How Often Should You Change Your Password?
jhigh writes "Bruce Schneier asks the question, how often should you change your password? 'The primary reason to give an authentication credential — not just a password, but any authentication credential — an expiration date is to limit the amount of time a lost, stolen, or forged credential can be used by someone else. If a membership card expires after a year, then if someone steals that card he can at most get a year's worth of benefit out of it. After that, it's useless.' Another reason could be to limit the amount of time an attacker has to crack the password, but Bruce's analysis seems on target."
You can change your password as often as you like, but if you don't use a strong password then you're always going to be at risk of a brute force hack or be a victim of the 'over the shoulder' spy.
A brute force attack shouldn't be that much of a concern with a login password, assuming that the system limits how often and how many times the brute force attack can retry. And presumably, the system would notify the account holder or administrator (or both) as to the unusual number of failed attempts.
Now if you're trying to brute force an intercepted message, that would be different. You'd have as many attempts as you could afford to crack it and all the time in the world to do it. At least until the data contained in the message was no longer useful to know.
I suppose that a password that was "strong" in the sense of "hard to memorize quickly" would be helpful against the "over the shoulder" attack.
I am not a crackpot.
Never use the same password in two places
Always use randomly generated password
Never save them to browser cookies
Never write them down so they can't be stolen
Is it just me or are security experts willingly trying to get us to just forget the twenty to thirty passwords we need to use on a weekly basis?
"strong" is all about cracking hashed passwords.
a very common attack is where the attacker gets hold of the hashed passwords one way or another.
even a single *weird* character can defeat that, learn a code for some unusual unicode character and include it and then you don't have to worry too much about that attack because the search space is massive.
any 8 character all lowercase can be cracked overnight.
8 character lowercase + numbers can be cracked in a reasonable time assuming people only use it weakly like only putting 1 number in at the end.
Example: passwor9
same thing with having an uppercase character but only as the first character in the password.
Example: Passwor9
using dictionary words in any language makes it trivial and reasonable assuming your only uppercase is at the start and only lowercase is at the end.
Example: Trustno1
these substitutions in the middle of a password also only add a small bit of strength, they're not worth much.
7 for T
0 for O
5 for S
Example: Tru57no1
Strength is all about how hard it is to crack when given a hash of it.
Fail.
Most rainbow tables already have those common words written like that. Just because you discovered l33t speak does not mean the cracking tables are already set up to crack those.
Better solution is 2 words with special characters.
Fred-Stinks87
2Fun4You!
This-IS_My&Password
work far better and can't be added to rainbow tables easily.
Passwords are stupid and easy to crack with tricks because nobody uses AFSDWER$fq34agfre as a password. PASS PHRASES are far stronger and super easy to remember. Use at least 2 words with special characters and you are already 800X better off than everyone else.
Do not look at laser with remaining good eye.
> Weak passwds rejected, mild passwds say 30 days, medium passwds 60-90 days, strong passwds 180-360 days, and impenetrable passwds should not require changing.
I like it. Might not be that easy to test for though.
> Impenetrable = >= 16 characters, mixed case, numerals, punctuation, and passing all dictionaries.
Personally I *hate* all that mixed character crap and only use lower-case characters, so I don't have to hit Shift or otherwise contort my fingers. Rather make it longer but a lot easier to type:
16 random characters from entire ASCII set (95) = 105 bits (you'd need 21 to reach 128-bit security)
16 random characters from lower-case letters (26) = 75 bits (you'd need 28 to reach 128-bit security)
Not that much of a difference. Even 75 bits would suffice for most applications.
More characters to type overall, but probably the best trade-off for entry speed, recall ability and security is the Diceware approach. 10 random words = 128+ bit.
Use KeePass anyway for the multitudes of logins, or even a simple: vim -x my_passwords.txt (:set cryptmethod=blowfish)
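Added example, not code from any poster in this thread: the entropy arithmetic behind the 105-bit and 75-bit figures and the Diceware count in the post above, a mask calculator for patterned passwords such as the "passwor9" shape from the earlier post, and the tiered expiry schedule quoted at the top of this post. The bit thresholds for each tier are my assumption, since the quoted policy never defines "mild", "medium" or "strong" in bits.

```python
import math

# Alphabet sizes: printable ASCII (95) and lower-case letters (26) as in the
# post, plus the standard 7776-entry (6^5) Diceware word list.
DICEWARE_WORDS = 7776

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly at random from an alphabet."""
    return length * math.log2(alphabet_size)

def symbols_needed(alphabet_size: int, target_bits: float = 128.0) -> int:
    """Smallest length whose entropy reaches target_bits (exact, not rounded)."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def diceware_bits(words: int) -> float:
    """Entropy of a passphrase of `words` uniformly chosen Diceware words."""
    return entropy_bits(DICEWARE_WORDS, words)

# Mask letters: l = lower-case, u = upper-case, d = digit, a = any printable ASCII.
MASK_SIZES = {"l": 26, "u": 26, "d": 10, "a": 95}

def mask_bits(mask: str) -> float:
    """Search space (in bits) when the password follows a known shape, e.g.
    'llllllld' = seven lower-case letters then one digit ('passwor9')."""
    return sum(math.log2(MASK_SIZES[c]) for c in mask)

def rotation_policy(bits: float) -> str:
    """Tiered expiry in the spirit of the quoted policy; thresholds assumed."""
    if bits < 40:
        return "rejected"
    if bits < 60:
        return "30 days"
    if bits < 80:
        return "60-90 days"
    if bits < 128:
        return "180-360 days"
    return "no expiry"

if __name__ == "__main__":
    for name, size in (("printable ASCII", 95), ("lower-case", 26)):
        print(f"16 random {name}: {entropy_bits(size, 16):.0f} bits; "
              f"{symbols_needed(size)} needed for 128-bit")
    print(f"10 Diceware words: {diceware_bits(10):.0f} bits")
    shape = mask_bits("llllllld")
    print(f"'passwor9' shape: {shape:.1f} bits -> {rotation_policy(shape)}")
```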
you're correct that a lot of measures such as substituting letters for numbers don't do much.
if you want to make it more difficult, add length to a password along with the password. Gizmodo or some gawker site talked about this once and it's a great password concept.
Example password for everything : Anon4321
add to it the website you're on, so sdAnon4321 or slashdotAnon4321. or twitter becomes tAnon4321
etc. you can choose what your variable is for each website, so to speak, and it's still a simple concept for people since they keep remembering the same password.
That way you can apply that same concept if you rotate your passwords too and it would modify them all but keep the consistency.
Many people can't type 8 characters with more than 50:50 accuracy without being able to see the output.
When I worked in student IT people thought I was really really good at fixing students' problems with the wireless, but the entire secret was that I simply made them check their password on the lab machines, then type it slowly and carefully on their laptop.
They would have seen right through me if it gave more sensible errors when the password was wrong.
Asking many people to type a long sentence without being able to see it and without typos is a tall order.
If you want to monitor the correspondence without the person knowing you are doing so, changing the answer to the security question (not the question) will allow you to get it much more easily when they change it again, but not leave as much obvious evidence of tampering, hypothetically of course.