Slashdot Mirror


How Often Should You Change Your Password?

jhigh writes "Bruce Schneier asks the question, how often should you change your password? 'The primary reason to give an authentication credential — not just a password, but any authentication credential — an expiration date is to limit the amount of time a lost, stolen, or forged credential can be used by someone else. If a membership card expires after a year, then if someone steals that card he can at most get a year's worth of benefit out of it. After that, it's useless.' Another reason could be to limit the amount of time an attacker has to crack the password, but Bruce's analysis seems on target."

4 of 233 comments (clear)

  1. Re:To Change or Not To Change by Rob+the+Bold · · Score: 4, Interesting

    You can change your password as often as you like, but if you don't use a strong password then you're always going to be at risk of a brute force hack or be a victim of the 'over the shoulder' spy.

    A brute force attack shouldn't be that much of a concern with a login password, assuming that the system limits how often and how many times the brute force attack can retry. And presumably, the system would notify the account holder or administrator (or both) as to the unusual number of failed attempts.

    Now if you're trying to brute force an intercepted message, that would be different. You'd have as many attempts as you could afford to crack it and all the time in the world to do it. At least until the data contained in the message was no longer useful to know.

    I suppose that a password that was "strong" in the sense of "hard to memorize quickly" would be helpful against the "over the shoulder" attack.

    --
    I am not a crackpot.
  2. Let's look at recommended password rules by Drakkenmensch · · Score: 4, Interesting

    Never use the same password in two places

    Always use randomly generated password

    Never same them to browser cookies

    Never write them down so they can't be stolen

    Is it just me or are security experts willingly trying to get us to just forget the twenty to thirty passwords we need to use on a weekly basis?

  3. Re:Strength-based passwd aging by muckracer · · Score: 4, Interesting

    > Weak passwds rejected, mild passwds say 30 days, medium passwds 60-90 days, strong passwds 180-360 days, and impenetrable passwds should not require changing.

    I like it. Might not be that easy to test for though.

    > Impenetrable = >= 16 characters, mixed case, numerals, punctuation, and passing all dictionaries.

    Personally I *hate* all that mixed character crap and only use lower-case characters, so I don't have to hit Shift or otherwise contort my fingers. Rather make it longer but a lot easier to type:

    16 random characters from entire ASCII set (95) = 105 bits (you'd need 21 to reach 128-bit security)
    16 random characters from lower-case letters (26) = 75 bits (you'd need 28 to reach 128-bit security)

    Not that much of a difference. Even 75 bits would suffice for most applications.

    More characters to type overall, but probably the best trade-off for entry speed, recall ability and security is the Diceware approach. 10 random words = 128+ bit.

    Use KeePass anyway for the multitudes of Logins or even a simple:
    vim -x my_passwords.txt
    ( :set cryptmethod=blowfish )

  4. Re:To Change or Not To Change by HungryHobo · · Score: 4, Interesting

    many people can't type 8 characters with more than 50:50 accuracy without being able to see the output.

    when i worked in student IT people thought I was really really good at fixing students problems with the wireless but the entire secret was that I simply made them check their password on the lab machines then type it slowly and carefully on their laptop.
    They would have seen right through me if it gave more sensible errors when the password was wrong.

    Asking many people to type a long sentence without being able to see it and without typos is a tall order.