Slashdot Mirror


Ask Slashdot: Changing Passwords For the New Year?

New submitter windcask asks "Every New Year's Day, I assemble and memorize a random collection of seven to ten mixed-case alphanumeric characters and proceed to change every password I have on the interwebs to these characters (plus a few extra characters unique to the site). The problem is I only change them on the sites I visit. Once in a while, I'll come across a site I haven't visited for a few years, and I may end up not being able to guess the password before the try-lockout takes effect. What are your password-changing rituals, and how do they deal with situations like mine? I do use Keepass for work, but it is sometimes impractical for times I'm at other computers."

11 of 339 comments

  1. Ahem by Anonymous Coward · Score: 5, Insightful

    What a good way to harvest guessing algorithms... Not giving you mine!

  2. Lastpass by Anonymous Coward · Score: 5, Interesting

    https://lastpass.com/

  3. http://xkcd.com/936/ by Anonymous Coward · Score: 5, Informative
  4. I don't by smash · Score: 5, Insightful

    I have sufficiently secure passwords that I see no benefit in changing just because.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  5. There is extremely little value in changing. by Above · Score: 5, Insightful

    If you look at all the possible attack vectors and scenarios, changing your passwords once a year changes your statistical chances of being hacked or losing data very little. The ROI is low enough I wouldn't recommend changing your passwords on a regular schedule.

    Picking good (as in hard to crack) passwords is more important. For random web properties, using different passwords for each, so that when one is compromised and caught storing passwords in plain text only one account is compromised, is key.

    However, that's all not what I want to talk about. This entire question is the result of a huge failure of the industry. Every web site uses a password. Every one has a different idea of what a "good" password is, meaning if you come up with one (or use a generator) it won't always be allowed. Google has taken a step forward with their two-factor options (via, say, a cell text) but that's not really a practical option for many small web sites.

    This is an excellent case for a PKI. Users should generate a public-private key pair, and provide the public key to the web site upon sign up. Extra authentication steps could be done at setup (web of trust a la PGP, known entities, a la X.509, callback texts, whatever). Users would sign a login blob with their private key to authenticate.

    Using the same key for many web sites is much less dangerous. Compromising the web sites, and all the public keys, gets the attacker approximately nothing. They can be stored in plain (unencrypted) format on the web server. The only attack is to get the user's private key, which can be encrypted on their machine behind passwords, biometrics, or whatever. Getting one user's private key gets you only one user; it's a low-value attack.

    What's needed is a standard format for this encrypted exchange, and then support by clients (from web browsers to ssh clients) and their corresponding server services. This is where the industry is letting us down.

    If the big 15-20 web properties could get together with the big 4 browsers and make this happen it would be huge leap forward.
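The sign-up, challenge, sign and verify exchange sketched in the comment above, written out as an added Go example; it is not part of the original post or of any product mentioned on the page. It uses Ed25519 from Go's standard library. The origin string, the "login-v1" blob layout, the user names and the 32-byte nonce size are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Site is the web property's side: one public key per user plus the nonce last
// issued to that user. Nothing in this struct needs to be kept secret.
type Site struct {
	origin     string                       // assumed, e.g. "https://example.test"; bound into every signed blob
	users      map[string]ed25519.PublicKey // public keys handed over at sign-up
	challenges map[string][]byte            // outstanding single-use nonces
}

func NewSite(origin string) *Site {
	return &Site{origin: origin, users: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register is the sign-up step: only the public half of the key pair is submitted.
func (s *Site) Register(user string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	s.users[user] = pub
	return nil
}

// Challenge issues a fresh random nonce. A signature captured in transit is
// useless afterwards because the site never accepts the same nonce twice.
func (s *Site) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// loginBlob is the message the client signs and the site verifies. Binding the
// origin into it stops a phishing site from relaying a signature to the real one.
func loginBlob(origin, user string, nonce []byte) []byte {
	var b bytes.Buffer
	b.WriteString("login-v1\x00" + origin + "\x00" + user + "\x00")
	b.Write(nonce)
	return b.Bytes()
}

// Login consumes the outstanding nonce (whether or not verification succeeds)
// and checks the signature against the stored public key.
func (s *Site) Login(user string, nonce, sig []byte) bool {
	pub, known := s.users[user]
	issued, pending := s.challenges[user]
	delete(s.challenges, user)
	if !known || !pending || !bytes.Equal(nonce, issued) {
		return false
	}
	return ed25519.Verify(pub, loginBlob(s.origin, user, nonce), sig)
}

// Client is the user's side; the private key never leaves it.
type Client struct{ priv ed25519.PrivateKey }

func NewClient() (*Client, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{priv: priv}, nil
}

func (c *Client) Public() ed25519.PublicKey { return c.priv.Public().(ed25519.PublicKey) }

// Answer signs the login blob for the origin the client believes it is talking to.
func (c *Client) Answer(origin, user string, nonce []byte) []byte {
	return ed25519.Sign(c.priv, loginBlob(origin, user, nonce))
}

func main() {
	site := NewSite("https://example.test")
	alice, err := NewClient()
	if err != nil {
		panic(err)
	}
	_ = site.Register("alice", alice.Public())
	nonce, _ := site.Challenge("alice")
	sig := alice.Answer("https://example.test", "alice", nonce)
	fmt.Println("fresh login accepted:", site.Login("alice", nonce, sig)) // true
	fmt.Println("replay accepted:", site.Login("alice", nonce, sig))      // false, nonce was consumed
}
```

The site-side table holds only public keys, which is the property the comment is after: dumping it gives an attacker nothing to crack. Two details the comment leaves implicit are made explicit here: a fresh single-use nonce per login, so a captured signature cannot be replayed, and the origin bound into the signed message, so a signature produced for a look-alike phishing origin does not verify at the real site. This challenge-and-sign shape is essentially what WebAuthn/FIDO2 later standardized for browsers.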

  6. Re:I do not use the same password for multiple sit by CapOblivious2010 · Score: 5, Insightful

    Far too many websites actually DO store the password (because they're idiots)

  7. Re:1Password by Anonymous Coward · Score: 5, Funny

    To whoever stole my account, please give it back.

  8. Re:I do not use the same password for multiple sit by icebike · Score: 5, Insightful

    That's exactly what I was thinking. For any site that matters, the most they can do is reset it for you, not tell you what it was. Most sites just don't matter. Other than your Karma, how much damage can be done when they hack your Slashdot password?

    But I gotta ask, Why bother changing every year?

    Changing a secure password offers no additional security. It's not like they wear out.

    If crooks haven't broken into the login during the course of the year, changing it may actually make it weaker.
    Those hovering over your shoulder to catch one key today and the next key tomorrow should be pretty obvious after a year, don't you think?
    The key loggers would have found you long before the year is up, and the timing routines can be outfoxed by simply typing with only one finger, a different finger each day.

    Most sites that force you to change do so more frequently than a year. And 99.44% of them end up having users simply adding ascending digits to the key, which becomes pretty easy to guess.

    --
    Sig Battery depleted. Reverting to safe mode.
  9. Re:Technique for security "questions" by DamnStupidElf · Score: 5, Funny

    My password files just look like this:
    user: damnstupidelf
    pass: glintprickjuliatrunkwouldexcelhymnallearhopbloat
    first girlfriend: razeblazetrudytdmoltnobitalysankassetzd
    high school: actsdrurybyrneavailprofit'llsjmeaddrawpave
    some_other_weakest_link_in_site_security_question: alleysandalohmichead60fendweighhamlinwillstout

    I sign up for site accounts using email addresses at random domains that will expire soon. No chance of plaintext password-reset emails being sent out and intercepted unless the site uses a non-SSL third party relay.

    The password files are symmetrically encrypted with a passphrase that isn't used anywhere else. Long diceware passphrases are immune to rainbow tables, dictionary and brute force attacks, and rubber hose cryptanalysis (I can't remember them), although some worthless sites limit the length of password form fields (shouldn't the site salt and hash passphrases to a fixed number of bits immediately, thus negating the need to limit the length? Yes.) and I have to revert to uuencoding 16 bytes from /dev/random.

    The password files are on an encrypted partition using an ephemeral key on a netbook and there's a generator for power outages longer than a couple hours. Alt-SysRq-B has been modified to wipe RAM before rebooting. I hooked up a USB heart monitor as an actual deadman switch to use when I sleep.

    NO ONE is getting my WoW forum credentials.

  10. Re:I do not use the same password for multiple sit by shokk · Score: 5, Informative

    XKCD on password security.
    http://xkcd.com/936/

    --
    "Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
  11. Re:Congratulations by shentino · Score: 5, Insightful

    I keep my passwords safe by not bragging about my selection strategies on slashdot.