Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Often Should You Change Your Password?

Posted by CmdrTaco on from the every-eight-seconds dept.

jhigh writes "Bruce Schneier asks the question, how often should you change your password? 'The primary reason to give an authentication credential — not just a password, but any authentication credential — an expiration date is to limit the amount of time a lost, stolen, or forged credential can be used by someone else. If a membership card expires after a year, then if someone steals that card he can at most get a year's worth of benefit out of it. After that, it's useless.' Another reason could be to limit the amount of time an attacker has to crack the password, but Bruce's analysis seems on target."

3 of 233 comments (clear)

  1. Whenever you... by digitaldc · · Score: 5, Funny

    ...lose the post-it note on the bottom of your keyboard that you wrote it on, of course.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  2. "Security experts" know nothing about usability by Tridus · · Score: 5, Insightful

    We've been going through this at work. The "security experts" came up with all kinds of assanine rules. Stuff like "don't show the length of the password as a user types", "don't reuse the same password on different systems", "don't write them down", "change them every 3 weeks", etc.

    The problem is that none of these people have a bloody clue how ordinary users deal with this stuff. If you listen to security experts, you get bullshit that destroys usability and forces users to get ever more creative in bypassing the rules.

    IMO no "security expert" should be allowed to come up with rules without a usability expert sitting behind them holding a taser.

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
  3. Re:All sounds pretty reasonable by TheCarp · · Score: 5, Insightful

    That is usually what I notice about Schneier. He doesn't really say much that is revolutionary. He pretty much just gives a level headed, common sense, appraisal of the situation. The thing is, what he does sounds absolutely revolutionary against the backdrop of all the people who are fear mongers or design their systems around articles and papers without taking into account their own situation.

    The problem with security is, it always lends itself to imagination. We could sit down, all day, with nearly any complex situation, and dream up attack vectors, scenarios, etc. Since we can imagine all these things, it seems reasonable to devise protection against them. What is less obvious is, that guessing which vector someone will use, and then securing against it, is a never ending game with never ending costs. It isn't useful to spend top dollar to get locks that are hard to pick when an attacker is just going to smash in your window.

    Of course, then you can bar the windows... install heavy duty doors, special locks, cameras, point to point wireless links to move security video off site.... but... if it worth it if all that security equipment costs as much as all the valuables that you wish to protect? What if you live in a place where there hasn't even been a B&E in the past several years?

    Security is risk management. If you are not taking your situation, and especially which scenarios are the most likely, then you are not really managing risk. If your only purpose is to look like you are managing risk, then it is really better to call what you are doing "entertainment".

    -Steve

    --
    "I opened my eyes, and everything went dark again"