But how serious is the problem? (comment on "Too Many Passwords"; Score: 2, Insightful)
What I'm wondering, in connection with the requirement by many companies that passwords be changed regularly, is this: is there any empirical evidence as to how much password hacking actually occurs, and whether this policy has any real effect? By "password hacking" I mean anything other than theft of the actual password files housed by the authenticating system.
Because unless someone has stolen your password from another source (like the authenticating system itself, in which case changing the password regularly has no effect), changing passwords just provides another opportunity for your password to be written down and then lost/stolen. The fact that most people write the password down somewhere in the vicinity of their computer makes this even worse.
And changing passwords can't prevent brute force attacks, which rely on running through multiple combinations automatically.
(By the way, anyone want to guess how unlikely it is that bad guys will try to figure out your password by determining your dog's name and your birthday, or whatever silly mnemonic device you've converted into a password? Bruce Schneier calls some bad terrorism response plans "movie plot" scenarios because they are responding to things that only occur in movies, not real life. Although the movie scene with someone breaking into someone's computer by reasoning out what the person would use as a password is ubiquitous, does this really happen?)
Finally, the other justification for this policy of having ever-changing passwords is that if someone does get access to your password, it will either be outdated already or will become outdated. But how many situations does this really cover -- and how much of a help is it if you are not scheduled to change your password until 2 months later (now, a password that changed every day or every minute would be a different story -- oh, wait, isn't that encryption?)? And even if it helps somewhat, does that outweigh the risk of having employees post their passwords next to their computer?
Know what these policies may really represent, at least in some instances? Businesses trying to make it appear that they are putting security into place, when it's really just a fig leaf.
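The following is an added example, not part of the comment above or of the linked article: a small Monte Carlo model of two of the poster's claims, that forced rotation cannot stop brute-force guessing, and that rotation only helps against a leaked password when the leak happens to fall shortly before the scheduled change. The password-space size, the guess budget, the 90-day cycle and the one-day attacker delay are all assumed parameters chosen to keep the simulation fast; none of them comes from the page.

```python
"""Added example, not part of the Slashdot comment: a Monte Carlo model of two
claims about forced password rotation.

Claim 1: rotation cannot stop brute-force (online guessing) attacks.
Claim 2: rotation only helps against a leaked password if the leak happens
         shortly before the scheduled change, which is rarely the case.

Parameters (password-space size, guess budget, a 90-day rotation cycle,
a one-day attacker delay) are assumptions chosen for speed and readability.
"""
import random


def guessing_success_rate(space_size, guesses, rotation_period=None,
                          trials=20000, seed=1):
    """Fraction of trials in which an attacker who tries `guesses` distinct
    candidates hits a target drawn uniformly from a space of `space_size`.

    With rotation_period=None the target is fixed for the whole attack.
    Otherwise the target is re-drawn every `rotation_period` guesses and the
    attacker simply keeps working through the candidate list (earlier misses
    no longer rule anything out, so the segments are independent).

    Because the target is uniform, the attacker's candidate order can be
    labelled 0, 1, 2, ... without loss of generality: a segment of r guesses
    hits iff the current target falls among the r labels it covers.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        if rotation_period is None:
            # One fixed target; `guesses` distinct candidates are tried.
            hits += rng.randrange(space_size) < guesses
            continue
        tried = 0
        while tried < guesses:
            segment = min(rotation_period, guesses - tried)
            # Fresh target for this rotation window; the attacker covers
            # `segment` distinct candidates before it changes again.
            if rng.randrange(space_size) < segment:
                hits += 1
                break
            tried += segment
    return hits / trials


def leaked_password_validity(period_days, attacker_delay_days,
                             trials=20000, seed=2):
    """Model a leak (sticky note, shoulder-surfing, phishing) occurring at a
    uniformly random moment within a rotation cycle of `period_days`.

    Returns (mean_days_remaining, fraction_still_valid): how long, on
    average, the leaked password stays valid, and how often it is still
    valid when the attacker first uses it `attacker_delay_days` later.
    """
    rng = random.Random(seed)
    remaining_total = 0.0
    still_valid = 0
    for _ in range(trials):
        remaining = period_days - rng.uniform(0, period_days)
        remaining_total += remaining
        still_valid += remaining > attacker_delay_days
    return remaining_total / trials, still_valid / trials


if __name__ == "__main__":
    N, K = 1000, 100  # assumed: 1000 candidates, attacker budget of 100 guesses
    fixed = guessing_success_rate(N, K)
    rotating = guessing_success_rate(N, K, rotation_period=10)
    print(f"guessing success, fixed password:   {fixed:.3f} (theory {K / N:.3f})")
    print(f"guessing success, rotate every 10:  {rotating:.3f} "
          f"(theory {1 - (1 - 10 / N) ** (K // 10):.3f})")

    mean_left, frac = leaked_password_validity(90, attacker_delay_days=1)
    print(f"90-day cycle: a leaked password stays valid {mean_left:.1f} more days "
          f"on average and is still usable one day after the leak "
          f"in {frac:.1%} of cases")
```

With a fixed target the attacker's hit rate after k guesses is k/N; re-drawing the target every r guesses changes that to 1 - (1 - r/N)^(k/r), which for r much smaller than N is almost the same number, so rotation buys essentially nothing against guessing. The leak model shows the other side of the argument: with a 90-day cycle a leaked password is good for 45 more days on average, and is still valid the next day in about 99% of cases.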