How Often Should You Change Your Password?
jhigh writes "Bruce Schneier asks the question, how often should you change your password? 'The primary reason to give an authentication credential — not just a password, but any authentication credential — an expiration date is to limit the amount of time a lost, stolen, or forged credential can be used by someone else. If a membership card expires after a year, then if someone steals that card he can at most get a year's worth of benefit out of it. After that, it's useless.' Another reason could be to limit the amount of time an attacker has to crack the password, but Bruce's analysis seems on target."
Bruce makes that same point in the full article, it just wasn't mentioned in the summary. ...yeah yeah, nobody RTFAs :(
The browser can be hacked; most of them have been at one time or another. Any data stored in the browser can potentially be retrieved by a third party. Personally, I consider memorizing a few passwords and their variants to be effort well-invested,
That's one way it can happen.
Caveat Utilitor
If my goal is to use your GMail account for spam then yes, I will change the password. If my goal is to monitor your emails I most certainly will not change the password, and will just log in every day to read your correspondence.
That's an excellent point. Unfortunately, even a regular change-of-password routine means that the malicious party gets a month, or three months, or six months, or what-have-you length of time following your account.
This is why I am annoyed that so few systems implement the simple precaution of displaying the last date, time, and location from which I (putatively) logged in. At negligible cost, that information would allow me to detect a compromised account at next login, rather than remaining unknowingly insecure until my next password change.
Gmail displays this information in the footer of the page. However, you must be aware of this, and you have to know what it means, what your IP-address is, etc. I know this info exists, but I almost never look at it to be honest.
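The "show me my last login" precaution discussed in the two comments above, as an added example that is not part of the thread or of any real product: a small tracker that keeps the most recent successful login per user and, on the next login, returns the previous time, address and coarse location so the user can spot a stranger. The class and function names are hypothetical, the location string is assumed to come from some GeoIP lookup the example does not implement, and timestamps are assumed to be UTC.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional


@dataclass
class LoginEvent:
    when: datetime      # assumed UTC
    ip: str
    location: str       # coarse geolocation, assumed to come from a GeoIP lookup


class LoginTracker:
    """Keeps the most recent successful login per user (hypothetical helper)."""

    def __init__(self) -> None:
        self._last: Dict[str, LoginEvent] = {}

    def record_login(self, user: str, event: LoginEvent) -> Optional[LoginEvent]:
        """Store this login and hand back the previous one, if any."""
        previous = self._last.get(user)
        self._last[user] = event
        return previous

    @staticmethod
    def notice(previous: Optional[LoginEvent], current: LoginEvent) -> str:
        """The text shown to the user right after a successful login."""
        if previous is None:
            return "No previous login on record."
        msg = (f"Last login: {previous.when:%Y-%m-%d %H:%M} UTC "
               f"from {previous.ip} ({previous.location}).")
        # A changed location is not proof of compromise, but it is the cheap
        # signal the comment above asks for; the user decides whether it was them.
        if previous.location != current.location:
            msg += (" Location differs from this login; if that wasn't you, "
                    "change your password now.")
        return msg


def login(tracker: LoginTracker, user: str, ip: str, location: str,
          when_iso: str) -> str:
    """Simulate one successful login and return the notice for the user."""
    current = LoginEvent(datetime.fromisoformat(when_iso), ip, location)
    previous = tracker.record_login(user, current)
    return tracker.notice(previous, current)


if __name__ == "__main__":
    # Constructed sample logins (documentation-reserved addresses, made-up times).
    t = LoginTracker()
    print(login(t, "alice", "198.51.100.7", "Berlin, DE", "2010-11-12T08:00"))
    print(login(t, "alice", "203.0.113.9", "Lagos, NG", "2010-11-13T02:30"))
```

The point of the design is that the notice is computed from state the server already has (the last successful authentication), so the cost is a dictionary entry per user; the detection itself still depends on the user actually reading the line, which is the weakness the reply above describes.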
But TFA did - he mentions how after breaking up with someone you shared a computer with you should change all of your passwords. Almost like Bruce Schneier has had experience with that...
A very common attack is where the attacker gets hold of the hashed passwords one way or another.
A system shouldn't make this easily available. The password file really should be hard to get. Besides giving you the hashed passwords, it also gives you a list of valid user names. Having to guess both the user names and the passwords makes breaking into a system much harder.
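Why a leaked password file matters so much, as an added example that is not part of the thread: a constructed "hash file" cracked offline against a tiny wordlist. With an unsalted fast hash, one hash computation per candidate is compared against every user at once, and the file's keys hand the attacker the list of valid user names for free; with a per-user salt and a slow KDF (PBKDF2 here), every user/candidate pair costs a full KDF run, which is what buys the defender the time that a password-expiry policy is supposed to cap. The usernames, passwords, salts and wordlist are all invented for the example.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed wordlist; a real attack would use millions of entries.
WORDLIST: List[str] = ["password", "letmein", "123456", "hunter2", "correcthorse"]

ITERATIONS = 50_000   # PBKDF2 work factor for the slow scheme (example value)


def fast_hash(pw: str) -> str:
    """Unsalted single SHA-256: the weak scheme."""
    return hashlib.sha256(pw.encode()).hexdigest()


def slow_hash(pw: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256: the stronger scheme."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex()


# Constructed leaked files. Note that both expose the user names directly.
LEAKED_FAST: Dict[str, str] = {
    "alice": fast_hash("letmein"),
    "bob": fast_hash("s3cret-and-long"),      # not in the wordlist: survives
}

_SALT_ALICE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
_SALT_BOB = bytes.fromhex("ffeeddccbbaa99887766554433221100")
LEAKED_SLOW: Dict[str, Tuple[bytes, str]] = {
    "alice": (_SALT_ALICE, slow_hash("letmein", _SALT_ALICE)),
    "bob": (_SALT_BOB, slow_hash("s3cret-and-long", _SALT_BOB)),
}


def usernames(leaked: dict) -> List[str]:
    """The free by-product of any leaked password file."""
    return sorted(leaked)


def crack_fast(leaked: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Build a hash->word table once, then look every user up in it.
    Returns (recovered passwords, number of hash computations)."""
    table = {fast_hash(w): w for w in wordlist}
    found = {user: table[h] for user, h in leaked.items() if h in table}
    return found, len(wordlist)


def crack_slow(leaked: Dict[str, Tuple[bytes, str]], wordlist: List[str],
               iterations: int = ITERATIONS) -> Tuple[Dict[str, str], int]:
    """Salts defeat the shared table: each (user, candidate) pair is a full KDF run.
    Returns (recovered passwords, number of KDF computations)."""
    found: Dict[str, str] = {}
    computations = 0
    for user, (salt, stored) in leaked.items():
        for w in wordlist:
            computations += 1
            if hmac.compare_digest(slow_hash(w, salt, iterations), stored):
                found[user] = w
                break
    return found, computations


if __name__ == "__main__":
    print("valid user names:", usernames(LEAKED_FAST))
    print("fast scheme:", crack_fast(LEAKED_FAST, WORDLIST))
    print("slow scheme:", crack_slow(LEAKED_SLOW, WORDLIST))
```

Both schemes give up "alice" to this wordlist; the difference is the number and cost of the computations needed to get there, which scales with the number of users times the wordlist for the salted scheme and with the wordlist alone for the unsalted one. Either way the attacker also learns every valid user name, which is the second point the comment makes.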
Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.