Slashdot Mirror
How Often Should You Change Your Password?
jhigh writes "Bruce Schneier asks the question, how often should you change your password? 'The primary reason to give an authentication credential — not just a password, but any authentication credential — an expiration date is to limit the amount of time a lost, stolen, or forged credential can be used by someone else. If a membership card expires after a year, then if someone steals that card he can at most get a year's worth of benefit out of it. After that, it's useless.' Another reason could be to limit the amount of time an attacker has to crack the password, but Bruce's analysis seems on target."
You can change your password as often as you like, but if you don't use a strong password then you're always going to be at risk of a brute force hack or be a victim of the 'over the shoulder' spy.
It depends on the user's preference, how secure the application is, and most importantly how secure the password is. A sufficiently strong password will have a minimum to how often it should be changed to protect from passwords being leaked (although this shouldn't be much of a problem either if passwords werent stored in plaintext or easy to decrypt ciphers).
All sounds pretty reasonable and pretty obvious. I wish someone would tell our security department. They force fourtnightly changes, with ten days warning of expitation. That means you either change more than once a week or have the expiration password pop up!
...lose the post-it note on the bottom of your keyboard that you wrote it on, of course.
He who knows best knows how little he knows. - Thomas Jefferson
Are you hiding something?
Space Cadet
If a membership card expires after a year, then if someone steals that card he can at most get a year's worth of benefit out of it. After that, it's useless."
Unless, you know, you log in and it prompts you to change the password. Now it's not only useful to the person who stole it, but useless to the person it actually belongs to.
I personally don't think password changes should be required unless there is a specific reason. Someone hacked your account? Change your password.
If you have passwords for a couple dozen systems (very easy) and each of them requires you to change your password every 3 months, you're going to start forgetting them. So you don't, you're going to start writing them down or storing them in some way. Or you're going to increment a number in your password, so it's still basically the same. Or you're going to use the same password for slashdot and faceboook.com (see that? it's a spoof site designed to steal passwords) and your bank account.
Whale
Another suggestion from the expert where millions of people will waste time, yet, nothing security wise will be improved.
So IOW since preventative measures are not adequate 100% of the time for 100% of users, screw it all?
I don't think so...
Interestingly enough, not one really tech-savvy person I know has complained of being hacked -- it's always the morons whose username is also their password, or who use "654321", or who insist on allowing the browser to remember their logins for them. For those people you're right, "what's the point?" -- for the rest of us though, such measures generally work pretty well.
Caveat Utilitor
That isn't always true at all.
If my goal is to use your GMail account for spam then yes, I will change the password. If my goal is to monitor your emails I most certainly will not change the password, and will just log in every day to read your correspondence.
Never use the same password in two places
Always use randomly generated password
Never same them to browser cookies
Never write them down so they can't be stolen
Is it just me or are security experts willingly trying to get us to just forget the twenty to thirty passwords we need to use on a weekly basis?
"Use it regularly, change it frequently, and don't share it with anyone!"
Encryption: I may not agree with what you say, but I will defend your right to encrypt it...
Maybe I'm missing something here, but what's the problem with allowing the browser to remember logins for you if you don't ever allow anyone else to use your computer? I'm reasonably sure the way my account was hacked was when I stupidly logged into it on someone else's computer.
Ah. Very good point. I hadn't considered the jealous girlfriend / boyfriend angle.
Passwords are so 1990. I realize that it requires a little extra work, but those RSA-type key fobs that have the little LCD that displays a new "passcode" every minute should be universal by now... I love those things.
Banks should issue them to everyone, employers should issue them to everyone...
C'mon this technology has been in active use for at least 15 years now...it should be cheap and everyone should use it.
Karma: Excellent. 15 moderator points expire sometime.
Bruce makes that same point in the full article, it just wasn't mentioned in the summary. ...yeah yeah, nobody RTFAs :(
Make people pick a strong password and then let them keep it. I mean, if it never exists outside somebody's head, it can't get lost or stolen. Forcing regular changes makes them likely to forget, or run out of ideas and choose weaker passwords. For example, I know someone who copes with the requirement to change regularly by cycling through the names and numbers of the players of his football team. This is fairly easily guessed at, and he wouldn't have to do it if he didn't have to keep changing his password.
