How Often Should You Change Your Password?

jhigh writes "Bruce Schneier asks the question, how often should you change your password? 'The primary reason to give an authentication credential — not just a password, but any authentication credential — an expiration date is to limit the amount of time a lost, stolen, or forged credential can be used by someone else. If a membership card expires after a year, then if someone steals that card he can at most get a year's worth of benefit out of it. After that, it's useless.' Another reason could be to limit the amount of time an attacker has to crack the password, but Bruce's analysis seems on target."

To Change or Not To Change

[WrongSizeGlass]

You can change your password as often as you like, but if you don't use a strong password then you're always going to be at risk of a brute force hack or be a victim of the 'over the shoulder' spy.

Re:To Change or Not To Change

[Rob+the+Bold]

You can change your password as often as you like, but if you don't use a strong password then you're always going to be at risk of a brute force hack or be a victim of the 'over the shoulder' spy.

A brute force attack shouldn't be that much of a concern with a login password, assuming that the system limits how often and how many times the brute force attack can retry. And presumably, the system would notify the account holder or administrator (or both) as to the unusual number of failed attempts.

Now if you're trying to brute force an intercepted message, that would be different. You'd have as many attempts as you could afford to crack it and all the time in the world to do it. At least until the data contained in the message was no longer useful to know.

I suppose that a password that was "strong" in the sense of "hard to memorize quickly" would be helpful against the "over the shoulder" attack.

Re:To Change or Not To Change

[leuk_he]

Make the requirement to complicated and users will work arround it.
1 -Put it on a yellow memo under the keyboard (YES YOU!!!)
2 -Take a complicated password.... and add a increment before or after it everytime you have to change. (if you have a automated policy against this, see 1. )

PS.. greetings from mordoc the information preventer in 1998

Re:To Change or Not To Change

[HungryHobo]

"strong" is all about cracking hashed passwords.

a very common attack is where the attacker gets hold of the hashed passwords one way or another.

even a single *wierd* character can defeat that, learn a code for some unusual unicode character and include it and then you don't have to worry too much about that attack because the search space is massive.

any 8 character all lowercase can be cracked overnight.
8 character lowercase + numbers can be cracked in a reasonable time assuming people only use it weakly like only putting 1 number in at the end.

Example: passwor9

same thing with having an uppercase character but only as the first character in the password.

Example: Passwor9

using dictionary words in any language makes it trivial and reasonable assuming your only uppercase is at the start and only lowercase is at the end.

Example: Trustno1

these substitutions in the middle of a password also only add a small bit of strength, they're not worth much.
7 for T
0 for O
5 for S

Example: Tru57no1

Strength is all about how hard it is to crack when given a hash of it.

Re:To Change or Not To Change

[Lumpy]

Fail.

Most rainbow tables already have those commonwords written like that. just because you discovered L33t speek, does not mean the cracking tables are already set up to crack those.

Better soluton is 2 words with special characters.

Fred-Stinks87
2Fun4You!
This-IS_My&Password

work far better and cant be added to rainbow tables easily.

Paswords are stupid and easy to crack with tricks because nobody uses AFSDWER$fq34agfre as a password. PASS PHRASES are far stronger and super easy to remember. Use at least 2 words with special characters and you are already 800X better off that everyone else.

Re:To Change or Not To Change

[poetmatt]

you're correct that a lot of measures such as substituting letters for numbers don't do much.

if you want to make it more difficult, add length to a password along with the password. Gizmodo or some gawker site talked about this once and it's a great password concept.

Example password for everything : Anon4321

add to it the website you're on, so sdAnon4321 or slashdotAnon4321. or twitter becomes tAnon4321

etc. you can choose what your variable is for each website, so to speak, and it's still a simple concept for people since they keep remembering the same password.

That way you can apply that same concept if you rotate your passwords too and it would modify them all but keep the consistency.

