · Score: 1

      On most *NIX systems, the hashes are stored in a shadow password file, which only root can view. If the attacker is already in the system with root access, there are much easier ways of getting access to your account than decrypting your password.

      --
      I am TheRaven on Soylent News
    12. Re:To Change or Not To Change by Lumpy · · Score: 3, Interesting

      Fail.

Most rainbow tables already have those common words written like that. Just because you discovered L33t speak does not mean the cracking tables are already set up to crack those.

Better solution is 2 words with special characters.

Fred-Stinks87
2Fun4You!
This-IS_My&Password

work far better and can't be added to rainbow tables easily.

Passwords are stupid and easy to crack with tricks because nobody uses AFSDWER$fq34agfre as a password. PASS PHRASES are far stronger and super easy to remember. Use at least 2 words with special characters and you are already 800X better off than everyone else.

      --
      Do not look at laser with remaining good eye.
    13. Re:To Change or Not To Change by Lumpy · · Score: 1

      Most of those systems have an epic fail in them.

Forced password change has to be complex and meet rules.
Manual password change has fewer rules.

      I usually do their dance, log in and change my password back to my 40 char password that I have used for 4 years. Works like a charm.

      How about your bank stop being cheap about your security and allow you to use a verisign dongle?

      --
      Do not look at laser with remaining good eye.
    14. Re:To Change or Not To Change by poetmatt · · Score: 3, Interesting

      you're correct that a lot of measures such as substituting letters for numbers don't do much.

      if you want to make it more difficult, add length to a password along with the password. Gizmodo or some gawker site talked about this once and it's a great password concept.

      Example password for everything : Anon4321

      add to it the website you're on, so sdAnon4321 or slashdotAnon4321. or twitter becomes tAnon4321

      etc. you can choose what your variable is for each website, so to speak, and it's still a simple concept for people since they keep remembering the same password.

      That way you can apply that same concept if you rotate your passwords too and it would modify them all but keep the consistency.

    15. Re:To Change or Not To Change by Anonymous Coward · · Score: 0

      Failure of imagination:

      Consider an "online store", which stores credentials in a "database". The database does not run as root. The attacker probably wants to steal your credentials -- not so they can log in to the online store, but so that they can use your password and credit card details on ebay.

    16. Re:To Change or Not To Change by .sig · · Score: 4, Funny

      nobody uses AFSDWER$fq34agfre as a password

      Great, now I've got to go change all my passwords...

      --
      -Space for rent
    17. Re:To Change or Not To Change by pilgrim23 · · Score: 1

ISP: "Your password should be at least 8 characters and include at least one special character and one number." Online Service: "Your password should be 6 to 8 characters and include at least 1 number, no special characters." Next Online Service: "Your password must begin with a number and be at least 16 characters," and so on. Consistency may be the hobgoblin of small minds but it WOULD be nice once in a while...

      --
      - Minutus cantorum, minutus balorum, minutus carborata descendum pantorum.
    18. Re:To Change or Not To Change by Sigma+7 · · Score: 1

      If your hash algorithm can be cracked within seconds, then it's too weak. Either increase the number of rounds (alternating with the username and password on each round), or change to a slower algorithm.

      If you get the hash calculation time to 1 millisecond and place it against a computer that has 10000 cpu-core equivalent, then it takes 6 hours to guarantee a crack, or 61 days if the user included capital letters.

    19. Re:To Change or Not To Change by Anonymous Coward · · Score: 0

      Then you get to the point where you don't even bother to try to remember your password. You just start each session clicking on the "forgot password" button, you enter your mother's maiden name, they email you a new password and you log in with that.

    20. Re:To Change or Not To Change by arobatino · · Score: 1

      > A brute force attack shouldn't be that much of a concern with a login password, assuming that the system limits how often and how many times the brute force attack can retry.

      Assuming the system doesn't get hacked into and the password hashes grabbed. This happened to me with PayPal in 2002. My password was strong against a handful of random guesses, but not a dictionary attack. Now I use a password manager and a different strong random password for each site.

    21. Re:To Change or Not To Change by aliquis · · Score: 1

even a single *weird* character can defeat that,

      Short answer: No.

      I hate it when people recommend using weird passwords with numbers, special characters, first letter of various words and what not.

      Use a fucking sentence. Much easier to remember, a hell of a lot of variation even if you don't mix anything in and if you do the better, but how would the brute-force attacker know in the first place?

      OMG what shall I use as password? = (2*26+4)^33 = 4.9 × 10^57 (4 for ,.!?)

      do6&3(dNu(/ = advanced, but (2*26+10+20)^11 = 1.1 × 10^21

      I doubt people would use as many special characters as 20, but I just picked a number. The point goes through quite well anyway.

      And which of those passwords are the easiest to remember?
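
The arithmetic in comments 18 and 21 above, worked through as an added example (this is not code from the thread or from Schneier's article): keyspace and worst-case exhaustive-search time for the character classes the posters count, at comment 18's assumed 1 ms per hash on 10000 cores. It also goes beyond the thread by adding a word-level keyspace for the sentence, since 56^33 assumes every character is uniformly random, which an attacker guessing words rather than characters does not have to assume; the 10,000-word vocabulary and 7-word length are constructed assumptions.

```python
import math

# Character-class sizes behind the thread's arithmetic.
LOWER, UPPER, DIGITS = 26, 26, 10
SENTENCE_PUNCT = 4      # comment 21 counts four marks: , . ! ?
ASSUMED_SYMBOLS = 20    # comment 21's guess at the symbol count for a random string


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct strings of `length` characters drawn uniformly from `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Bits of entropy of one choice made uniformly from `space` candidates."""
    return math.log2(space)


def phrase_keyspace(vocab_size: int, words: int) -> int:
    """Keyspace of a passphrase of `words` words chosen uniformly from a vocabulary.

    A sentence is not 33 random characters: an attacker who guesses words instead
    of characters faces this (much smaller) space rather than keyspace(56, 33).
    """
    return vocab_size ** words


def exhaustive_search_seconds(space: int, hash_seconds: float, cores: int) -> float:
    """Worst-case time to try every candidate when one guess costs `hash_seconds`
    on one core and `cores` cores guess in parallel (comment 18's model)."""
    return space * hash_seconds / cores


def thread_figures(hash_seconds: float = 1e-3, cores: int = 10_000) -> dict:
    """Reproduce the figures quoted in comments 18 and 21 from the functions above."""
    lower8 = keyspace(LOWER, 8)
    mixed8 = keyspace(LOWER + UPPER, 8)
    return {
        # comment 18: ~6 hours for 8 lowercase, ~61 days with capitals
        "lower8_hours": exhaustive_search_seconds(lower8, hash_seconds, cores) / 3600,
        "mixed8_days": exhaustive_search_seconds(mixed8, hash_seconds, cores) / 86400,
        # comment 21: (2*26+4)^33 for the sentence vs (2*26+10+20)^11 for the random string
        "sentence33": keyspace(LOWER + UPPER + SENTENCE_PUNCT, 33),
        "random11": keyspace(LOWER + UPPER + DIGITS + ASSUMED_SYMBOLS, 11),
        # word-level view of a 7-word sentence over a constructed 10,000-word vocabulary
        "phrase7_words": phrase_keyspace(10_000, 7),
    }


if __name__ == "__main__":
    for name, value in thread_figures().items():
        print(f"{name}: {value:.3g} (~{entropy_bits(value):.0f} bits if taken as a keyspace)")
```

Even the word-level count (10^28) stays far above the 11-character random string's 10^21, which is the substance of comment 21's point; the raw 56^33 figure overstates it.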

    22. Re:To Change or Not To Change by Bengie · · Score: 1

      Rainbow tables don't work against a salted hash. I should hope everyone salts their hashes.. and it makes them taste better.

    23. Re:To Change or Not To Change by mujadaddy · · Score: 1

      Actually, the way I remember the article, it would've been something like "AnonSlashdot4321" and "AnonTwitter4321".

      --
      Populus vult decipi, ergo decipiatur...
      "Force shits upon Reason's back." - Poor Richard's Almanac
    24. Re:To Change or Not To Change by aliquis · · Score: 1

      Hush, he's a security expert.

      "Example: Tru57no1" = über ninja strength, recommended by NASA! Seen on TV!

    25. Re:To Change or Not To Change by aliquis · · Score: 1

      Or well, a hungry hobo I see. Makes sense :D

    26. Re:To Change or Not To Change by inode_buddha · · Score: 2, Interesting

You can get far stronger passwords (actually like a one-time pad) in a very simple way: pipe a bunch of /dev/random through uuencode, and pick a few strings from the output of that. The uuencode program is *designed* to make binary gibberish "human-readable" so that it can be saved as plain ASCII. My box uses blowfish to then encrypt (and shadow) the resulting string of randomness from the uuencode. Basically it's a poor man's password gen - the strings can contain *any* character, including punctuation and oddball symbols. The length of the word is up to you. I saved this whole deal into a few lines of shell script.

      --
      C|N>K
    27. Re:To Change or Not To Change by aliquis · · Score: 1

      I give my clients a simple process to create 'strong' passwords out of normal words or phrases (preferably 10+ chars) that makes them easy to remember.

And it probably still sucks.
      See: http://it.slashdot.org/comments.pl?sid=1864202&cid=34198438

      Heck, if brute forced their fucking name would be better than most passwords any stupid scheme could come up with.

That may not be the best idea for other reasons, so maybe take someone else's name =P

      "Homer", no. :D

      Force people to use 15-20+ characters and they will come up with something easy to remember _AND_ effective.

    28. Re:To Change or Not To Change by aliquis · · Score: 1

      Assuming you just mean data of the account and not sniffing for account logins those two aren't necessarily comparable.

      Your password may lock up loads of other data sources. Your (non e-mail) data may not.

    29. Re:To Change or Not To Change by nabsltd · · Score: 2, Interesting

Passwords are stupid and easy to crack with tricks because nobody uses AFSDWER$fq34agfre as a password. PASS PHRASES are far stronger and super easy to remember. Use at least 2 words with special characters and you are already 800X better off than everyone else.

      Great advice...can you please force banks, etc., to allow such passwords?

      Example 1: I recently signed up to be able to pay my car payment online, and the requirements were that both the username and password be at least 8 characters long but no longer than 12 characters, have at least one letter and one number, with no non-alphanumeric allowed. Although you could use mixed case, it was not a requirement.

      Example 2: A set of integrated systems at a client use Active Directory as a single sign-on to authenticate. The AD password requires at least one of lower, upper, number, and symbols, and must be at least 8 characters long. But, because some of the systems that use AD to validate the authentication are broken, you can't use a password of more than 8 characters, and some of the input systems don't allow every special character to be typed, so you definitely can't use Unicode characters.

    30. Re:To Change or Not To Change by bondsbw · · Score: 1

      At work, I have to use a system that not only forces you to change a password every 90 days, but you cannot change it more than once every 15 days. And of course it's difficult to get in touch with the IT admin, so if it gets lost or stolen, I have little recourse for several days.

      Then there's banks... where everyone else requires special characters, they don't allow any special characters... argh...

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    31. Re:To Change or Not To Change by HungryHobo · · Score: 1

      If you've pre-computed the hashes then sure but I was talking about doing it with no precomputation.

    32. Re:To Change or Not To Change by BrokenHalo · · Score: 1

      I never really bothered to fully learn to use leet-speak, since I'm too old for it. But a bit of substitution in combination with an appropriate and memorable bit of poetry can be a pretty good way of constructing a fairly impenetrable password that doesn't require external keychains to keep track of it. A trivial example:

      A fly can't bird, but a bird can fly.

      -> A fly (4n'7 bird, but a bird (4an'7 fly.

      A virtual beer to anyone who gets the reference, but unless someone has the resources to construct a database of every poem known to man and selectively translate keystrokes to 1337 notation, your password is in this case not ideally safe, but close.

    33. Re:To Change or Not To Change by HungryHobo · · Score: 1

      that was supposed to be an example of an awful password.
My point was that these are the kinds of things people use to meet the uppercase, lowercase and numbers requirements and they're terrible and easily cracked.

    34. Re:To Change or Not To Change by HungryHobo · · Score: 4, Interesting

      many people can't type 8 characters with more than 50:50 accuracy without being able to see the output.

when I worked in student IT people thought I was really really good at fixing students' problems with the wireless but the entire secret was that I simply made them check their password on the lab machines then type it slowly and carefully on their laptop.
      They would have seen right through me if it gave more sensible errors when the password was wrong.

      Asking many people to type a long sentence without being able to see it and without typos is a tall order.

    35. Re:To Change or Not To Change by Anonymous Coward · · Score: 0

      You can change your password as often as you like, but if you don't use a strong password then you're always going to be at risk of a brute force hack or be a victim of the 'over the shoulder' spy.

      +1. I had a student at my school just yesterday who was unable to login to our college online course system. Come to find out, he had left his password as his 6-digit *birthdate* since the beginning of the semester! I'm not sure who to be more upset at, an IT squad that issues easily googled info for a default password, or the guy who thinks such information should *remain* the password indefinitely!

    36. Re:To Change or Not To Change by SnarfQuest · · Score: 1

      Changing your password won't really help you with brute force password attacks.

      1. The attack happens over a short period of time, and unless you have a very short change cycle, it won't help during an attack.
2. Changing your password between attacks just gives them a second chance. If they couldn't guess your first password, maybe they can guess your new one.
      3. This also depends on whatever brute force protection is built into your system.
4. If you have an over-the-shoulder spy problem, then you should improve your typing environment or your coworkers.

      Maybe instead of '*'s displayed as you type in a password, you should display letters from a random word instead. That would give such over-the-shoulder people something stupid to look at, instead of your fingers.

      --
      Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
    37. Re:To Change or Not To Change by SnarfQuest · · Score: 2, Informative

      a very common attack is where the attacker gets hold of the hashed passwords one way or another.

A system shouldn't make this easily available. The password file really should be hard to get. Besides giving you the hashed passwords, it also gives you a list of valid user names. Having to guess both the user names and the passwords makes breaking into a system much harder.

      --
      Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
    38. Re:To Change or Not To Change by Anonymous Coward · · Score: 0

      Ah, sorry, lacking reading comprehension or something then :) (really didn't read all in the first place =P, sorry :))

      And point taken for hard to type long passwords without seeing what you type. Seem to work fine for me though =P

    39. Re:To Change or Not To Change by nigelo · · Score: 1

      Orwell was a hungry hobo?

      Now THAT makes sense!

      --
      *Still* negative function...
    40. Re:To Change or Not To Change by nigelo · · Score: 1

      Oh, I get it; it's like:

      - What's the difference between a buffalo and a bison?

      - You can't wash your hands in a buffalo.

      --
      *Still* negative function...
    41. Re:To Change or Not To Change by Anonymous Coward · · Score: 0

And they said I was silly to use romanized Japanese words, numbers and symbols typed in QWERTY as though it were Dvorak. Who's laughing now?

    42. Re:To Change or Not To Change by Anonymous Coward · · Score: 1, Interesting

      Even if the attacker is not able to get a hashed version of your password, brute forcing might still be an issue. If the attacker does not try to attack a particular person, it does not really matter for him if he tries a million passwords on a single user or one password on a million of users. If the attacker is using a bot net, it is probably not quite easy to detect such an attack.

    43. Re:To Change or Not To Change by dkf · · Score: 1

      Great advice...can you please force banks, etc., to allow such passwords?

      Example 1: I recently signed up to be able to pay my car payment online, and the requirements were that both the username and password be at least 8 characters long but no longer than 12 characters, have at least one letter and one number, with no non-alphanumeric allowed. Although you could use mixed case, it was not a requirement.

      Example 2: A set of integrated systems at a client use Active Directory as a single sign-on to authenticate. The AD password requires at least one of lower, upper, number, and symbols, and must be at least 8 characters long. But, because some of the systems that use AD to validate the authentication are broken, you can't use a password of more than 8 characters, and some of the input systems don't allow every special character to be typed, so you definitely can't use Unicode characters.

      I've also encountered single-sign-on systems that didn't permit different cases, or rather would normalize the case of your password for you... sometimes, but not always. All lower was the only way to make it work reliably, and boy! did it take a lot of effort on our part to find out just how broken it was. (Yes, it was a very stupid system, and I hope its authors have bad cases of haemorrhoids for a few years as compensation.)

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    44. Re:To Change or Not To Change by dkf · · Score: 1

      A brute force attack shouldn't be that much of a concern with a login password, assuming that the system limits how often and how many times the brute force attack can retry.

      That makes you very vulnerable to denial-of-service attacks. Hmm...

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    45. Re:To Change or Not To Change by definate · · Score: 1

I use passwords like that. I use LastPass to manage and sync my passwords. Then I just need to remember my master password, and make sure that's reasonably secure.

      Here's an example...
      U5j7!9OYot%p

      Given the site is able to accept passwords with those characters, it works well. For systems where I can't auto-populate, I might limit the complexity, or generate a few, till I get something that's not too hard to type, then keep my iPhone on me, and then I've always got all these passwords handy.

      It's the best password management solution, which has DRAMATICALLY increased the quality of my security.

      --
      This is my footer. There are many like it, but this one is mine.
    46. Re:To Change or Not To Change by poetmatt · · Score: 1

      yeah, I think that works too. I'm not sure if either is a better approach as opposed to just different.

    47. Re:To Change or Not To Change by Anonymous Coward · · Score: 0

      I've always liked the initial letters of a phrase. For example "IALTILOAP". It gives something mnemonic, but also non-dictionary.

    48. Re:To Change or Not To Change by DMUTPeregrine · · Score: 1

      I have some rather important passwords and private encryption keys (for my GPG certs, banking, etc) stored in keepass. I have a 40 character random password, from the set of all ASCII printable characters. Took about a month to memorize it, using it every day. It has 262.18 bits of entropy, thus ensuring that anyone trying to brute force the password may as well just brute force the encryption key to the file itself.

      This is paranoid overkill. On the other hand I know my password isn't going to be the weak link in my security.

      --
      Not a sentence!
    49. Re:To Change or Not To Change by Anonymous Coward · · Score: 0

      Every good system should store password hashes with a salt, which makes rainbow table attacks very impractical.

      Not to say it's not good to use pass phrases as you suggested, but most of my passwords do consist of 8-10 pseudo-random characters. It is not that difficult to remember once you get past the first few days.

    50. Re:To Change or Not To Change by xtracto · · Score: 1

      A good encryption system should add a salt to the passwords so that even getting the hashes makes it difficult to brute-force the password :)

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
    51. Re:To Change or Not To Change by HungryHobo · · Score: 1

A salt defeats precomputation attacks.
If the password is weak, however, it doesn't prevent brute forcing the password.
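
The point made in comments 22, 49, 50 and 51 (a salt defeats precomputed tables but not guessing of a weak password) and comment 18's advice to add rounds, as an added example that is not code from the thread: a constructed five-entry "precomputed table" of unsalted SHA-256 digests reverses a thread password like Tru57no1 instantly, while the same password stored with a per-user random salt and PBKDF2 rounds yields a digest the table cannot look up. The round count and the table contents are assumptions for illustration.

```python
import hashlib
import os
import secrets

# Constructed sample data (not from the thread): a tiny stand-in for a rainbow
# table, mapping unsalted SHA-256 digests of common passwords back to plaintext.
COMMON_PASSWORDS = ["password", "Passwor9", "Trustno1", "Tru57no1", "123456"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def hash_unsalted(password: str) -> str:
    """One round of SHA-256 with no salt: identical passwords give identical digests,
    so a digest computed once (by anyone) identifies every user who chose it."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_precomputed(digest_hex: str):
    """Table lookup: returns the password if the digest was precomputed, else None."""
    return PRECOMPUTED.get(digest_hex)


def hash_salted(password: str, salt: bytes, rounds: int) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256. The salt makes precomputation useless
    (the table would have to be rebuilt per salt); the rounds multiply the cost
    of every guess, which is what comment 18 means by adding rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def new_record(password: str, rounds: int = 100_000) -> dict:
    """Store a password the way a sensible system would: random salt, rounds, digest."""
    salt = os.urandom(16)
    return {"salt": salt, "rounds": rounds, "digest": hash_salted(password, salt, rounds)}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and rounds; constant-time compare avoids a timing leak."""
    digest = hash_salted(candidate, record["salt"], record["rounds"])
    return secrets.compare_digest(digest, record["digest"])


def salted_digests_differ(password: str, rounds: int = 1_000) -> bool:
    """Two users with the same password get different digests, so neither a
    precomputed table nor one cracked digest transfers to the other account."""
    a, b = new_record(password, rounds), new_record(password, rounds)
    return a["digest"] != b["digest"]


if __name__ == "__main__":
    weak = "Tru57no1"
    print("unsalted lookup:", lookup_precomputed(hash_unsalted(weak)))   # Tru57no1
    rec = new_record(weak, rounds=1_000)
    print("salted lookup:  ", lookup_precomputed(rec["digest"].hex()))  # None
    print("verify correct: ", verify(rec, weak), "| wrong:", verify(rec, "tru57no1"))
```

The salt only removes the table shortcut: a weak password in a salted record is still found by trying candidates one at a time against that record, which is why the rounds and the password's own strength still matter.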

    52. Re:To Change or Not To Change by monkyyy · · Score: 1

i really hate the no special chars
if u used a "" as your entire password
most people would try 16 letters and numbers (if u salt hashes this person must hate u)
before thinking "maybe this person knows to hold down alt + some random number to get to the extremely rare chars"

      --
      warning pointless sig
    53. Re:To Change or Not To Change by monkyyy · · Score: 1

      -__- the alt+1 char doesn't show up huh?

      --
      warning pointless sig
    54. Re:To Change or Not To Change by Tordre · · Score: 1

But also forcing people to use more "weird" characters is just asking them to do something stupid like have the password on the screen in post-it note form, whereas with a passphrase sure you may fail a few times but at least a normal person would be able to remember it in seconds as opposed to "23;w5f9s".

      I am also a firm believer of passphrases and have been using them on everything that does not have an upper-bounds on password length.

  2. thanks for the advice! by Anonymous Coward · · Score: 0

    I just changed mine to 54321a

    They'll never hack me now!!!!!!!!!!!!!!!!1111111111111111oneone

    1. Re:thanks for the advice! by Anonymous Coward · · Score: 0

      Looks like you were wrong. Thanks for the login, dumbass! ;)

  3. As often as is convenient for the user. by chemicaldave · · Score: 2, Interesting

It depends on the user's preference, how secure the application is, and most importantly how secure the password is. A sufficiently strong password will have a minimum to how often it should be changed to protect from passwords being leaked (although this shouldn't be much of a problem either if passwords weren't stored in plaintext or easy to decrypt ciphers).

    1. Re:As often as is convenient for the user. by Bert64 · · Score: 1

      The problem is that the user often has no idea how a given application will be storing their password...
      It's not uncommon for webapps to store passwords in plain text for instance...
      Quite often you get weak hashing, for instance a single round of MD5 with no salt, or passwords stored using reversible algorithms...

      Then you have the windows hashing scheme, where you can authenticate using the hash without needing to crack it at all.

      With online apps, sometimes you can tell they're storing the passwords in plaintext or reversible forms because the password recovery option will actually send you your original password, something which would not be possible with a sensible one way hashing algorithm.

People also reuse passwords in multiple places, so it's all well and good one site storing your pass using salted SHA512, but if you use the same pass on a site which stores it in plaintext you're still very much at risk.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    2. Re:As often as is convenient for the user. by Anonymous Coward · · Score: 0

      There's a formula I came up with 5 secs. ago:

      time_between_password_changes = 1/ (popularity_index + importance_of_system)

      If you're very popular or you handle very important equipment, you better have a very good password, and change it periodically. If not, the likelihood of being attacked is lower and perhaps you don't need to change your passwords that often.

  4. What's the point? by fieldstone · · Score: 1, Informative

    If someone steals your password, as I learned when my gmail account was hacked, the first thing they're going to do if they know anything is change both your password and your security questions. The only way changing your password will help is if the person who's stolen it is too dumb to do this, and that seems unlikely.

    1. Re:What's the point? by clang_jangle · · Score: 2, Insightful

      So IOW since preventative measures are not adequate 100% of the time for 100% of users, screw it all?

      I don't think so...

      Interestingly enough, not one really tech-savvy person I know has complained of being hacked -- it's always the morons whose username is also their password, or who use "654321", or who insist on allowing the browser to remember their logins for them. For those people you're right, "what's the point?" -- for the rest of us though, such measures generally work pretty well.

      --
      Caveat Utilitor
    2. Re:What's the point? by zn0k · · Score: 4, Insightful

      That isn't always true at all.

      If my goal is to use your GMail account for spam then yes, I will change the password. If my goal is to monitor your emails I most certainly will not change the password, and will just log in every day to read your correspondence.

    3. Re:What's the point? by fieldstone · · Score: 2, Interesting

      Maybe I'm missing something here, but what's the problem with allowing the browser to remember logins for you if you don't ever allow anyone else to use your computer? I'm reasonably sure the way my account was hacked was when I stupidly logged into it on someone else's computer.

    4. Re:What's the point? by fieldstone · · Score: 4, Funny

      Ah. Very good point. I hadn't considered the jealous girlfriend / boyfriend angle.

    5. Re:What's the point? by clang_jangle · · Score: 3, Informative

      Maybe I'm missing something here, but what's the problem with allowing the browser to remember logins for you if you don't ever allow anyone else to use your computer?

      The browser can be hacked; most of them have been at one time or another. Any data stored in the browser can potentially be retrieved by a third party. Personally, I consider memorizing a few passwords and their variants to be effort well-invested.

      I'm reasonably sure the way my account was hacked was when I stupidly logged into it on someone else's computer.

      That's one way it can happen.

      --
      Caveat Utilitor
    6. Re:What's the point? by bmo · · Score: 1

      I ran into one where the username was a name and a number

      The number then became the password.

      "How did they guess the password?" was the question asked of me.

      --
      BMO

    7. Re:What's the point? by Idarubicin · · Score: 3, Insightful

      If my goal is to use your GMail account for spam then yes, I will change the password. If my goal is to monitor your emails I most certainly will not change the password, and will just log in every day to read your correspondence.

      That's an excellent point. Unfortunately, even a regular change-of-password routine means that the malicious party gets a month, or three months, or six months, or what-have-you length of time following your account.

      This is why I am annoyed that so few systems implement the simple precaution of displaying the last date, time, and location from which I (putatively) logged in. At negligible cost, that information would allow me to detect a compromised account at next login, rather than remaining unknowingly insecure until my next password change.

      --
      ~Idarubicin
    8. Re:What's the point? by Idarubicin · · Score: 1

      If my goal is to use your GMail account for spam then yes, I will change the password. If my goal is to monitor your emails I most certainly will not change the password, and will just log in every day to read your correspondence.

      ...Of course, if I'm forced to change my password once per month, the guy reading my email who finds out that "SooperSekrit53" stopped working is going to guess that the new password is "SooperSekrit54".

      --
      ~Idarubicin
    9. Re:What's the point? by TheRaven64 · · Score: 2, Insightful

      The point of changing your password is usually to protect against offline attacks. If it took an average of 6 months of computer time (on the computer that an attacker could reasonably be expected to use) to generate a password from the hash, then changing the password every 3 months means that you probably won't still be using the password by the time someone has cracked it. This is why encrypted protocols periodically renegotiate session keys - so they're not using one for long enough for an attacker to crack it.

      These days, it doesn't make much sense. An attacker that cares enough will buy some time on a botnet to do the cracking. They can either crack the password in a reasonable amount of time, or they can't in hundreds of years. There aren't many cases where they can crack it in 6 months but can't crack it in 3, for example.

      The other reason is to block people intercepting your communications. For example, if a competitor gets your email password, he won't change it, he'll just grab a copy of all of your mail and steal trade secrets. If you change the password periodically, he needs to keep stealing it.

      --
      I am TheRaven on Soylent News
    10. Re:What's the point? by rvw · · Score: 3, Informative

      If my goal is to use your GMail account for spam then yes, I will change the password. If my goal is to monitor your emails I most certainly will not change the password, and will just log in every day to read your correspondence.

      That's an excellent point. Unfortunately, even a regular change-of-password routine means that the malicious party gets a month, or three months, or six months, or what-have-you length of time following your account.

      This is why I am annoyed that so few systems implement the simple precaution of displaying the last date, time, and location from which I (putatively) logged in. At negligible cost, that information would allow me to detect a compromised account at next login, rather than remaining unknowingly insecure until my next password change.

      Gmail displays this information in the footer of the page. However, you must be aware of this, and you have to know what it means, what your IP-address is, etc. I know this info exists, but I almost never look at it to be honest.

    11. Re:What's the point? by muckracer · · Score: 1

      > > the simple precaution of displaying the last date, time, and location from which I (putatively) logged in.

      > Gmail displays this information in the footer of the page.

      Yes, and that's the wrong place for it. New e-mails are on top and if your list is set to 100 (or 200) you'll never have a need to scroll down. It needs to be obvious. Ergo: on top! Google...u listening?

    12. Re:What's the point? by moderatorrater · · Score: 3, Informative

      But TFA did - he mentions how after breaking up with someone you shared a computer with you should change all of your passwords. Almost like Bruce Schneier has had experience with that...

    13. Re:What's the point? by Anonymous Coward · · Score: 0

      The best defence against this isn't to change your password occasionally - it's to read the bit at the bottom of the screen where it tells you "You are currently also logged in from .".

    14. Re:What's the point? by nine-times · · Score: 2, Interesting

      It's not just jealous girlfriends/boyfriends. There's the potential for an attacker to glean personal information or account information on other services. If you get notifications from your bank, they now have some of your banking information. If you do your taxes through TurboTax or something and they email you a copy of your tax return, the attackers could get that too. They also know your friends' names and your family. If you ever send/receive login credentials for any accounts through email, they have those too.

      So it's not hard to imagine that you would have an email in your account saying your bank is citibank and giving you some numbers of your bank account, some email with your SSN, and then an email from your mom which somehow includes her maiden name. For some banks, that's enough information to get access to your accounts.

      Now I doubt that attackers are willing right now to expend the time and effort to read each of your emails individually, but I wouldn't put it past someone to get your email login, download every email you send or receive, and then use data-mining techniques to see what they can gather. Even something as simple as searching for the word "password" might net enough information to make it worthwhile.

    15. Re:What's the point? by xiaix · · Score: 3, Interesting

      If you want to monitor the correspondence without the person knowing you are doing so, changing the answer to the security question (not the question) will allow you to get it much more easily when they change it again, but not leave as much obvious evidence of tampering, hypothetically of course.

      --

      Have you read the Moderator Guidelines yet?

  5. All sounds pretty reasonable by Chrisq · · Score: 2, Interesting

    All sounds pretty reasonable and pretty obvious. I wish someone would tell our security department. They force fortnightly changes, with ten days warning of expiration. That means you either change more than once a week or have the expiration password pop up!

    1. Re:All sounds pretty reasonable by hedwards · · Score: 3, Insightful

      One of the very real problems out there is that it's more or less impossible to have strong passwords that are changed on a regular basis for everything. I've personally got nearly 500 log ins that I use from time to time and even just changing them once every few months takes a really long time.

    2. Re:All sounds pretty reasonable by Anonymous Coward · · Score: 1, Funny

      Just go from password1 to password9 then loop back to password1. If they keep a list of previously used passwords, just keep adding one.

      I'm now at password5842, thanks to our extremely efficient security department!

    3. Re:All sounds pretty reasonable by bennomatic · · Score: 1

      Mine's similar; they require monthly changes with 10 days expiration warning. But here's the rub: we have something like 25 internal systems which are not SSO-enabled, so for that 10 days, I might get the warning a dozen or more times. Nice, huh?

      --
      The CB App. What's your 20?
    4. Re:All sounds pretty reasonable by Anonymous Coward · · Score: 0

      All sounds pretty reasonable and pretty obvious. I wish someone would tell our security department. They force fortnightly changes, with ten days warning of expiration. That means you either change more than once a week or have the expiration password pop up!

      If they're that paranoid, it may be worth getting something like Yubikey for your organization.

      It's not /that/ expensive in bulk, and would probably pay for itself in productivity costs in a very short period of time.

    5. Re:All sounds pretty reasonable by TheCarp · · Score: 5, Insightful

      That is usually what I notice about Schneier. He doesn't really say much that is revolutionary. He pretty much just gives a level headed, common sense, appraisal of the situation. The thing is, what he does sounds absolutely revolutionary against the backdrop of all the people who are fear mongers or design their systems around articles and papers without taking into account their own situation.

      The problem with security is, it always lends itself to imagination. We could sit down, all day, with nearly any complex situation, and dream up attack vectors, scenarios, etc. Since we can imagine all these things, it seems reasonable to devise protection against them. What is less obvious is, that guessing which vector someone will use, and then securing against it, is a never ending game with never ending costs. It isn't useful to spend top dollar to get locks that are hard to pick when an attacker is just going to smash in your window.

      Of course, then you can bar the windows... install heavy duty doors, special locks, cameras, point to point wireless links to move security video off site.... but... is it worth it if all that security equipment costs as much as all the valuables that you wish to protect? What if you live in a place where there hasn't even been a B&E in the past several years?

      Security is risk management. If you are not taking your situation, and especially which scenarios are the most likely, into account, then you are not really managing risk. If your only purpose is to look like you are managing risk, then it is really better to call what you are doing "entertainment".

      -Steve

      --
      "I opened my eyes, and everything went dark again"
    6. Re:All sounds pretty reasonable by Anonymous Coward · · Score: 0

      wOw! that's overboard

    7. Re:All sounds pretty reasonable by houghi · · Score: 2, Insightful

      Security is risk management.

      Indeed it is. Remembering passwords will not protect you against your family held hostage and shot one by one if you give them the wrong or no access at all. Most likely this will not happen to get my email account.

      So there will always be some sort of level at which you say "This is not worth the trouble." and forced changing of passwords WILL make them less secure. All your company security is only as strong as the weakest link, so what you must achieve is not to make the strongest link stronger (ie the nerd who changes his passwords each day) but to make the weakest link stronger (ie the CEO and his secretary who have other things on their mind and will hand out their own password if somebody asks for it, because they need the report NOW!)

      --
      Don't fight for your country, if your country does not fight for you.
  6. Case to case by immakiku · · Score: 1, Insightful

    His argument is only valid for certain cases, where damage done can be spread out over the course of days or weeks. Sometimes the majority of damage/benefit derived can be derived within minutes or hours. Example: access to a victim's email account (to mine contact list or to spam or to impersonate) or access to a bank account, in which a sizable transfer can be done immediately.

    1. Re:Case to case by Anonymous Coward · · Score: 2, Informative

      Bruce makes that same point in the full article, it just wasn't mentioned in the summary. ...yeah yeah, nobody RTFAs :(

    2. Re:Case to case by bennomatic · · Score: 1

      Sorry to be pedantic, but it should be, "yeah yeah, nobody RsTFA"

      --
      The CB App. What's your 20?
    3. Re:Case to case by Anonymous Coward · · Score: 0

      Actually, if you RTFA, you'll see that his argument is very much like yours. He says that MOST cases fall into one of a few groups:

      Immediate damage: e.g. bank account, emptied as soon as the account is hacked. No need to change frequently; you'll notice when the account is hacked.
      Professional snoop: Quiet (you won't notice the hack), but able to put in a backdoor once in. Not really a need to change, the backdoor is in immediately so you're not locking him out.
      Unimportant accounts: If hacked who cares? No need to change frequently.
      Casual snoop: e.g. sibling/spouse/paparazzi. The unprofessional snoop will be foiled by this stuff, so this might be valid for your social network stuff.

      Of the four groups, only one of them is worth changing frequently. The summary is actually really bad as it sums up the point he is countering.

    4. Re:Case to case by Anonymous Coward · · Score: 0

      Example: access to a victim's email account (to impersonate)

      What are you doing on /. if you don't know you do not need a password to impersonate an email address?
      Anybody can log in to any mail server, claim to be barack.obama@whitehouse.gov or cmdrtaco@slashdot.org, and send mail.

    5. Re:Case to case by vux984 · · Score: 1

      To be fair, if you want to -respond- to their replies, having access to their account makes that a lot easier.

    6. Re:Case to case by Anonymous Coward · · Score: 0

      OH Puhleeeease... You are not the least bit sorry to be pedantic. Grow a pair, would ya?

    7. Re:Case to case by Anonymous Coward · · Score: 0

      To out-pedantic you, perhaps he meant that "nobody read [past tense] the fancy articles"

  7. Perfect timing by Monkeedude1212 · · Score: 1

    About 99% of the time it would take to brute force it.

    1. Re:Perfect timing by mrnobo1024 · · Score: 1

      What if the attacker is brute forcing it in a random order? That time could be under a second if he's very lucky.

  8. Whenever you... by digitaldc · · Score: 5, Funny

    ...lose the post-it note on the bottom of your keyboard that you wrote it on, of course.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
    1. Re:Whenever you... by Jazz-Masta · · Score: 1

      ...lose the post-it note on the bottom of your keyboard that you wrote it on, of course.

      Not even. I've had users go through the trash in order to find the post-it note they had on their monitor that fell off when the cleaners went through the office.

      It's also crucial to change passwords (for websites) using the forgot password function whenever they "accidentally" delete their cache/forms/passwords in IE.

    2. Re:Whenever you... by Loosifur · · Score: 1

      Hey! Get off my keyboard, you!

      --
      This unbiased moderation brought to you by the Porcine Aviation Group!
    3. Re:Whenever you... by Anonymous Coward · · Score: 0

      You know I would find this funnier if it wasn't for the fact that where I work I need to change my password every 30 days and I can still not reuse a password that I used 3 years ago. I have run out of passwords I can remember so now they are getting the same password just with a number changed on the end of it each time. It's not that strong of a password but in 3 years I've used all the strong ones I use for everything else.

  9. Why Use a Password? by NavyNasa · · Score: 4, Funny

    Are you hiding something?

    --
    Space Cadet
    1. Re:Why Use a Password? by Kakari · · Score: 1

      Well done sir/ma'am.

    2. Re:Why Use a Password? by Anonymous Coward · · Score: 0

      Why do you wear clothes? Are you hiding something?

      If the guy is a bad-enough-dickhead this argument might actually work :-)

    3. Re:Why Use a Password? by Anonymous Coward · · Score: 0

      Absolutely not! My life is an open book!

      Sincerely,
      AC

  10. This isn't Sam's club by qoncept · · Score: 4, Insightful

    If a membership card expires after a year, then if someone steals that card he can at most get a year's worth of benefit out of it. After that, it's useless."

    Unless, you know, you log in and it prompts you to change the password. Now it's not only useful to the person who stole it, but useless to the person it actually belongs to.

    I personally don't think password changes should be required unless there is a specific reason. Someone hacked your account? Change your password.

    If you have passwords for a couple dozen systems (very easy) and each of them requires you to change your password every 3 months, you're going to start forgetting them. So you don't, you're going to start writing them down or storing them in some way. Or you're going to increment a number in your password, so it's still basically the same. Or you're going to use the same password for slashdot and faceboook.com (see that? it's a spoof site designed to steal passwords) and your bank account.

    --
    Whale
    1. Re:This isn't Sam's club by Rob+the+Bold · · Score: 1, Funny

      If you have passwords for a couple dozen systems (very easy) and each of them requires you to change your password every 3 months, you're going to start forgetting them. So you don't, you're going to start writing them down or storing them in some way. Or you're going to increment a number in your password, so it's still basically the same. Or you're going to use the same password for slashdot and faceboook.com (see that? it's a spoof site designed to steal passwords) and your bank account.

      Thanks, man. I quickly logged in and changed my faceboook and bank passwords. You saved me a great deal of hassle and money!

      --
      I am not a crackpot.
    2. Re:This isn't Sam's club by ducomputergeek · · Score: 1

      Our software forces users to change their password every 90 days and it can't be the same as any of the last 4 passwords. This is due to PA-DSS compliance. Interestingly, one of the top 3 complaints we get: we force users to change their password every 90 days and it can't be the same as the last 4 used.

      --
      "The problem with socialism is eventually you run out of other people's money" - Thatcher.
    3. Re:This isn't Sam's club by Anonymous Coward · · Score: 0

      Statistically and in the real world it's been shown time and time again that keeping your really complex, changes relatively often, never going to remember them in a million years passwords on a post-it note taped to your monitor is FAR more secure than using the same shitty easy-to-guess password everywhere you need one and never changing it.

      Easy passwords take short amounts of time to guess and can be done using a botnet of computers anywhere across the globe, not just at the hacker's house. Keeping it the same means even a virus on a public PC you used once and never touched again has the potential to have your password, and with that, the gateway to gathering more passwords via the information obtained there.

      Getting your post-it note requires, at the very minimum, standing in front of your desk to see it. That's a big security risk.

      Since really, you'd remember your important passwords quickly anyway, and the post-it note would be kept out of plain sight, you've rapidly become FAR more secure by ...

      Writing your passwords down rather than making them so easy it only takes 4 tries to guess.

      You don't need to take my word for it, even Mr Schneier has stated this in the past, just go browse around his website (maybe it's on his company site, can't remember).

      Change them every three months, write them down, store them electronically in an encrypted format with a password you can remember even though you change it often, there's even software specifically designed to do this, and you'll be more secure for doing what some idiot told you was a bad idea because he/she didn't take into account that you're a lazy SOB and won't do the right thing for security.

      Proper password management means you have a unique password for every place you need one, it's sufficiently hard to guess and changed relatively often, and you only keep them in your memory.

      That's hard, and reserved for those with few systems or REALLY REALLY good memories. Not most sysadmins or normal people, that's for sure.

      The practical solution that a lot of 'in the know' people do is let a sheet of paper (you know, that thing made from dead trees) do the job or a software package designed for it, then just worry about remembering how to access that and keep it secure.

      The third, and of course the most common thing people do is to use their birth year appended to their user name or real name, for every site they visit. These people don't count 'cause nothing will get them to care until they've had something serious happen due to being lazy and not caring. You know what though? Not a lot of people care about what they have either, so it's not as important to them. Just gotta watch out for 'ID Theft' whatever that is ...

    4. Re:This isn't Sam's club by Rich0 · · Score: 2, Interesting

      Fortunately crazymonkey1, crazymonkey2, crazymonkey3, and crazymonkey4 are all unique passwords.

      Oh no, I hacked an account with the password crazymonkey28, and the user changed it due to expiration. Gee, I wonder what the new one might be.

      These kinds of aging mechanisms are great for box-checkers, but I don't think they do much to promote real security.

    5. Re:This isn't Sam's club by Cro+Magnon · · Score: 1

      Last 4? One of the systems I used to work on required the password to be different from the last 26! Also, it had an 8 char maximum, which made it harder to find 26 different words.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
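
Rich0's crazymonkey28/crazymonkey29 pattern (and SooperSekrit53/54 earlier in the thread) and the 26-deep history Cro+Magnon describes point at a check a password-change handler can actually perform: at change time the user types both the old and the new password, so the server can reject a new password that is just the old one with the counter bumped, and separately compare the new one against a hashed history. The following is an added example, not code from the thread or from any product; the length and similarity thresholds, the "strip trailing counter" normalization rule and the history record format are all assumptions made here.

```python
import hashlib
import hmac
import os
import re
from typing import List, Tuple

# Assumed policy values for this example.
MIN_LENGTH = 12
MIN_EDIT_DISTANCE = 4
HISTORY_ITERATIONS = 50_000


def make_record(password: str) -> str:
    """Store a previous password as 'salt_hex:digest_hex' (PBKDF2-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, HISTORY_ITERATIONS)
    return f"{salt.hex()}:{digest.hex()}"


def matches_record(password: str, record: str) -> bool:
    """Constant-time check of a candidate password against one history record."""
    salt_hex, digest_hex = record.split(":")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), HISTORY_ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def normalize(password: str) -> str:
    """Assumed rule: lower-case and drop a trailing run of digits/punctuation,
    so crazymonkey28, CrazyMonkey29 and crazymonkey30! all share one stem."""
    return re.sub(r"[0-9!@#$%^&*.?_-]+$", "", password.lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (catches one-letter tweaks)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_new_password(old: str, new: str, history: List[str]) -> Tuple[bool, str]:
    """Decide whether `new` may replace `old`. `history` holds hashed records
    of earlier passwords; the plaintext of `old` is available only because
    the user just typed it into the change form."""
    if len(new) < MIN_LENGTH:
        return False, "too short"
    if new == old:
        return False, "unchanged"
    if normalize(new) == normalize(old):
        return False, "differs from the old password only by case or a trailing counter"
    if edit_distance(old.lower(), new.lower()) < MIN_EDIT_DISTANCE:
        return False, "too similar to the old password"
    if any(matches_record(new, rec) for rec in history):
        return False, "reused a previous password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample history and change attempts.
    history = [make_record("ostrich-violin-47")]
    print(check_new_password("crazymonkey28", "crazymonkey29", history))
    print(check_new_password("crazymonkey28", "ostrich-violin-47", history))
    print(check_new_password("crazymonkey28", "lantern-quartz-mule-9", history))
```

A hash-only history (the "last 4" or "last 26" rule) cannot see that crazymonkey29 is crazymonkey28 plus one, because the hashes are unrelated; only the similarity check at change time catches that, which is why the two checks are separate here.
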
  11. he's at it again by mestar · · Score: 2, Insightful

    Another suggestion from the expert where millions of people will waste time, yet nothing security-wise will be improved.

    1. Re:he's at it again by Anne_Nonymous · · Score: 1

      At least he's not fondling your balls.

    2. Re:he's at it again by Anonymous Coward · · Score: 0

      I didn't know the TSA wrote the article.

    3. Re:he's at it again by monkyyy · · Score: 1

      yet

      --
      warning pointless sig
  12. Let's look at recommended password rules by Drakkenmensch · · Score: 4, Interesting

    Never use the same password in two places

    Always use randomly generated password

    Never same them to browser cookies

    Never write them down so they can't be stolen

    Is it just me or are security experts willingly trying to get us to just forget the twenty to thirty passwords we need to use on a weekly basis?

    1. Re:Let's look at recommended password rules by zippthorne · · Score: 1

      Browser *cookies*???

      Who's saving passwords to browser *cookies*? When your browser prompts you to save your password, it's putting it in an encrypted database file, sometimes using the OS's own key-storage service.

      I only wish that I could hack my browser to ignore sites' settings on password storage so that I could keep all of them in the keychain behind a single, master password that I actually have hope of remembering without post-its.

      --
      Can you be Even More Awesome?!
    2. Re:Let's look at recommended password rules by bmo · · Score: 1

      You didn't read the fine article to the end.

      Never use the same password in two places

      No, he doesn't say that. He even goes on to say to not think too hard about passwords for websites that you don't care about. It all depends on the situation.

      Always use randomly generated password

      He doesn't say that either. He said pick a "good password" which is defined as something not easily guessable. Password policies that are overly restrictive create situations where people create easily guessable passwords (requires numbers? sing a Feist song while you type 1,2,3,4) and password recycling. Bruce has written about this before.

      Never same them to browser cookies

      ITYM "save" instead of "same"

      He didn't say that either.

      Never write them down so they can't be stolen

      Bruce said to write them down or use PasswordSafe or something similar.

      Bruce isn't crazy and a lot of his article was common sense. Don't you feel silly now?

      --
      BMO

    3. Re:Let's look at recommended password rules by somersault · · Score: 1

      "Never write them down" isn't really a problem as long as you keep them somewhere safe, like your wallet. If you wrote down all your credit card details, someone could use it online just as effectively as if they had your actually credit card (though some places also use a "SecureCode" or whatever, in which case not storing your securecode in your wallet would be a nice idea).

      Personally I make my passwords relatively strong, though I do often re-use them and don't like to change very often. I do have some passwords that aren't too strong for accounts that I don't care about that much though. It wouldn't be that big a deal if my Slashdot account were hacked for example, since it's essentially anonymous anyway.

      --
      which is totally what she said
    4. Re:Let's look at recommended password rules by vivek7006 · · Score: 1

      Use firefox or chrome + pwdhash
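
vivek7006's pwdhash suggestion is a per-site derived password: one master secret, keyed with the site's domain, yields a different password for every site without anything to store, and a spoof domain such as the thread's faceboook.com gets a different (and, to the spoofer, useless) password from facebook.com. The block below is an added example in that spirit, not PwdHash's own code or its exact algorithm: it uses HMAC-SHA256 over the registrable domain and a simplified "last two labels" domain rule that is an assumption here and does not handle public suffixes like co.uk.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse

SYMBOLS = "!#%&*+-=?@"   # assumed symbol alphabet for the derived password


def site_key(url: str) -> str:
    """Reduce a URL or bare host to its registrable domain.

    Assumption for this example: 'last two labels' (www.facebook.com ->
    facebook.com). That is wrong for suffixes such as example.co.uk; a real
    implementation would consult the Public Suffix List.
    """
    if "://" not in url:
        url = "https://" + url
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:])


def site_password(master: str, url: str, length: int = 16) -> str:
    """Derive a site-specific password from a master secret and the domain.

    HMAC-SHA256 keyed with the master secret over the domain, rendered as
    base64 for letters and digits, with one digit and one symbol appended
    deterministically so common complexity rules are satisfied. Nothing is
    stored: the same master and domain always reproduce the same password.
    """
    mac = hmac.new(master.encode("utf-8"), site_key(url).encode("utf-8"),
                   hashlib.sha256).digest()
    body = (base64.b64encode(mac).decode("ascii").rstrip("=")
            .replace("+", "x").replace("/", "y"))
    digit = str(mac[-1] % 10)
    symbol = SYMBOLS[mac[-2] % len(SYMBOLS)]
    return body[: length - 2] + digit + symbol


if __name__ == "__main__":
    # Constructed master secret; a real one would be a long passphrase.
    master = "hunter2-but-much-longer-please"
    print(site_password(master, "https://www.facebook.com/login"))
    print(site_password(master, "https://faceboook.com/login"))   # differs
```

The trade-off is that the master secret becomes a single point of failure and cannot be rotated for one site without changing every derived password, which is the same tension the thread raises about password managers.
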

    5. Re:Let's look at recommended password rules by Rich0 · · Score: 1

      Nowhere did he claim that Bruce made these suggestions. They were listed as "recommended password rules" and attributed to "security experts."

      Based on my experience, he is right. Security auditors at work push for all of these sorts of things.

      Bruce is a breath of fresh air in this field, but his perspective rarely becomes the one that most people have to adhere to.

    6. Re:Let's look at recommended password rules by LainTouko · · Score: 1

      Anyone who tells you to follow all those rules simultaneously is not a security expert.

      Expertise means not being ignorant of hugely important aspects of a field, such as cost-benefit analysis, or how users behave.

    7. Re:Let's look at recommended password rules by Daniel+Zappala · · Score: 1

      I have nearly 300 passwords to different web sites, nearly all of which are randomly generated. I save them in a password manager, where they are encrypted. You'll note that at the bottom of his article, Schneier recommends using a program like this. If you Google "password manager" you'll find lots of alternatives.

    8. Re:Let's look at recommended password rules by houghi · · Score: 1

      And not only the passwords. Also the different logins. Most of the time I have no power over the login. I have had First.Last@example.com, FirstLast, FLast, FirstL, Last, First, OwnCompany, RemoteCompany, Department, FTP12345, $Random and many other variations, with or without the addition of numbers.

      --
      Don't fight for your country, if your country does not fight for you.
    9. Re:Let's look at recommended password rules by Drakkenmensch · · Score: 1

      Was that capitalized or not? Was it a period or an underscore? Do I need to add the domain at the start or not?!?

    10. Re:Let's look at recommended password rules by Cro+Magnon · · Score: 1

      Never use the same password in two places

      Always use randomly generated password

      Never same them to browser cookies

      Never write them down so they can't be stolen

      Is it just me or are security experts willingly trying to get us to just forget the twenty to thirty passwords we need to use on a weekly basis?

      If you're using a password generator, how do you ensure that two places don't generate the same pw?

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  13. Just like a toothbrush by mrnick · · Score: 3, Funny

    "Use it regularly, change it frequently, and don't share it with anyone!"

    --

    Encryption: I may not agree with what you say, but I will defend your right to encrypt it...
    1. Re:Just like a toothbrush by Art3x · · Score: 1

      "Use it regularly, change it frequently, and don't share it with anyone!"

      But what if you have to keep track of twelve toothbrushes?

    2. Re:Just like a toothbrush by vivek7006 · · Score: 1

      Just like a condom "Use it regularly, change it frequently, and don't share it with anyone!"

    3. Re:Just like a toothbrush by Anonymous Coward · · Score: 0

      What if the rule included "use different toothbrush for each tooth". Would you follow that rule?

    4. Re:Just like a toothbrush by StikyPad · · Score: 2, Funny

      If you're not sharing your condom with someone, you're using it wrong.

    5. Re:Just like a toothbrush by treeves · · Score: 1

      Or to have a unique toothbrush for each day of the month, and if you use the wrong toothbrush for today's date, you don't get to use your teeth (eat solid food) that day!

      --
      ...the future crusty old bastards are already drinking the Kool-Aid.
    6. Re:Just like a toothbrush by Anonymous Coward · · Score: 0

      Also if you use it more than once, you're using it wrong.

  14. Does it matter? by Anonymous Coward · · Score: 0

    All the passwords do is serve as a minor stumbling block.

    If people are brute-forcing your password, then you have other problems. If your password is exposed somehow, then you have other problems.

    It's like having your house broken into. If they have a crowbar, then they're going to get in if there's nothing to stop them. If they get a wax mold of your key, or that spare key you leave under the doormat, they're going to get in.

    How do you stop them? Security inside, perhaps? Neighbors who keep an eye out for you? Police who patrol the neighborhood?

    The door is just a way to deter the lazy and disinterested.

    Same with passwords.

  15. same difference by Anonymous Coward · · Score: 0

    an expiration date is to limit the amount of time a lost, stolen, or forged credential can be used by someone else

    =

    to limit the amount of time an attacker has to crack the password

  16. Wisdom by Anonymous Coward · · Score: 0

    One of my old sysadmin books used to suggest resetting a password every time someone with access to the account leaves the job, after a major upgrade, whenever a security breach may have occurred or any day when you're not too drunk/hungover to forget the new password.

    1. Re:Wisdom by zippthorne · · Score: 1

      There shouldn't be common passwords to anything anyway. Everyone should have their *own* credentials for access to stuff, so you don't have to inconvenience all the users when just one leaves the job, and so you can implement an access log to help with figuring out who caused problems after the fact.

      --
      Can you be Even More Awesome?!
  17. It's already too often! by Anonymous Coward · · Score: 0

    It's most likely too often! Seriously, I don't understand IT policies with changing your password every 30, 60, etc. days. All it does is force me to come up with very simplistic passwords. I think it's better to come up with a strong password and keep it than to continually change it. As it is, I have at least 20 or more active passwords; to create 20 different passwords every n days is crazy. I don't like using the same password with different systems as the password can be exposed to the system owner, which can be used to gain access to another system. Needless to say, my work passwords are the worst ever... Will someone in IT get a clue? We should be using public/private keys instead of passwords!

  18. Those key fob things should be universal by thomasdz · · Score: 3, Insightful

    Passwords are so 1990. I realize that it requires a little extra work, but those RSA-type key fobs that have the little LCD that displays a new "passcode" every minute should be universal by now... I love those things.
    Banks should issue them to everyone, employers should issue them to everyone...
    C'mon, this technology has been in active use for at least 15 years now... it should be cheap and everyone should use it.

    --
    Karma: Excellent. 15 moderator points expire sometime.
    1. Re:Those key fob things should be universal by swilver · · Score: 4, Insightful

      Yeah... I'd like to have 20 of those lying around instead of having 20 passwords...

    2. Re:Those key fob things should be universal by somersault · · Score: 1

      Are you going to have a different one for every website you visit? It's not just your bank that you have to worry about. Paypal, Amazon and many other places store card details for example.. plus you could even do a lot of damage to someone with just their Facebook or email accounts.

      --
      which is totally what she said
    3. Re:Those key fob things should be universal by RaySt · · Score: 1

      Banks should issue them to everyone, employers should issue them to everyone...

      My bank and employer use those. But guess what, the login site for both requires TWO passwords as well. And my employer's password does change, still.

    4. Re:Those key fob things should be universal by Anonymous Coward · · Score: 2, Interesting

      Cheap? Try $50 each, and that's what a company with 100,000 employees was paying.

    5. Re:Those key fob things should be universal by Anonymous Coward · · Score: 1, Informative

      Passwords are so 1990. I realize that it requires a little extra work, but those RSA-type key fobs that have the little LCD that displays a new "passcode" every minute should be universal by now... I love those things.

      They're not cheap to license, especially from RSA. A good alternative may be Yubikeys.

      Banks should issue them to everyone, employers should issue them to everyone...

      Many have. The criminals have found ways to get around them:

      http://www.schneier.com/blog/archives/2005/03/the_failure_of.html
      http://www.schneier.com/essay-083.html

      They certainly help, but they're no panacea. You also have to introduce mechanisms for when (!) people lose them: if your design depends on their presence, how do people get in without them? A lot more complicated than simply having people call in, answer a bunch of questions, and have it reset (and it being mailed to them perhaps).

    6. Re:Those key fob things should be universal by gurps_npc · · Score: 1

      So should Facebook give you one? And Slashdot? etc. etc. We will always need passwords.

      But we need: 1) More realistic password rules. 2) Consistent password rules (either no one uses symbols like @ or everyone allows them). 3) An understanding that certain things need strong passwords (and personal information to verify), and others things can get by with weak emails - no freakin way should a movie site demand your birthdate before setting up an account.

      --
      excitingthingstodo.blogspot.com
    7. Re:Those key fob things should be universal by Bengie · · Score: 1

      OpenID + dongle = awesome

    8. Re:Those key fob things should be universal by Anonymous Coward · · Score: 0

      A bank that does not use them should not be your bank.

    9. Re:Those key fob things should be universal by Bengie · · Score: 1

      My Blizz authenticator uses an RSA spec commercial grade dongle, and that only costs $6.50

      Uses the exact same open algorithm used by other RSA dongles.

      Behold, the power of mass production.

    10. Re:Those key fob things should be universal by araphwael · · Score: 1

      I'd be happy if my bank issued me just a paper list of one-time passwords to use with my regular password.

    11. Re:Those key fob things should be universal by jonwil · · Score: 1

      Even better than RSA keyfobs (and cheaper too) would be something like
      http://www.passwindow.com/
      Employers could put the PassWindow on the front of employee ID cards.
      Banks could put the PassWindow on the front of the ATM card.
      etc

      And unlike the RSA keyfobs it hasn't been cracked yet.

      No, I don't work for them, I just LOVE their product and want to see it gain traction.

    12. Re:Those key fob things should be universal by Anonymous Coward · · Score: 0

      The real answer is OpenID. Not some $75 token that someone, somewhere has to manage

  19. Never understood the logic by Bertie · · Score: 2, Insightful

    Make people pick a strong password and then let them keep it. I mean, if it never exists outside somebody's head, it can't get lost or stolen. Forcing regular changes makes them likely to forget, or run out of ideas and choose weaker passwords. For example, I know someone who copes with the requirement to change regularly by cycling through the names and numbers of the players of his football team. This is fairly easily guessed at, and he wouldn't have to do it if he didn't have to keep changing his password.

    Obviously I've no numbers to back it up, but I'd imagine security is breached far more often by finding passwords scribbled on Post-Its than by brute-forcing. I mean, that's really hard to do, and the rewards have to be well worth the effort, which they seldom are. So eliminate the need to write them down which so many people obviously feel.

    Nobody knows my passwords but me. I've never written them down. I've never suffered any security compromises.

    1. Re:Never understood the logic by Combatso · · Score: 1

      I agree... I've worked in IT a long time, and it's always the person's fault for letting their passwords out... sometimes it's a post-it, but usually people are just willing to give it out... especially to any IT staff, just walk up and ask "what's your password?"... they just assume it's for a good reason and hand it over... after countless meetings, memos and shit-cannings... People will cover the debit machine at the grocery store as if they are guarding the nuclear launch codes, but their wall-safe at the hotel they are staying at, they load with all their money, passports and jewelry, then proceed to make the code 1234....

      I can't think of a way to change it either..

    2. Re:Never understood the logic by somersault · · Score: 1

      Well there's also the scenario of using your password somewhere, and the server being breached, or even of that service being run by some malicious party.

      I had a friend forward me an email with something like "type in your MSN details here to find out who has blocked you". I advised her to change her password immediately, because she no doubt just put her username and password in there without thinking. If she also used that email address and password combo in other places then they could get access to those too though. I didn't consider that at the time.

      Maybe that site was a scam, maybe it wasn't, but there's a lot of opportunity for sites like eBuddy or similar to collect people's login details.

      There's even an XKCD about this, so even those who were too dumb to think of it before will probably be trying it by now.

      I still follow the "strong password that I don't change very often" philosophy myself, but I know I probably should change it more often, and I'm careful which sites I use my currently preferred strongest password with.

      --
      which is totally what she said
    3. Re:Never understood the logic by betterunixthanunix · · Score: 1

      if it never exists outside somebody's head

      Except that it does exist outside of their head: the password is communicated to the system that the person is logging in to. Case in point:

      http://www.businessinsider.com/how-mark-zuckerberg-hacked-into-the-harvard-crimson-2010-3

      From the article:

      Mark used his site, TheFacebook.com, to look up members of the site who identified themselves as members of the Crimson. Then he examined a log of failed logins to see if any of the Crimson members had ever entered an incorrect password into TheFacebook.com. If the cases in which they had entered failed logins, Mark tried to use them to access the Crimson members' Harvard email accounts. He successfully accessed two of them.

      --
      Palm trees and 8
    4. Re:Never understood the logic by Anonymous Coward · · Score: 0

      I agree... I've worked in IT a long time, and it's always the person's fault for letting their passwords out... sometimes it's a post-it, but usually people are just willing to give it out... especially to any IT staff, just walk up and ask "what's your password?"... they just assume it's for a good reason and hand it over...

      I handed out a password once after some nice people offered me a chocolate bar. I was sort of surprised by the offer so I thought about their offer for a moment and then told them "frog" "43" "xyz" and they said thank you and gave me the chocolate bar. It was one of those Swiss chocolate ones and it was yummy. The password I had given them was very old and no longer used. It just happened to be one that stuck in my head.

    5. Re:Never understood the logic by Culture20 · · Score: 1

      usually people are just willing to give it out... especially to any IT staff, just walk up and ask "what's your password?"... they just assume it's for a good reason and hand it over... after countless meetings, memos and shit-cannings...

      It's worse than that. You'll come to their cubicle and before you can ask them to show you what's wrong, they'll announce their password loud enough that everyone in earshot can hear. That's when I announce that they need to change their passphrase immediately. This is the only time you really need to change a passphrase; when you think it may be compromised. If you change every 3 months, you've given someone access for 3 months. Either change every microsecond or only when necessary.

  20. Slow day in the security industry by bouldin · · Score: 1

    If this is news, then things are really slowing down in the security industry.

  21. "Security experts" know nothing about usability by Tridus · · Score: 5, Insightful

    We've been going through this at work. The "security experts" came up with all kinds of asinine rules. Stuff like "don't show the length of the password as a user types", "don't reuse the same password on different systems", "don't write them down", "change them every 3 weeks", etc.

    The problem is that none of these people have a bloody clue how ordinary users deal with this stuff. If you listen to security experts, you get bullshit that destroys usability and forces users to get ever more creative in bypassing the rules.

    IMO no "security expert" should be allowed to come up with rules without a usability expert sitting behind them holding a taser.

    --
    "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    1. Re:"Security experts" know nothing about usability by jeffmeden · · Score: 1

      Tasers will automatically self-sacrifice their capacitors if brought too close to Bruce Schneier. He once was approached by a man with a Taser; he ripped the man's arm off to tase him with it and the taser never forgot. Tasers never forget.

    2. Re:"Security experts" know nothing about usability by Anonymous Coward · · Score: 0

      seriously, security is inconvenient. That's how it works. If it's inconvenient for you, just imagine how inconvenient it is for the crook. idiot.

    3. Re:"Security experts" know nothing about usability by Rich0 · · Score: 1

      The grandparent had a good point, actually. The problem is the mentality of security at any cost.

      The most secure system is a system that nobody uses. That system of course has absolutely zero utility.

      In the real world we have tradeoffs. When you force users to behave in a "secure" manner that is inconvenient, you cause them to engineer around your solution - perhaps resulting in a system that now is less secure than it would have been without the security measure.

      Users aren't the enemies - they're just trying to get work done.

      Of course there needs to be a balance, but the best security is one where the cost of the security measure in terms of usability is considered in relation to its risk. The question isn't whether a feature increases security, but rather whether it increases it relative to its cost.

  22. The answer by pehrs · · Score: 3, Insightful

    Frankly, the answer is almost always "Never"

    The human brain is not good at memorizing strings. I deal with well over 100 passwords in a normal week. Assuming, generously, a 6-month timeout, it would mean memorizing new passwords every few days. I have better things to do with my life. Much better things. As does the vast majority of users, which is why any company with a short password timeout finds that the passwords are either on post-it notes under the keyboards or a variation of "anna-December01".

    If your system demands high security, passwords are not suitable anyway. You should be going for multi-factor authentication, not making the passwords longer or time out more often.

    But, you might say, shouldn't changing passwords limit my exposure in a networked environment?

    Well, there are a few alternatives. If you store your passwords in an insecure manner (post-it under the keyboard, your secretary etc...) then you have already lost. Anybody can grab your password when they need it. If you keep them secure (memorized), but worry about some server being hacked, there are two alternatives: Either you have the same password everywhere, and then updating the password won't change anything, as the attacker will have your password the moment you update it. Or you have different passwords, and then the server where you updated it will still be compromised, but the rest still secure.

    If you send your passwords in clear text over the network and worry about sniffing, you don't care about the security.

    In the end, passwords are simple security mechanisms for discouraging casual abuse of systems. Make sure they do not fall to a trivial brute-force attack and move on. If you need real security you will have to look beyond passwords anyway.

    1. Re:The answer by cerberusss · · Score: 1

      or a variation of "anna-December01"

      Thanks for publishing my password, assh0le. Now I have to change it AGAIN.

      hunter2

      --
      8 of 13 people found this answer helpful. Did you?
    2. Re:The answer by RAMMS+EIN · · Score: 1

      ``Well, there are a few alternatives. If you store your passwords in an insecure manner (post-it under the keyboard, your secretary etc...) then you have already lost.''

      Actually, no. If it's a strong password, it still protects against anyone who can't access the password (e.g. can't get to the post-it, doesn't get given it by the secretary, etc). That protects against the untargeted dictionary attacks that float around the 'net, which is actually the kind of attack I see most.

      ``If you send your passwords in clear text over the network and worry about sniffing you don't care about the security.''

      Sniffing is, at the same time, more of a risk and less of a risk than people realize. A lot of people don't realize there is any risk at all, or would know there is a risk if you asked them, but otherwise don't stop to think about it. On the other end of the spectrum, there are people who think that any cleartext transmission can easily be sniffed by any interested party. The truth is that transmissions over wired networks are mostly unicast these days, so any intercepting party would have to be on the transmission path to be able to sniff. WLAN is a wholly different matter, as it is often possible for anyone on the network to intercept all traffic within radio range. But even in that case, you are usually talking about tens of nodes, rather than the whole Internet. Of course, encryption is still a good idea and should be used, unless there is a good reason not to do so.

      ``In the end, passwords are simple security mechanisms for discouraging casual abuse of systems.''

      I agree, and that's why I'm for the use of strong passwords. If you have too many to remember, memorize just one and put the rest in a password file that you protect using the password you memorized. It's easy and secure. If even that doesn't work (for example, you move around a lot and can't always access your password file), find a different solution for the problematic cases. If you have to compromise, writing down a hint, part of the password, or even the full password isn't that bad: you still keep out people who don't have physical access to the note. Weak passwords are the greater problem: they can be guessed by attackers, or easily remembered by lots of people who can't necessarily all be trusted all the time.

      --
      Please correct me if I got my facts wrong.
  23. Ever heard of Keepass? by windcask · · Score: 1

    If you use Keepass or some other sort of ultra-encrypted password safe, you only need to remember one. Besides, you'd be surprised how well your fingers remember $A45j00)&er]{ after a while, even if your brain doesn't. That may be a signal it's time to change your password, however...

    1. Re:Ever heard of Keepass? by FunkSoulBrother · · Score: 1

      How does Keepass work if I'm on my phone browser or a public terminal?

    2. Re:Ever heard of Keepass? by Ash-Fox · · Score: 1

      How does Keepass work if I'm on my phone browser or a public terminal?

      It prevents you from doing so, thus decreasing the risk of your password being sniffed. It's a two for one deal!

      --
      Change is certain; progress is not obligatory.
    3. Re:Ever heard of Keepass? by SnarfQuest · · Score: 1

      Just how do you pronounce that without people laughing at you. Keep-ass just sounds so porney.

      --
      Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
  24. 20 toothbrushes? by ZmeiGorynych · · Score: 1

    Which of the couple dozen passwords I have for various places do you suggest I change frequently? All of them? I've never had my accounts cracked yet, and for any of them except banking (who use more than just a password) I don't care if they do. On the other hand, I've lost count of the times that I had to waste half an hour because I had forgotten the new password because some moronic policy forced me to change it.

  25. When ever you need it by Murdoch5 · · Score: 1

    How about just changing the password when you have a reason to.

  26. Expiration? pfft by bhcompy · · Score: 1

    My RSA token generates a new unique password every 60 seconds.

    1. Re:Expiration? pfft by blair1q · · Score: 1

      Meaning anyone with your RSA token has access to everything, and you won't know it until you get to work in the morning and the one they swapped it for looks suspiciously new.

      Last I checked, memories were harder to slip off a keychain.

    2. Re:Expiration? pfft by bhcompy · · Score: 1

      What's my username? And who doesn't keep their token on them at all times? Leaving your token unsecured at your desk is the same as leaving your l/p written on a piece of paper and posting it on the bulletin board. The point of the enhanced security of the token is to keep it on you at all times, and in all of the implementations I've seen it's not the only security measure. One login and rotating password for access then RSA login and password for authentication

    3. Re:Expiration? pfft by blair1q · · Score: 1

      What's my username?

      Easier to crib than your password. Probably attached to all your emails.
      Certainly shows up in file listings.

      The point of the enhanced security of the token is to keep it on you at all times

      Same as a password, but the token, being separable from you, is quite a bit easier to exploit.

      One login and rotating password for access then RSA login and password for authentication

      Well that's a different situation. You actually do have a password that you keep in your head. And I'm sure they put that in place for the same reasons I was talking about.

    4. Re:Expiration? pfft by vakuona · · Score: 1

      If you lose your token, then you inform your admin and get it blocked. It's easier to notice that your token has been stolen than that your password has been compromised.

  27. Strength-based passwd aging by otis+wildflower · · Score: 1

    Passwords should have lifetimes dictated by their strength.. Weak passwds rejected, mild passwds say 30 days, medium passwds 60-90 days, strong passwds 180-360 days, and impenetrable passwds should not require changing.

    Impenetrable = >= 16 characters, mixed case, numerals, punctuation, and passing all dictionaries. I have 3-5 of these consigned to muscle memory, and rotate thru them whenever I'm forced to change my passwd, it's annoying as FUCK.

    1. Re:Strength-based passwd aging by muckracer · · Score: 4, Interesting

      > Weak passwds rejected, mild passwds say 30 days, medium passwds 60-90 days, strong passwds 180-360 days, and impenetrable passwds should not require changing.

      I like it. Might not be that easy to test for though.

      > Impenetrable = >= 16 characters, mixed case, numerals, punctuation, and passing all dictionaries.

      Personally I *hate* all that mixed character crap and only use lower-case characters, so I don't have to hit Shift or otherwise contort my fingers. Rather make it longer but a lot easier to type:

      16 random characters from entire ASCII set (95) = 105 bits (you'd need 21 to reach 128-bit security)
      16 random characters from lower-case letters (26) = 75 bits (you'd need 28 to reach 128-bit security)

      Not that much of a difference. Even 75 bits would suffice for most applications.

      More characters to type overall, but probably the best trade-off for entry speed, recall ability and security is the Diceware approach. 10 random words = 128+ bit.

      Use KeePass anyway for the multitudes of Logins or even a simple:
      vim -x my_passwords.txt
      ( :set cryptmethod=blowfish )

    2. Re:Strength-based passwd aging by LainTouko · · Score: 3, Insightful

      Personally I *hate* all that mixed character crap and only use lower-case characters, so I don't have to hit Shift or otherwise contort my fingers.

      And additionally, if you've trained yourself to be really good at remembering, say, lists of words, or have a good scheme for generating such lists in a repeatable fashion from some secret, and some application rejects your "flab nail sandwich under fixing splats time" password because it doesn't have a number in it, the chances of you writing down whatever awkward password you now have to remember and sticking it on your monitor are considerably increased.

      Password systems should work with users to make it as easy as possible for them to create passwords which are hard to guess, but they find easy to recall. The only acceptable way to reject passwords as too weak is by running some entropy-assessment algorithm on them. That way the system can work just as well for string-of-words guy, and can-remember-things-like-e47%TeGGz1#~? man.

  28. Passwords will be old hat by SpaghettiPattern · · Score: 1

    Passwords as currently known will hopefully become old hat soon. I long for the time when I can own a private key in hardware, where drivers on all platforms are a cheap commodity and where all programs and systems will be able to offer a decent authentication interface.

    A password can be stolen more easily than the combination password + private key.

    --
    I hadn't the slightest objection to his spending his time planning massacres for the bourgeoisie... (P.G. Wodehouse)
  29. Or underwear by Anonymous Coward · · Score: 0

    Just sayin'

  30. bruteforce by tris203 · · Score: 1

    If you are confident your password will not be on a wordlist, and you know the encryption technique: every "less than the time taken to brute-force the password should the hash be obtained", however frequently that is. If your password is "aaaa" you'll be changing it every 10 seconds.

    --
    http://snappeh.com/blog/ - My Blog, not that any of you care...
  31. Answer: Never! by UnknowingFool · · Score: 1, Funny

    Seriously I've used "1234" on all my email accounts and my root admin account for years and never had the problem.
    Hold a sec. My router is going a little crazyF8($&#Rin85M3$%
    s fpjl ;?>I ALW7H;
    [CARRIER LOST]

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  32. And they are the specialists... by hrimhari · · Score: 1

    This again. Just like that lady from Microsoft who challenged the 7 password rules.

    I am not a security specialist. Yet I seem to know something they don't: that "frequently" changing the password is meant to stop brute force over the password hash from being profitable, not to stop a person who already knows the password from using it.

    Example: excluding the dictionary-based, < 8 length, all lower case letters, etc which are broken easily, let's suppose it takes 2 months to break a good password's hash by brute-force.

    If your system obliges you to change your password every 2 months - 1 day, when the attacker finally breaks the old password it's no longer valid. The bonus would be to catch the attacker when he tried to use it.

    That's the theory. If it works or is worth the trouble, I don't know. But I'd love to see that being discussed by the so-called specialists instead of unrelated use-cases.

    --
    http://dilbert.com/2010-12-13
    1. Re:And they are the specialists... by muckracer · · Score: 1

      > Example: excluding the dictionary-based, If your system obliges you to change your password every 2 months - 1 day, when the attacker finally breaks the old password it's no longer valid.

      Except there's a fundamental error in that argument:

      The attacker doesn't have to search the entire key space to finally hit the password. Only half of it on average. In fact, he can get lucky and hit it in a couple hours! So you have no idea and that 2 months policy is worthless!

      And that's not even getting into the question of how to determine the time it takes to crack a password, even if 100% key space search in brute-force mode were necessary. What's the possible tries per second reference? Your laptop? The corporate network clustered? distributed.net? The NSA?

      Only way to be sure...given today's knowledge and computing power...is to pick (for high-sec apps) a password of at least 128-bit strength, since it's currently agreed upon as being completely outside the realm of possibility for anyone to crack. YMMV :-)

    2. Re:And they are the specialists... by itsdapead · · Score: 1

      What's the possible tries per second reference?

      GP was talking about "brute-force over the password hash".

      I.e. the rule refers to situations where someone has grabbed your /etc/passwd or equivalent (fairly easy on old-style Unix systems where it was world readable) and just has to find the original passwords that give rise to the encrypted values in that file.

      --
      In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
    3. Re:And they are the specialists... by hrimhari · · Score: 2, Interesting

      I think he got it and was asking for the tries per second on the hash, as in 10, 10000, etc.

      The answer is: I don't know. But I can estimate it:

      To go over the entire space of one single password with 8 characters by brute-force, considering 64 valid ASCII symbols (could be more, could be less, depending on the system) it should take 64^8, or 281,474,976,710,656.

      It should be equivalent to a 48-bit key. For that password to be the equivalent to a 128-bit key, it should take some 22 characters in length.

      Since not every password is at the end of the spectrum of the attacker's attempts, I suppose it would be safe to say that it would take half of that, on average. Or 140,737,488,355,328.

      If the attacker is concentrating on only one single password, he'd need to be able to make some 27,148,425 attempts per second.

      This guy seems to be able to make 1,400,000,000 of them with a PS3, so he'd take about 28 hours.

      With a single PlayStation 3.

      He says that PS3s are specifically good at that, so maybe that's the best bet. Except for clusters of PS3s.

      So, an 8-character password in a system with 64 valid ASCII possible symbols would be the equivalent of a 48-bit key. To have the equivalent of a 128-bit key we'd need a 23-character password. I guess that's why they call it a passphrase...

      In that case, the PS3 guy would take 3,853,672,525,287,862,210,347 years. A little extreme.

      So how long should the password be in a system with a 2-month change policy to be safe at least from the PS3 guy?

      Answer: a 54-bit key, or... 9 characters! Not that bad already...

      In any case, as I said in the end of my first post, I don't get into the merit of the theory. I just question why the "specialists" always seem to analyze the question from unrelated perspectives such as "if you change your password every two months, then the maximum time an attacker will have to use the password (as in the attacker already has it from day 0) is 2 months" instead of "the maximum time an attacker will have to discover and use the password is 2 months".

      You know, like the kind of analysis that I, non-specialist, just did.

      --
      http://dilbert.com/2010-12-13
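      The bit-strength comparison in muckracer's reply and the crack-time and rotation-period arithmetic in the comment above, worked through as an added example (not code from the thread or from any poster); the function names are mine, the 1.4e9 guesses/s rate is the PS3 figure quoted above, and the model is the same uniform-search-of-the-whole-key-space assumption the comments use.

```python
"""Password entropy versus brute-force time: the arithmetic from the thread.

Added example, not part of the original Slashdot discussion.  Assumptions:
  - passwords are drawn uniformly at random from a fixed alphabet
    (so "alphabet_size ** length" is the whole key space);
  - the attacker has the hash and searches the key space sequentially at a
    constant rate (1.4e9/s is the PlayStation 3 figure quoted in the thread,
    used here as a constructed reference rate).
"""
import math

SECONDS_PER_HOUR = 3600
SECONDS_PER_DAY = 86400
PS3_GUESSES_PER_SECOND = 1.4e9   # figure quoted in the thread, not measured here


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols chosen uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest password from this alphabet reaching `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def worst_case_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Time to exhaust the whole key space."""
    return 2 ** bits / guesses_per_second


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the secret: half the key space on average."""
    return worst_case_crack_seconds(bits, guesses_per_second) / 2


def hourly_success_probability(bits: float, guesses_per_second: float) -> float:
    """For a sequential search, the chance the hit lands in any given hour
    (uniform over the search, so it is constant until the space is exhausted).
    Generalises the 'half on average' reasoning: the hit can come at any time."""
    return min(1.0, guesses_per_second * SECONDS_PER_HOUR / 2 ** bits)


def min_length_for_rotation(alphabet_size: int, guesses_per_second: float,
                            rotation_seconds: float) -> int:
    """Shortest length whose *expected* crack time exceeds the rotation period.

    Need 2**(bits-1) / rate >= rotation, i.e. bits >= log2(rate*rotation) + 1.
    """
    needed_bits = math.log2(guesses_per_second * rotation_seconds) + 1
    return math.ceil(needed_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    # muckracer's comparison: 16 chars from all 95 printable ASCII vs lower-case only
    print(f"16 x 95-symbol: {entropy_bits(95, 16):.0f} bits")
    print(f"16 x 26-symbol: {entropy_bits(26, 16):.0f} bits, "
          f"{min_length_for_bits(26, 128)} lower-case chars for 128 bits")
    # hrimhari's estimate: 8 chars from a 64-symbol alphabet against one PS3
    bits8 = entropy_bits(64, 8)
    hours = expected_crack_seconds(bits8, PS3_GUESSES_PER_SECOND) / SECONDS_PER_HOUR
    print(f"8 x 64-symbol = {bits8:.0f} bits, expected crack ~{hours:.1f} h on one PS3")
    two_months = 60 * SECONDS_PER_DAY
    print("length needed so expected crack time exceeds a 2-month rotation:",
          min_length_for_rotation(64, PS3_GUESSES_PER_SECOND, two_months))
```

Note that the rotation length only makes the *expected* crack time exceed the rotation window; `hourly_success_probability` shows the attacker still has a constant chance of hitting early in every hour of the search.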
    4. Re:And they are the specialists... by Josef+Meixner · · Score: 1

      In any case, as I said at the end of my first post, I don't get into the merit of the theory. I just question why the "specialists" always seem to analyze the question from unrelated perspectives such as "if you change your password every two months, then the maximum time an attacker will have to use the password (as in the attacker already has it from day 0) is 2 months" instead of "the maximum time an attacker will have to discover and use the password is 2 months".

      Simple, there is not only brute force to get a password. E.g. if the password hash is leaked and there is a matching rainbow table, a password for your hash is known immediately (you also forgot that hash functions are not 1:1 mappings; multiple passwords map to the same hash). Similarly, if the password is captured by a trojan or by a video camera. That is probably the most likely attack vector; brute forcing is very expensive.

      So there are situations where the password is known from the start. Also your analysis is flawed: you assume an attacker to systematically check all sequences of allowed characters. If you check, you will see that the programs trying to crack passwords try a dictionary attack and do permutations on the dictionary, as most people are not able to memorize a long random string of characters.

      Your analysis has a second flaw: you assume interest in exactly your password. In most cases that is unlikely; an attacker of a business will try to get hold of one password to get into the system and then try to elevate the privileges, so any password will do, therefore you would go after the weakest, not the strongest.

    5. Re:And they are the specialists... by david_thornley · · Score: 1

      If you're not a specialist, but you see obvious ways that multiple specialists are wrong, you may not have the entire picture.

      Suppose it takes two months to brute-force a password. What doesn't happen is that the machine chugs away for precisely 1464 hours and then spits out a password. What does happen is that the machine brute-forces until it finds the password, which can be at any time up to the two months. This means you can express the breakage as something like 0.07% chance per hour, which is probably more useful.

      If the intruder can get the hash once, the intruder can probably get the hash after it's been changed (or at least that's the safe assumption), and start brute-forcing the new hash at 0.07% per hour.

      Suppose you change monthly. There's a 50% chance of breakage in the first month. Then there's a 50% chance of breakage in the second month, or 75% overall. That's better than 100% over two months, but it isn't a great improvement. (Changing it more frequently doesn't give you more security. Once it's a matter of probabilities rather than exhausting the search space, there's really no further improvement.) In the meantime, you're ignoring all the other ways somebody might get your password, and you're coming up with unrelated strong passwords once a month. If you're doing this for five accounts, you are coming up with more than one strong password, unrelated to any of your other passwords, per week, and having to safeguard them. (I don't know about you, but I have more than five accounts that need strong passwords.)

      So, if you can come up with enough strong unrelated passwords, and remember them (or use whatever other secure method to store them), you may as well. It's a moderate improvement. For most people, it's going to be a net loss, as they'll use related passwords, and cracking one will provide a lot of clues for every other one; alternatively, they'll forget one or get it mixed up, and password recovery techniques are never as secure as the actual password.

      Not to mention that I don't see clearing my bank accounts as an unrelated use case. It is a possibility for somebody who can crack the right passwords.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
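The 64^8 arithmetic in hrimhari's post above and the "0.07% per hour / 75% over two months" view in david_thornley's reply are the same calculation looked at from two sides. The block below is an added example written for this page, not code from either poster or from Schneier's article; it generalises their numbers to any alphabet size, password length and guess rate. The 1.4e9 guesses per second is the PS3 figure quoted in the thread, "2 months" is taken as 60 days, and all other inputs are constructed parameters.

```python
"""Added example (not code from the thread): brute-force cost and expiry
window arithmetic, generalised to any alphabet size, length and guess rate.
All rates and periods are constructed inputs; 1.4e9 guesses/second is the
PS3 figure quoted in the thread, used only as an illustrative parameter."""
import math

HOUR = 3600
DAY = 24 * HOUR
YEAR = 365 * DAY


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Equivalent key length in bits for a uniformly random password."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, bits: float) -> int:
    """Shortest random password whose keyspace reaches `bits` of security."""
    return math.ceil(bits / math.log2(alphabet_size))


def expected_crack_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Average time for exhaustive search to hit one password: half the space
    (the 'half of that, on average' assumption in the post)."""
    return keyspace / 2 / guesses_per_second


def min_length_for_window(alphabet_size: int, guesses_per_second: float,
                          window_seconds: float) -> int:
    """Shortest length whose average crack time exceeds the expiry window."""
    length = 1
    while expected_crack_seconds(keyspace_size(alphabet_size, length),
                                 guesses_per_second) <= window_seconds:
        length += 1
    return length


def hourly_break_probability(keyspace: int, guesses_per_second: float) -> float:
    """Chance per hour that a search which has not yet succeeded does so
    (the per-hour view): the fraction of the space covered in one hour."""
    return min(1.0, guesses_per_second * HOUR / keyspace)


def compromise_probability(keyspace: int, guesses_per_second: float,
                           period_seconds: float, periods: int) -> float:
    """Chance that at least one of `periods` consecutive passwords falls when
    the attacker obtains each new hash and restarts the search against it.
    Within one period the success chance is the fraction of the space the
    attacker can cover, capped at 1; successive periods are independent."""
    per_period = min(1.0, guesses_per_second * period_seconds / keyspace)
    return 1.0 - (1.0 - per_period) ** periods


if __name__ == "__main__":
    space = keyspace_size(64, 8)
    print(f"64^8 = {space:,} ({keyspace_bits(64, 8):.0f}-bit equivalent)")
    print(f"average crack at 1.4e9/s: {expected_crack_seconds(space, 1.4e9) / HOUR:.1f} h")
    print(f"length needed to outlast 60 days: {min_length_for_window(64, 1.4e9, 60 * DAY)}")
    # A space that takes exactly two months (1464 h) to exhaust at 1 guess/s.
    two_month_space = 1464 * HOUR
    print(f"per-hour chance: {hourly_break_probability(two_month_space, 1):.4%}")
    print(f"monthly change, two months: {compromise_probability(two_month_space, 1, 732 * HOUR, 2):.0%}")
```

Two things fall out of running it that the posts only state in words: once the attacker can cover the whole space inside one expiry period, `compromise_probability` returns 1.0 and shortening the period is the only lever left, and each extra symbol from a 64-symbol alphabet multiplies `expected_crack_seconds` by 64, which is why `min_length_for_window` jumps from a 60-day window to 9 characters rather than to some fractional value.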
    6. Re:And they are the specialists... by hrimhari · · Score: 1

      In any case, as I said at the end of my first post, I don't get into the merit of the theory. I just question why the "specialists" always seem to analyze the question from unrelated perspectives such as "if you change your password every two months, then the maximum time an attacker will have to use the password (as in the attacker already has it from day 0) is 2 months" instead of "the maximum time an attacker will have to discover and use the password is 2 months".

      Simple, there is not only brute force to get a password.

      And changing the password every X time is not the only rule employed...

      E.g. if the password hash is leaked and there is a matching rainbow table a password for your hash is known immediately

      It's a possibility. I have no idea of the likelihood of such a rainbow table also being available along with the password hash. Do you?

      (you also forgot, that hash functions are not 1:1 mappings, multiple passwords map to the same hash).

      I didn't. I just wanted to make the example simpler and shorter to follow. This could be accounted for by my division of the number of necessary attempts by half. Unless you think otherwise?

      Similar if the password is captured by a trojan or by a video camera. That is probably the most likely attack vector, brute forcing is very expensive.

      I don't know about that either. See the PS3 guy in previous post...

      So there are situations, where the password is known from the start.

      In that case, changing it every X time has no value, so I don't see the point of investigating this use-case except as a strawman to say that changing every X time has no value per se.

      Also your analysis is flawed, you assume an attacker to systematically check all sequences of allowed characters. If you check, you will see, that the programs trying to crack passwords try a dictionary attack and do permutations on the dictionary as most people are not able to memorize a long random string of characters.

      If you read the thread, you probably saw that I chose to remove the "easy to get" from the use-case since they also have no value to this discussion. See previous answer and further analysis below.

      Your analysis has a second flaw, you assume interest in exactly your password. In most cases that is unlikely, an attacker of a business will try to get hold of one password to get into the system and then try to elevate the privileges, so any password will do, therefor you would go after the weakest, not the strongest.

      If the attacker can eavesdrop on you, no password rule applies. Whatever password you use, he'll get. So this use-case is not valid to this discussion.

      Now, in a system with the following rules:

      1. Password must have at least 8 characters.
      2. Password must have lower case, upper case, letters and numbers.
      3. Password must not contain dictionary words or names.
      4. Password expires after 2 months.
      5. Password must not be the same as one of the last 5 used passwords.

      I'm looking specifically into the validity of rule 4 in such a system.

      I don't think an attacker can use dictionary guessing due to rules 2 and 3.

      Rule 5 helps avoid the use of the same password too soon, so it works along with rule 4.

      Due to rule 1, the attacker will rather try to crack each and every password hash he has, all at once, else he would never know if the one password he's brute-forcing is 8 or 30 characters long.

      So if he gets hold of 200,000 password hashes, you better multiply the number of hash generation attempts by that, which makes it even longer.

      All that considered, I still have the impression that the "specialists" simply focused on the wrong use-case. Then again, I'm not a specialist, so I'm eager to see that better explained than you just tried to do.

      --
      http://dilbert.com/2010-12-13
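The five rules hrimhari lists above are easy to state and slightly fiddly to enforce, particularly rule 5, which requires keeping old credentials around without keeping them in plaintext. The block below is an added example for this page, not code from the thread or from any product; it implements the rules as a checker. The word list, the reading of "2 months" as 60 days, and the PBKDF2 parameters are constructed assumptions; a real deployment would use its own dictionary and its own password-hashing scheme.

```python
"""Added example (not code from the thread): a checker for the five rules
listed in the post above. The word list, the 60-day reading of "2 months"
and the PBKDF2 parameters are constructed assumptions for the example."""
import hashlib
import hmac
import os

MIN_LENGTH = 8                          # rule 1
HISTORY_DEPTH = 5                       # rule 5
MAX_AGE_SECONDS = 60 * 24 * 3600        # rule 4: "2 months", taken as 60 days
PBKDF2_ROUNDS = 100_000
# Rule 3 needs a dictionary; this tiny one is constructed for the example.
WORD_LIST = {"password", "welcome", "summer", "alice", "bob", "admin"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so the history never stores plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PasswordRecord:
    """Per-user state: when the password was last set, plus the last
    HISTORY_DEPTH (salt, digest) pairs, newest last."""

    def __init__(self):
        self.history = []
        self.set_at = None              # epoch seconds of the last change

    def set_password(self, password: str, now: int) -> None:
        problems = check_policy(password, self)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)           # fresh salt per stored entry
        self.history.append((salt, hash_password(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]
        self.set_at = now

    def is_expired(self, now: int) -> bool:
        """Rule 4: true once the current password is older than MAX_AGE_SECONDS."""
        return self.set_at is None or now - self.set_at > MAX_AGE_SECONDS


def check_policy(password: str, record: PasswordRecord) -> list:
    """Return the rules a candidate password violates (empty means accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"rule 1: shorter than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)):
        problems.append("rule 2: needs lower case, upper case and digits")
    lowered = password.lower()
    if any(word in lowered for word in WORD_LIST):
        problems.append("rule 3: contains a dictionary word or name")
    # Rule 5: re-derive the digest under each stored salt; compare in constant time.
    if any(hmac.compare_digest(hash_password(password, salt), digest)
           for salt, digest in record.history):
        problems.append(f"rule 5: matches one of the last {HISTORY_DEPTH} passwords")
    return problems
```

The rule 5 check costs one PBKDF2 derivation per history entry, which is the price of not storing the old passwords in a reversible form; the per-entry salt means two users who picked the same old password do not share a stored digest.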
    7. Re:And they are the specialists... by hrimhari · · Score: 1

      Most of your argument is the analysis I requested. To me, it's what's important.

      This:

      Not to mention that I don't see clearing my bank accounts as an unrelated use case. It is a possibility for somebody who can crack the right passwords.

      It's unrelated because once the attacker has the password, there's nothing keeping him from using it right away. So changing the password every X time is obviously not effective in this case.

      Of course, having our bank accounts safe (not cleared) is important. That's why we have so many security measures being discussed, including changing the password every X time.

      --
      http://dilbert.com/2010-12-13
    8. Re:And they are the specialists... by WuphonsReach · · Score: 1

      The short-answer...

      8 character passwords (even complete gibberish), where the attacker can grab the hash, are easily cracked within a day or three. Even if salted. Possibly hours if they have a few thousand dollars to throw at the problem. The only defense is to restrict / rate-control attempts and not let them peek at the hashes.

      Every character past that point multiplies the time by about 50x to 64x. It can be as little as a 16x increase per letter if the password is based on dictionary words.

      9 or 10 characters is a far better choice at a minimum, and 12-15 is pretty decent against all but the most determined attackers with significant resources. But minimum password length should definitely be somewhere north of 8 characters.

      From what I recall, the king of the hill at the moment is NVIDIA CUDA. Which is probably a bit faster than the PS3, and you can stuff 3 or 4 of them into a single box. Not that expensive either for a week's worth of computing time on a small cluster of them. But someone would have to *really* hate you enough to spend a few thousand attempting to break in. Or they have a bot-net at their disposal to calculate hashes. But real quick you get into the realm of "it's cheaper to install key-logging software".

      --
      Wolde you bothe eate your cake, and have your cake?
    9. Re:And they are the specialists... by monkyyy · · Score: 1

      assuming if u get the hash u get tons of hashes with a conservative estimate of 50% of those are idiots
      "1. Password must have at least 8 characters.
      2. Password must have lower case, upper case, letters and numbers.
      3. Password must not contain dictionary words or names."
      1. 90% of passwords will be 8 letters long
      2. 80% of passwords will follow ullllll#
      3. if u got the hashes u probably can get the dictionary file; get a bigger dictionary file with internet terms, common 2nd languages, dirty words, insults, etc. get rid of all in there not 7 letters long and ones in the old dictionary

      BOOM u got probably 30% of passwords in ur reach still while cutting down tons of time

      --
      warning pointless sig
  33. Hundreds of passwords [Re:To Change or Not To...] by Geoffrey.landis · · Score: 2, Interesting

    I give my clients a simple process to create 'strong' passwords out of normal words or phrases (preferably 10+ chars) that makes them easy to remember.

    Yeah, and if your clients only have one password to ever remember, and didn't have to change it, that would solve the problem. I have fifty passwords, many of which have to be changed every three months. Do you give your clients a "simple process" to create two hundred passwords per year, and remember which one goes with which system?

    By the way, the single most important thing you should do to make sure your clients are secure is to make sure that they don't use the same password to access different systems. If they re-use their password on an insecure phishing site, doesn't matter how "strong" it is with "10+ chars"; it might as well be 123456.

    --
    http://www.geoffreylandis.com
  34. Obligatory XKCD [Re:Hundreds of passwords...] by Geoffrey.landis · · Score: 3, Funny

    Speaking of which, I'm surprised nobody has posted the link to the relevant xkcd yet.

    http://xkcd.com/792/

    --
    http://www.geoffreylandis.com
  35. If you are at all worried... by gmurray · · Score: 2, Interesting

    If you are at all worried about changing your password, then a password is not enough. Changing doesn't help; as soon as your password is compromised it needs to be changed. Multiple factors are a much better solution than changing passwords, which only provides a false sense of security at best.

  36. Related question by HTH+NE1 · · Score: 1

    Related questions: how often should you change your username? real name? identity? SSN? fingerprints? retina pattern? DNA?

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    1. Re:Related question by monkyyy · · Score: 1

      well

      DNA- daily
      retina pattern- weekly
      fingers- bi-weekly
      ssn-monthly
      identity-3 months
      real name- yearly
      username- NEVER

      --
      warning pointless sig
  37. What's more by Sycraft-fu · · Score: 1

    It encourages password reuse. If you have to learn a new password all the time, well then makes sense to keep it to just one password. Every month you learn a new password and change it on all your sites. That's really secure! ... Not. That situation means if someone gets your password, they are in to EVERYTHING.

    Personally I'm with Schneier that password changes aren't useful on their own and I take it further: You shouldn't change your password unless there's a reason for high security systems because your password should be hard. It should be something reasonably lengthy and reasonably difficult that is used ONLY for that system/service. Random characters is good, a book quote with modified letters is good, etc. Something that takes you a bit to get memorized. Reason is not only is it hard to crack, but it is hard for people to pick up if you type it in. They can't just look over your shoulder and get the password, they'll be unable to remember it.

    That makes it unlikely you'll be cracked, and that in the event something else is compromised, means that the damage doesn't spread. THAT is secure, that is what you want. Problem is those kinds of passwords can't be changed all the time because they are hard to remember. Make people change them every month and they'll not only start writing them down, but reusing them among systems.

    I want to ask all the "security" people that think short password change policies are a great idea "Do you change the locks on your house every couple months? Then why should passwords be changed so often?"

    Continual password changes are security theater, not security, and actually tend to make things worse.

  38. As often as you need to. by blair1q · · Score: 1

    A = average number of people targeting you via password attacks at any time.
    B = average time it takes for your password to be hacked by one person.

    T_expire B/A

    So you can improve security by

    1. Heeding T_expire
    2. Increasing B by using trickier passwords
    3. Reducing A by nuking China

  39. Every Password should be different by Anonymous Coward · · Score: 0

    Every password that you use that can be different, SHOULD BE DIFFERENT. This is a risk mitigation method.
    Many professionals use a password manager like LastPass or KeePass or KeePassX and honestly only know the 30+ character passphrase to open that DB.

    I have hundreds of accounts and each has a different password. I use 30+ character randomly created passwords for each and have only 2 out of all these memorized - the main domain login to my main desktop AND the passphrase into KeePassX. All the other passwords ... I have no idea what they are and don't care. That's what a password manager is for.

    I worked in a government lab and had to physically stand in front of the network administrator once a year to retain network access. If I didn't show up, I was cut off. Remote users actually had to fly into our location to prove they still deserved access.

    How often should a password be changed? Anytime there is a risk that it has been compromised. A stronger and longer password can help reduce the risk. At my company, we force password changes every 56 days - why 56 days? 56 is divisible by 7, so Tuesday is the day that I change my passwords. That gives me 3 days to learn it before a weekend.

    Each organization will need to determine how often that could happen. For some organizations, it could be weekly, for others, yearly.

  40. Force password change often leads to less security by GodWasAnAlien · · Score: 1

    In theory, forced password changes lead to more security, as they narrow a window of compromise.

    In practice, a forced password change often leads to less security. The basic problem is that it's hard to memorize passwords.

    If forced passwords are too frequent, people will change 'mypassword' to 'mypassword2', then 'mypassword3'.
    Or change to a new more secure string unrelated to the previous one. Perhaps 'Xoolu3j3e'. However, in the case of too frequent changes here, it's hard to keep track of the passwords, so perhaps they get written on a sticky, or saved in the browser. Possibly a keychain on your computer helps, though then what do you do with a lost PC? Write them down? Assume that you can reset by some email verification?

    I wonder how often forced password changes really lead to better security.

  41. Password are a fail by Anonymous Coward · · Score: 0

    Are we really discussing this nonsense again? I have easily 15-20 passwords for various things and I am not even on Facebook and the like. I don't have a /. account cause I will not remember another password and the site allows me to post anonymously. I am not hiding from anything other than another password. I no longer shop online where I have to have an account for the same reason. If you think that normal people will remember even 10 unique long passwords you are out of your mind. If you think that it cannot be the same for the last x times, guess what people do? They spend the next 4 hours entering in enough passwords to get back to the last one they used and remembered.

    Passwords are a weak attempt at security. Suggesting anything else is insane. It has to be easy to be effective and words as passwords are not easy and will never ever be effective.

  42. Use your dogs name by MidnightPsycho · · Score: 2, Funny

    "Of course my password is the same as my pet's name.
    My dog's name was Q47pY!3$H9x, but I change it every 90 days."

  43. As often as the software insists. by blair1q · · Score: 2, Insightful

    I have in excess of 10 passwords just for work (and I'm not an admin, just an end-user, here).

    Every one of those pieces of software has different rules and timeouts. Some have aging enabled, some don't. Some prohibit reuse, some don't.

    I keep a spreadsheet with the rules for all of them (not the actual passwords; those I memorize), and change them en masse when the shortest-lived one nags me.

    So the question is moot. It's not reasonable to believe that in our lifetimes we'll get all of the makers of various pieces of software to change the way they control passwords. Many of these software packages have designs that are ingrained in contracts. Not that the details of the password system are called-out in a contract, but changing anything about the software is a matter of reopening requirements specifications that were locked-down according to a process that is defined and referenced in a Software Development Plan that is released and signed and referenced in a contract. Times the thousand instances of the software at the software vendors' various customer sites. And it's not possible to make a companywide decision to turn off password aging or protection on some of the software, as it's built-in turned-on by the vendor to protect their licenses.

    So the answer is, I need to change my passwords as often as the software insists. Not that I want to, or that it makes any sense, but that it's how it is, and I can change that no more than I can change the commute routes available to me.

    1. Re:As often as the software insists. by Anonymous Coward · · Score: 0

      I can change that no more than I can change the commute routes available to me.

      While we're still at least a few years away before China calls in their debt and fully owns this country, you can currently still live where you want (assuming you can afford it), so it's still rather easy to change the commute routes available to you. Granted, in a few years we may have a government that tells you where, and when, you can live.

  44. A membership card expires by Anonymous Coward · · Score: 0

    A membership card expires after a year because that's all the time you've purchased a membership for, not as a security measure.

  45. Usability is part of security by betterunixthanunix · · Score: 4, Insightful

    Security experts will tell you that usability is a part of security. The harder it is to use a system, the more likely it is that people will make a mistake, and in the case of a security system that often means compromising security in some way.

    Passwords as a secure authentication method are a really bad idea. Humans are pretty terrible at coming up with random passwords, and only marginally better at remembering a randomly generated string. It is easy to accidentally enter one system's password when logging into another system (and if you are logging into a system run by someone like Mark Zuckerberg, this could get you in a lot of trouble). Cryptographic logins are a hell of a lot better; all that would be needed is a good way for people to carry crypto keys around with them (which is not asking much given how many different storage devices people usually carry around -- cell phones, thumb drives, cards, etc. -- any one of which could be used to store a key). Web browsers are already capable of supporting cryptographic logins; it should not take a terrible effort to enable web browsers to use crypto keys stored on some portable device.

    Yes, I know, someone could steal your thumb drive and get all your credentials. Yet we rely on house keys to protect our homes, and someone could steal your house keys and enter your house (which would give them physical access to your computer). Users can use a passphrase to help protect their crypto keys from theft (this is somewhat better than just a password login since an attacker would need the keys before they could even attempt a brute force attack, and your passphrase would only need to thwart an adversary long enough for you to report the theft and revoke the stolen keys).

    --
    Palm trees and 8
    1. Re:Usability is part of security by nine-times · · Score: 1

      Security experts will tell you that usability is a part of security.

      This is very important. When you consider it properly, an ideal security scheme is not simply about denying access to intruders, but also about providing transparent access to authorized personnel. Making a lock impossible to pick is not generally useful if it is also impossible to open with the correct key.

      And I'm not just saying that extremely high security is impractical, but rather that it often becomes less secure. If you install a lock on a heavily trafficked door and make it difficult or inconvenient to unlock through proper channels, you'll find that people will start leaving it unlocked or propping that door open.

    2. Re:Usability is part of security by DarkOx · · Score: 1

      Digital keys and house or car keys are not the same thing. If I lose my keys someplace, whoever finds them in most cases has little idea what they open. So just because the keys are missing, security is not immediately compromised. If it takes me three hours to realize these items are missing, chances are pretty good I am OK. Now if you lose your certificate's private key, there is a list of popular sites to attack; chances are good you use or have used one, so you are immediately compromised. The first thing a thief who finds a key does is go to Amazon, eBay, five of the biggest US banks, Netflix, etc.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  46. Duration by Anonymous Coward · · Score: 0

    NUML=Length of password
    NUMC=Number of non-sequential capital case letters in password
    NUML=Number of non-sequential lower case letters in password
    NUMN=Number of non-sequential numbers in password
    NUMS=Number of non-sequential symbols in password
    NUMW=Number of dictionary, name, or common words in password

    ( ( (NUMC*.75) + (NUML*.75) + (NUMN*.5) + (NUMS*2) - (NUMW) ) / NUML) *.1 *30

    Yields maximum number of days to use a password, take lowest value of either this result or 120 days... if you come up negative, you screwed up, try a real password.

  47. Nice summary by Chapter80 · · Score: 1

    jhigh writes

    ... Bruce's analysis seems on target.

    Whew. When I got the recommendation from the guy who wrote the book on security, I wasn't so sure. But since jhigh endorses it, I'll take it under advisement.

  48. Incrementing passwords by mr100percent · · Score: 0, Redundant

    What if people just increment their passwords? Every few years (or password expires) I just increase the number at the end. Mine is now TrustNobody2009. It expires the older password and still keeps it easy to remember

  49. I'm sure we all know how this works out by roc97007 · · Score: 0, Redundant

    If you mandate that people change their passwords often, they will use weak passwords or write them down. The shorter the cycle, the more likely this happens.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  50. Exactly by CarpetShark · · Score: 1

    "Perfect timing...bout 99% of the time it would take to brute force it."

    Exactly so. The point of changing passwords is NOT to keep people from having access for too long -- that would be stupid beyond belief. The point is to change the password REGULARLY, based on the password complexity, and how long it would take to brute-force a password of that complexity.

    1. Re:Exactly by vakuona · · Score: 1

      That sort of assumes that when you change your password, you change it to some combination he had already tried. Chances are he hasn't tried a significant number of possible combinations, so it's more security theatre than good security. In fact, the better the password, the more likely regularly changing the password is not useful.

    2. Re:Exactly by CarpetShark · · Score: 1

      Nice try, but you need to think that through some more.

    3. Re:Exactly by vakuona · · Score: 1

      I have thought through it. For regular password changes to be effective, you have to change your password before the attacker has a reasonable chance of having cracked it, which would mean a fraction of the time it would take to brute force it. It would be silly to change it at a time when the attacker has, for example, a 1 in 3 chance of having found your password. So in effect, you are trying to make brute forcing about as effective as guessing, so you have to change the password frequently enough such that the attacker may as well be guessing them, rather than trying to brute force it. Now, I believe an attacker is going for the low hanging fruit. If it is going to take 2 years to brute force your password, the attacker is not even going to try.

    4. Re:Exactly by Vegemeister · · Score: 1

      Make your password one character longer instead. Then you get to keep your password 36 times as long!

  51. Never by pckl300 · · Score: 1

    Isn't that the whole point of a password? Instead of each user having to identify themselves by an arbitrary means on each login, the password provides a standardization of login protocol.

    --
    In the beginning, there was null.
  52. It could be worse by Anonymous Coward · · Score: 0

    At least things have improved from what they were like in Win2k days...

  53. password should be "pass phrase" by Anonymous Coward · · Score: 0

    "There once was a man from Nantucket..."

  54. How often should you change passwords? by itsdapead · · Score: 1

    The answer is, of course, dependent on the maximum time for which you can stonewall your Pointy Haired Boss before he orders you to tell him the root password or else.

    That's about how often.

    --
    In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
  55. Compare ... by PPH · · Score: 1

    ... the proposed password life time to the time required to crack it. For dictionary attacks, the crack time might be a matter of hours (depending on login policies which detect failed attempts). Keylogging attacks can compromise a password in seconds.

    So a system with poor security settings, no malware detection, etc. is pretty hopeless. Likewise, a user who doesn't pay attention to the "last login attempt 5 minutes ago from somewhere in Russia" message is screwed (unless they are actually in Russia).

    --
    Have gnu, will travel.
  56. Re:Answer: Never! by Myopic · · Score: 1

    dude, you use a dial-up modem? passwords are the least of your concerns.

  57. My voice is my password. by killmenow · · Score: 1

    Now if only I had Rich Little's talent.

    1. Re:My voice is my password. by Cro+Magnon · · Score: 1

      I have a cold. My current voice sounds nothing like my normal voice.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  58. I read your password reset requests. by VortexCortex · · Score: 1

    How often should you change your password?

    That depends on if you're trying to deny them access to their account, or trying to spy on what they're doing... oh, wait you mean the passwords I created, not the ones I've cracked... Pfft, screw "my" passwords, I'll just use yours instead.

  59. Re:Answer: Never! by UnknowingFool · · Score: 1

    Don't judge me! Excuse me while I send a text to my friends via smoke signal.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  60. L33T Passwords by alphastrike · · Score: 1

    Has anyone ever tried to use L33T as a way to create new passwords? You take words, add L33T to them and they become an amalgamation of letters, numbers and punctuation. It's easy to remember since they are words, and L33T is a relaxed enough system so everyone's L33T is not uniform. It's like a poor man's encryption system!

  61. Obligatory XKCD reference by agm · · Score: 1

    This is probably a bigger issue with all of the online services these days:

    http://xkcd.com/792/

  62. Better than stealing your house keys... by lullabud · · Score: 1

    They could photograph your house keys and create a duplicate key from the photo.

  63. Never. by Anonymous Coward · · Score: 0

    For systems, I've never found a need for more than the following:

    Root login only via console; no SSH.
    Key-based authentication for user SSH logins
    A decent password for sudo privileges.

    Banking? Oh, please. There's enough nonsense with my banks - numeric IDs, PINs, security phrases, little pictures to select, abnormal IP checking. All of which could be easily bypassed by a five minute conversation after an hour on hold.

    The rest? Because I really care if you h4x my Facebook account.
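The three system-side settings in the post above map onto sshd_config directives, and checking that a host actually has them set is a routine audit step. The block below is an added example for this page, not code from the poster or from OpenSSH; it parses a constructed sshd_config text and reports which of the three expectations it misses. The directive names (PermitRootLogin, PasswordAuthentication, PubkeyAuthentication) and sshd's first-value-wins rule are real; the sample configuration is made up for the example.

```python
"""Added example (not from the post): audit a constructed sshd_config text
for the three settings the post lists. The keywords are real sshd_config
directives; the sample file and the required values are this example's."""

# sshd uses the first value it reads for a keyword and ignores later
# duplicates, so the parser below keeps that first-match behaviour.
EXPECTED = {
    "permitrootlogin": "no",            # root only at the console, never via SSH
    "passwordauthentication": "no",     # user logins by key, not by password
    "pubkeyauthentication": "yes",
}

SAMPLE_CONFIG = """\
# constructed sample, not a real host's configuration
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
# the duplicate below is ignored by sshd: the first value above wins
PermitRootLogin no
"""


def parse_sshd_config(text: str) -> dict:
    """Map lowercased keyword -> first value seen, ignoring comments and blanks.
    Parsing stops at the first Match block, whose settings are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)     # first occurrence wins
    return settings


def audit(text: str) -> list:
    """Return (keyword, expected, actual) for every expectation not met.
    A keyword that is absent is reported too: the audit wants it set
    explicitly rather than relying on the compiled-in default."""
    settings = parse_sshd_config(text)
    findings = []
    for key, expected in EXPECTED.items():
        actual = settings.get(key, "<not set>")
        if actual.lower() != expected:
            findings.append((key, expected, actual))
    return findings


if __name__ == "__main__":
    for key, expected, actual in audit(SAMPLE_CONFIG):
        print(f"{key}: expected {expected}, found {actual}")
```

Pointing `audit` at a host's real file is a matter of reading `/etc/ssh/sshd_config` into `text`; the example keeps a constructed string so it runs offline. The Match-block cutoff is deliberate: settings inside a Match block apply only to the matching connections, so a global audit should not read them as global values.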

  64. The downsides by Caerdwyn · · Score: 1

    There are downsides to changing your passwords frequently, which should at least be considered along with the upsides. Specifically:

    1. You are more likely to forget your passwords, and if you do so on a critical service you might cause yourself a lot of inconvenience/financial loss (example: a stock you hold is in free-fall, you want to sell, you try to sell when it's at 20 but forgot your brokerage password, and by the time you recover the password it's at 15).
    2. More frequent password loss means more password recovery events, each of which is its own security risk (i.e. sending recovered or new passwords in cleartext, or personalized recovery URLs in cleartext)
    3. More visits to password-change pages, which means more windows of opportunity for keyloggers. While this is only a small incremental exposure (compared to actually using the password-protected accounts as you go about your daily business), password recovery pages often involve challenge/response steps which could be recorded, meaning the bad guy could then change your password using your "secret question" answers at their leisure a few months later. (Recovery "secret question" answers are almost as good as the passwords themselves in usefulness for compromising an account... when you change your passwords, do you also change your recovery question/answers? And can you remember them?)

    All that being said... yeah, passwords do have a shelf-life. I'd just warn against going overboard on frequency. Using password keychains mitigates a lot of that, but ties you to the keyring. Like so many issues in security, there's no perfect answer.

    --
    Everybody gets what the majority deserves.