Obviously I've no numbers to back it up, but I'd imagine security is breached far more often by finding passwords scribbled on Post-Its than by brute-forcing. I mean, that's really hard to do, and the rewards have to be well worth the effort, which they seldom are. So eliminate the need to write them down which so many people obviously feel.
Nobody knows my passwords but me. I've never written them down. I've never suffered any security compromises.
We've been going through this at work. The "security experts" came up with all kinds of assanine rules. Stuff like "don't show the length of the password as a user types", "don't reuse the same password on different systems", "don't write them down", "change them every 3 weeks", etc.
The problem is that none of these people have a bloody clue how ordinary users deal with this stuff. If you listen to security experts, you get bullshit that destroys usability and forces users to get ever more creative in bypassing the rules.
IMO no "security expert" should be allowed to come up with rules without a usability expert sitting behind them holding a taser.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
The browser can be hacked; most of them have been at one time or another. Any data stored in the browser can potentially be retrieved by a third party. Personally, I consider memorizing a few passwords and their variants to be effort well-invested,
That's one way it can happen.
Caveat Utilitor
Frankly, the answer is almost always "Never"
The human brain is not good at memorizing strings. I deal with well over 100 passwords a normal week. Assuming, generously, a 6 month timeout it would mean memorizing new passwords every few days. I have better things to do with my life. Much better things. As does the vast majority of users, which is why any company with short password timeout find that the passwords are either on post-it notes under the keyboards or a variation of "anna-December01".
If your system demands high security a passwords are not suitable anyway. You should be going for multi-factor authentication, not make the passwords longer or time out more often.
But, you might say, shouldn't changing passwords limit my exposure in an networked environment?
Well, there are a few alternatives. If you store your passwords in an insecure manner (postit under the keyboard, your secretary etc...) then you have allready lost. Anybody can grab your password when they need it. If you keep them secure (memorized), but worry about some server being hacked there are two allternatives: Either you have the same password everywhere, and then updating the password won't change anything, as the attacker will have your password the moment you update it. Or you have different passwords, and then it server where you updated it will still be compromized, but the rest still secure.
If you send your passwords in clear text over the network and worry about sniffing you don't care about the security.
In the end, passwords are simple security mechanisms for discuraging causual abuse of systems. Make sure they do not fall to a trivial brute-force attack and move on. If you need real security you will have to look beyond passwords anyway.
If my goal is to use your GMail account for spam then yes, I will change the password. If my goal is to monitor your emails I most certainly will not change the password, and will just log in every day to read your correspondence.
That's an excellent point. Unfortunately, even a regular change-of-password routine means that the malicious party gets a month, or three months, or six months, or what-have-you length of time following your account.
This is why I am annoyed that so few systems implement the simple precaution of displaying the last date, time, and location from which I (putatively) logged in. At negligible cost, that information would allow me to detect a compromised account at next login, rather than remaining unknowingly insecure until my next password change.
~Idarubicin
The point of changing your password is usually to protect against offline attacks. If it took an average of 6 months of computer time (on the computer that an attacker could reasonably be expected to use) to generate a password from the hash, then changing the password every 3 months means that you probably won't still be using the password by the time someone has cracked it. This is why encrypted protocols periodically renegotiate session keys - so they're not using one for long enough for an attacker to crack it.
These days, it doesn't make much sense. An attacker that cares enough will buy some time on a botnet to do the cracking. They can either crack the password in a reasonable amount of time, or they can't in hundreds of years. There aren't many cases where they can crack it in 6 months but can't crack it in 3, for example.
The other reason is to block people intercepting your communications. For example, if a competitor gets your email password, he won't change it, he'll just grab a copy of all of your mail and steal trade secrets. If you change the password periodically, he needs to keep stealing it.
I am TheRaven on Soylent News
If my goal is to use your GMail account for spam then yes, I will change the password. If my goal is to monitor your emails I most certainly will not change the password, and will just log in every day to read your correspondence.
That's an excellent point. Unfortunately, even a regular change-of-password routine means that the malicious party gets a month, or three months, or six months, or what-have-you length of time following your account.
This is why I am annoyed that so few systems implement the simple precaution of displaying the last date, time, and location from which I (putatively) logged in. At negligible cost, that information would allow me to detect a compromised account at next login, rather than remaining unknowingly insecure until my next password change.