Re:To Change or Not To Change

[.sig]

nobody uses AFSDWER$fq34agfre as a password

Great, now I've got to go change all my passwords...

Re:To Change or Not To Change

[HungryHobo]

many people can't type 8 characters with more than 50:50 accuracy without being able to see the output.

when i worked in student IT people thought I was really really good at fixing students problems with the wireless but the entire secret was that I simply made them check their password on the lab machines then type it slowly and carefully on their laptop.
They would have seen right through me if it gave more sensible errors when the password was wrong.

Asking many people to type a long sentence without being able to see it and without typos is a tall order.

Whenever you...

[digitaldc]

...lose the post-it note on the bottom of your keyboard that you wrote it on, of course.

Why Use a Password?

[NavyNasa]

Are you hiding something?

This isn't Sam's club

[qoncept]

If a membership card expires after a year, then if someone steals that card he can at most get a year's worth of benefit out of it. After that, it's useless."

Unless, you know, you log in and it prompts you to change the password. Now it's not only useful to the person who stole it, but useless to the person it actually belongs to.

I personally don't think password changes should be required unless there is a specific reason. Someone hacked your account? Change your password.

If you have passwords for a couple dozen systems (very easy) and each of them requires you to change your password every 3 months, you're going to start forgetting them. So you don't, you're going to start writing them down or storing them in some way. Or you're going to increment a number in your password, so it's still basically the same. Or you're going to use the same password for slashdot and faceboook.com (see that? it's a spoof site designed to steal passwords) and your bank account.

Re:All sounds pretty reasonable

[hedwards]

One of the very real problems out there is that it's more or less impossible to have strong passwords that are changed on a regular basis for everything. I've personally got nearly 500 log ins that I use from time to time and even just changing them once every few months takes a really long time.

Re:What's the point?

[zn0k]

That isn't always true at all.

If my goal is to use your GMail account for spam then yes, I will change the password. If my goal is to monitor your emails I most certainly will not change the password, and will just log in every day to read your correspondence.

Let's look at recommended password rules

[Drakkenmensch]

Never use the same password in two places

Always use randomly generated password

Never same them to browser cookies

Never write them down so they can't be stolen

Is it just me or are security experts willingly trying to get us to just forget the twenty to thirty passwords we need to use on a weekly basis?

Just like a toothbrush

[mrnick]

"Use it regularly, change it frequently, and don't share it with anyone!"

Re:What's the point?

[fieldstone]

Ah. Very good point. I hadn't considered the jealous girlfriend / boyfriend angle.

Those key fob things should be universal

[thomasdz]

Passwords are so 1990. I realize that it requires a little extra work, but those RSA-type key fobs that have the little LCD that displays a new "passcode" every minute should be universal by now... I love those things.
Banks should issue them to everyone, employers should issue them to everyone...
C'mon this technology has been in active use for at least 15 years now...it should be cheap and everyone should use it.

Re:Those key fob things should be universal

[swilver]

Yeah... I'd like to have 20 of those lying around instead of having 20 passwords...

"Security experts" know nothing about usability

[Tridus]

We've been going through this at work. The "security experts" came up with all kinds of assanine rules. Stuff like "don't show the length of the password as a user types", "don't reuse the same password on different systems", "don't write them down", "change them every 3 weeks", etc.

The problem is that none of these people have a bloody clue how ordinary users deal with this stuff. If you listen to security experts, you get bullshit that destroys usability and forces users to get ever more creative in bypassing the rules.

IMO no "security expert" should be allowed to come up with rules without a usability expert sitting behind them holding a taser.

Re:What's the point?

[clang_jangle]

Maybe I'm missing something here, but what's the problem with allowing the browser to remember logins for you if you don't ever allow anyone else to use your computer?

The browser can be hacked; most of them have been at one time or another. Any data stored in the browser can potentially be retrieved by a third party. Personally, I consider memorizing a few passwords and their variants to be effort well-invested,

I'm reasonably sure the way my account was hacked was when I stupidly logged into it on someone else's computer.