Gmail displays this information in the footer of the page. However, you must be aware of this, and you have to know what it means, what your IP-address is, etc. I know this info exists, but I almost never look at it to be honest.
I give my clients a simple process to create 'strong' passwords out of normal words or phrases (preferably 10+ chars) that makes them easy to remember.
Yeah, and if your clients only have one password to ever remember, and didn't have to change it, that would solve the problem. I have fifty passwords, many of which have to be changed every three months. Do you give your clients a "simple process" to create two hundred passwords per year, and remember which one goes with which system?
By the way, the single most important thing you should do to make sure your clients are secure is to make sure that they don't use the same password to access different systems. If they re-use their password on an insecure phishing site, doesn't matter how "strong" it is with "10+ chars"; it might as well be 123456.
http://www.geoffreylandis.com
> Weak passwds rejected, mild passwds say 30 days, medium passwds 60-90 days, strong passwds 180-360 days, and impenetrable passwds should not require changing.
I like it. Might not be that easy to test for though.
> Impenetrable = >= 16 characters, mixed case, numerals, punctuation, and passing all dictionaries.
Personally I *hate* all that mixed character crap and only use lower-case characters, so I don't have to hit Shift or otherwise contort my fingers. Rather make it longer but a lot easier to type:
16 random characters from entire ASCII set (95) = 105 bits (you'd need 21 to reach 128-bit security)
16 random characters from lower-case letters (26) = 75 bits (you'd need 28 to reach 128-bit security)
Not that much of a difference. Even 75 bits would suffice for most applications.
More characters to type overall, but probably the best trade-off for entry speed, recall ability and security is the Diceware approach. 10 random words = 128+ bit.
Use KeePass anyway for the multitudes of Logins or even a simple: :set cryptmethod=blowfish )
vim -x my_passwords.txt
(
Speaking of which, I'm surprised nobody has posted the link to the relevant xkcd yet.
http://xkcd.com/792/
http://www.geoffreylandis.com
If you are at all worried about changing your password, then a password is not enough. Changing doesn't help, as soon as your password is compromised it needs to be changed. Multiple factors is a much better solution than changing passwords, which only provides a false sense of security at best.
"Of course my password is the same as my pet's name.
My dog's name was Q47pY!3$H9x, but I change it every 90 days."
I have in excess of 10 passwords just for work (and I'm not an admin, just an end-user, here).
Every one of those pieces of software has different rules and timeouts. Some have aging enabled, some don't. Some prohibit reuse, some don't.
I keep a spreadsheet with the rules for all of them (not the actual passwords; those I memorize), and change them en masse when the shortest-lived one nags me.
So the question is moot. It's not reasonable to believe that in our lifetimes we'll get all of the makers of various pieces of software to change the way they control passwords. Many of these software packages have designs that are ingrained in contracts. Not that the details of the password system are called-out in a contract, but changing anything about the software is a matter of reopening requirements specifications that were locked-down according to a process that is defined and referenced in a Software Development Plan that is released and signed and referenced in a contract. Times the thousand instances of the software at the software vendors' various customer sites. And it's not possible to make a companywide decision to turn off password aging or protection on some of the software, as it's built-in turned-on by the vendor to protect their licenses.
So the answer is, I need to change my passwords as often as the software insists. Not that I want to, or that it makes any sense, but that it's how it is, and I can change that no more than I can change the commute routes available to me.
Security experts will tell you that usability is a part of security. The harder it is to use a system, the more likely it is that people will make a mistake, and in the case of a security system that often means compromising security in some way.
Passwords as a secure authentication method are a really bad idea. Humans are pretty terrible at coming up with random passwords, and only marginally better at remembering a randomly generated string. It is easy to accidentally enter the one system's password when logging into another system (and if you are logging into a system run by someone like Mark Zuckerberg, this could get you in a lot of trouble). Cryptographic logins are a hell of a lot better, all that would be needed is a good way for people to carry crypto keys around with them (which is not asking much given how many different storage devices people usually carry around -- cell phones, thumb drives, cards, etc. -- any one of which could be used to store a key). Web browsers are already capable of supporting cryptographic logins, it should not take a terrible effort to enable web browsers to use crypto keys stored on some portable device.