That's one way it can happen.

The answer

[pehrs]

Frankly, the answer is almost always "Never"

The human brain is not good at memorizing strings. I deal with well over 100 passwords a normal week. Assuming, generously, a 6 month timeout it would mean memorizing new passwords every few days. I have better things to do with my life. Much better things. As does the vast majority of users, which is why any company with short password timeout find that the passwords are either on post-it notes under the keyboards or a variation of "anna-December01".

If your system demands high security a passwords are not suitable anyway. You should be going for multi-factor authentication, not make the passwords longer or time out more often.

But, you might say, shouldn't changing passwords limit my exposure in an networked environment?

Well, there are a few alternatives. If you store your passwords in an insecure manner (postit under the keyboard, your secretary etc...) then you have allready lost. Anybody can grab your password when they need it. If you keep them secure (memorized), but worry about some server being hacked there are two allternatives: Either you have the same password everywhere, and then updating the password won't change anything, as the attacker will have your password the moment you update it. Or you have different passwords, and then it server where you updated it will still be compromized, but the rest still secure.

If you send your passwords in clear text over the network and worry about sniffing you don't care about the security.

In the end, passwords are simple security mechanisms for discuraging causual abuse of systems. Make sure they do not fall to a trivial brute-force attack and move on. If you need real security you will have to look beyond passwords anyway.

Re:What's the point?

[Idarubicin]

If my goal is to use your GMail account for spam then yes, I will change the password. If my goal is to monitor your emails I most certainly will not change the password, and will just log in every day to read your correspondence.

That's an excellent point. Unfortunately, even a regular change-of-password routine means that the malicious party gets a month, or three months, or six months, or what-have-you length of time following your account.

This is why I am annoyed that so few systems implement the simple precaution of displaying the last date, time, and location from which I (putatively) logged in. At negligible cost, that information would allow me to detect a compromised account at next login, rather than remaining unknowingly insecure until my next password change.

Re:What's the point?

[rvw]

If my goal is to use your GMail account for spam then yes, I will change the password. If my goal is to monitor your emails I most certainly will not change the password, and will just log in every day to read your correspondence.

That's an excellent point. Unfortunately, even a regular change-of-password routine means that the malicious party gets a month, or three months, or six months, or what-have-you length of time following your account.

This is why I am annoyed that so few systems implement the simple precaution of displaying the last date, time, and location from which I (putatively) logged in. At negligible cost, that information would allow me to detect a compromised account at next login, rather than remaining unknowingly insecure until my next password change.

Gmail displays this information in the footer of the page. However, you must be aware of this, and you have to know what it means, what your IP-address is, etc. I know this info exists, but I almost never look at it to be honest.

Re:Strength-based passwd aging

[muckracer]

> Weak passwds rejected, mild passwds say 30 days, medium passwds 60-90 days, strong passwds 180-360 days, and impenetrable passwds should not require changing.

I like it. Might not be that easy to test for though.

> Impenetrable = >= 16 characters, mixed case, numerals, punctuation, and passing all dictionaries.

Personally I *hate* all that mixed character crap and only use lower-case characters, so I don't have to hit Shift or otherwise contort my fingers. Rather make it longer but a lot easier to type:

16 random characters from entire ASCII set (95) = 105 bits (you'd need 21 to reach 128-bit security)
16 random characters from lower-case letters (26) = 75 bits (you'd need 28 to reach 128-bit security)

Not that much of a difference. Even 75 bits would suffice for most applications.

More characters to type overall, but probably the best trade-off for entry speed, recall ability and security is the Diceware approach. 10 random words = 128+ bit.

Use KeePass anyway for the multitudes of Logins or even a simple:
vim -x my_passwords.txt
( :set cryptmethod=blowfish )

Obligatory XKCD [Re:Hundreds of passwords...]