Yes, I know, someone could steal your thumb drive and get all your credentials. Yet we rely on house keys to protect our homes, and someone could steal your house keys and enter your house (which would give them physical access to your computer). Users can use a passphrase to help protect their crypto keys from theft (this is somewhat better than just a password login since an attacker would need the keys before they could even attempt a brute force attack, and your passphrase would only need to thwart an adversary long enough for you to report the theft and revoke the stolen keys).
Palm trees and 8
But TFA did - he mentions how after breaking up with someone you shared a computer with you should change all of your passwords. Almost like Bruce Schneier has had experience with that...
Personally I *hate* all that mixed character crap and only use lower-case characters, so I don't have to hit Shift or otherwise contort my fingers.
And additionally, if you've trained yourself to be really good at remembering, say, lists of words, or have a good scheme for generating such lists in a repeatable fashion from some secret, and some application rejects your "flab nail sandwich under fixing splats time" password because it doesn't have a number in it, the chances of you writing down whatever awkward password you now have to remember and sticking it on your monitor are considerably increased.
Password systems should work with users to make it as easy as possible for them to create passwords which are hard to guess, but they find easy to recall. The only acceptable way to reject passwords as too weak is by running some entropy-assessment algorithm on them. That way the system can work just as well for string-of-words guy, and can-remember-things-like-e47%TeGGz1#~? man.
I think he got it and was asking for the tries per second on the hash, as in 10, 10000, etc.
The answer is: I don't know. But I can estimate it:
To go over the entire space of one single password with 8 characters by brute-force, considering 64 valid ASCII symbols (could be more, could be less, depending on the system) it should take 64^8, or 281,474,976,710,656.
It should be equivalent to a 48-bit key. For that password to be the equivalent to a 128-bit key, it should take some 22 characters in length.
Since not every password is at the end of the spectrum of the attacker's attempts, I suppose it would be safe to say that it would take half of that, in average. Or 140,737,488,355,328.
If the attacker is concentrating on only one single password, he'd need to be able to make some 27,148,425 attempts per second.
This guy seems to be able to make 1,400,000,000 of them with a PS3, so he'd take about 28 hours.
With a single PlayStation 3.
He says that PS3s are specifically good at that, so maybe that's the best bet. Except for clusters of PS3s.
So, an 8-character password in a system with 64 valid ASCII possible symbols would be the equivalent of a 48-bit key. To have the equivalent of a 128-bit key we'd need a 23-character password. I guess that's why they call it a passphrase...
In that case, the PS3 guy would take 3,853,672,525,287,862,210,347 years. A little extreme.
So how long should the password be in a system with a 2-month change policy to be safe at least from the PS3 guy?
Answer: a 54-bit key, or... 9 characters! Not that bad already...
In any case, as I said in the end of my first post, I don't get into the merit of the theory. I just question why the "specialists" always seem to analyze the question from unrelated perspectives such as "if you change your password every two months, then the maximum time an attacker will have to use the password (as in the attacker already has it from day 0) is 2 months" instead of "the maximum time an attacker will have to discover and use the password is 2 months".
You know, like the kind of analysis that I, non-specialist, just did.
http://dilbert.com/2010-12-13
It's not just jealous girlfriends/boyfriends. There's the potential for an attacker to glean personal information or account information on other services. If you get notifications from your bank, they now have some of your banking information. If you do your taxes through TurboTax or something and they email you a copy of your tax return, the attackers could get that too. They also know your friends' names and your family. If you ever send/receive login credentials for any accounts through email, they have those too.
So it's not hard to imagine that you would have an email in your account saying your bank is citibank and giving you some numbers of your bank account, some email with your SSN, and then an email from your mom which somehow includes her maiden name. For some banks, that's enough information to get access to your accounts.
Now I doubt that attackers are willing right now to expend the time and effort to read each of your emails individually, but I wouldn't put it past someone to get your email login, download every email you send or receive, and then use data-mining techniques to see what they can gather. Even something as simple as searching for the word "password" might net enough information to make it worthwhile.
If you want to monitor the correspondence without the person knowing you are doing so, changing the answer to the security question (not the question) will allow you to get it much more easily when they change it again, but not leave as much obvious evidence of tampering, Hypothetically of course.
Have you read the Moderator Guidelines yet?