[Geoffrey.landis]

Speaking of which, I'm surprised nobody has posted the link to the relevant xkcd yet.

http://xkcd.com/792/

Usability is part of security

[betterunixthanunix]

Security experts will tell you that usability is a part of security. The harder it is to use a system, the more likely it is that people will make a mistake, and in the case of a security system that often means compromising security in some way.

Passwords as a secure authentication method are a really bad idea. Humans are pretty terrible at coming up with random passwords, and only marginally better at remembering a randomly generated string. It is easy to accidentally enter the one system's password when logging into another system (and if you are logging into a system run by someone like Mark Zuckerberg, this could get you in a lot of trouble). Cryptographic logins are a hell of a lot better, all that would be needed is a good way for people to carry crypto keys around with them (which is not asking much given how many different storage devices people usually carry around -- cell phones, thumb drives, cards, etc. -- any one of which could be used to store a key). Web browsers are already capable of supporting cryptographic logins, it should not take a terrible effort to enable web browsers to use crypto keys stored on some portable device.

Yes, I know, someone could steal your thumb drive and get all your credentials. Yet we rely on house keys to protect our homes, and someone could steal your house keys and enter your house (which would give them physical access to your computer). Users can use a passphrase to help protect their crypto keys from theft (this is somewhat better than just a password login since an attacker would need the keys before they could even attempt a brute force attack, and your passphrase would only need to thwart an adversary long enough for you to report the theft and revoke the stolen keys).

Re:All sounds pretty reasonable

[TheCarp]

That is usually what I notice about Schneier. He doesn't really say much that is revolutionary. He pretty much just gives a level headed, common sense, appraisal of the situation. The thing is, what he does sounds absolutely revolutionary against the backdrop of all the people who are fear mongers or design their systems around articles and papers without taking into account their own situation.

The problem with security is, it always lends itself to imagination. We could sit down, all day, with nearly any complex situation, and dream up attack vectors, scenarios, etc. Since we can imagine all these things, it seems reasonable to devise protection against them. What is less obvious is, that guessing which vector someone will use, and then securing against it, is a never ending game with never ending costs. It isn't useful to spend top dollar to get locks that are hard to pick when an attacker is just going to smash in your window.

Of course, then you can bar the windows... install heavy duty doors, special locks, cameras, point to point wireless links to move security video off site.... but... if it worth it if all that security equipment costs as much as all the valuables that you wish to protect? What if you live in a place where there hasn't even been a B&E in the past several years?

Security is risk management. If you are not taking your situation, and especially which scenarios are the most likely, then you are not really managing risk. If your only purpose is to look like you are managing risk, then it is really better to call what you are doing "entertainment".

-Steve

Re:What's the point?

[moderatorrater]

But TFA did - he mentions how after breaking up with someone you shared a computer with you should change all of your passwords. Almost like Bruce Schneier has had experience with that...

Re:Strength-based passwd aging

[LainTouko]

Personally I *hate* all that mixed character crap and only use lower-case characters, so I don't have to hit Shift or otherwise contort my fingers.

And additionally, if you've trained yourself to be really good at remembering, say, lists of words, or have a good scheme for generating such lists in a repeatable fashion from some secret, and some application rejects your "flab nail sandwich under fixing splats time" password because it doesn't have a number in it, the chances of you writing down whatever awkward password you now have to remember and sticking it on your monitor are considerably increased.

Password systems should work with users to make it as easy as possible for them to create passwords which are hard to guess, but they find easy to recall. The only acceptable way to reject passwords as too weak is by running some entropy-assessment algorithm on them. That way the system can work just as well for string-of-words guy, and can-remember-things-like-e47%TeGGz1#~? man.

Re:What's the point?

[xiaix]

If you want to monitor the correspondence without the person knowing you are doing so, changing the answer to the security question (not the question) will allow you to get it much more easily when they change it again, but not leave as much obvious evidence of tampering, Hypothetically of course.