Changing passwords periodically is the conventional wisdom. I question it, and then discuss how a periodic password change can even happen reliably.
I read many articles, including on Ask Leo!, that recommend you should change your passwords from time to time. But what is good practice in this respect? Should it be related to frequency of use? For instance, some passwords are used frequently, some less often and some rarely. Or should it be related to the level of security needed? For instance, passwords for online banking are more sensitive than passwords for magazine subscriptions.
Good practice in a corporate environment seems to be to force network and other password changes every 30 days or so. However, this would seem to be overkill in the home environment as it could result in some accounts being accessed more often to change a password than to do anything else.
The problem is that, unless you get into a good routine, much like doing data backups, password changes will only get done sporadically, if at all.
Do you have a view on how to build such a good routine?
As you say, routines for things like this are difficult to set up, and if not automated, are easily forgotten. Automation may be the answer in many cases, but it's not always available - at least not in a convenient form.
But before we even get to that I want to talk about that "change your password periodically" rule of thumb. I think I'm about to change my mind on it.
Conventional wisdom is that you should change your password every so often.
When I sat down to think about why, I couldn't come up with a good reason.
There's nothing, really, about the age of a password that makes it necessarily lose its quality over time.
The vast majority of password-based hacks are due to weak passwords, sharing passwords when you shouldn't, and technology-based compromises like viruses or keyloggers. They get your password right now, without regard to its age. Whether you changed it yesterday or last year these compromises simply get your current password.
And, as I said, these are probably the most common forms of password theft.
Periodically changing your password can add a small layer of security against some less common threats: someone stealing an old database of accounts and passwords, perhaps, or finding your notebook from last year where you'd scribbled your passwords down. I'm not really making fun; these kinds of things can and occasionally do happen, just not nearly as often as the more common compromises above.
So my thinking on the priority of things you can do to keep your account safe with respect to your password would be:
Choose a good password. If I had to guess I'd say that password guessing leads to more compromises than anything else.
Tell no one. This is something that surprised me after starting Ask Leo! - people that shouldn't share passwords frequently do share passwords. Then they're surprised when their friend is no longer their friend or their spouse is no longer their spouse and suddenly their email, Facebook or other account is compromised.
Don't write it down. Yes, make it a good password, but make it something that you can remember so that you don't have to write it down.
Remember that changing your password is not enough if your account gets compromised.
Change your password once in a while.
And I'll admit it here publicly: I use about 5 type-in passwords (along with some completely obscure passwords that I never type - like 'ir8zD16vBdtqr5L' - which are remembered only by RoboForm). The oldest and 'least secure' password I actually type in is at least 15 years old. The newest and most secure, perhaps only 2. Years. And yes, it's about time for me to dream up a new "most secure" password, and start the slow process of transition as I have time.
So, how to automate it?
The only blanket approach I can think of is to simply set a reminder in your calendar, and do it. Problem is that changing your password on all your accounts (I have something like 350 in RoboForm alone) just isn't practical, and as a result - we skip it.
Using technology is the other approach, and there are systems - including Windows itself - that can be configured to require that you change your password according to a set schedule. The problem here is that, by far, most password-requiring systems don't include this type of functionality. The major free email providers, for example, do not.
So I don't really have a good solution on "building a good routine" as you put it.
But as you can see, I've also come to the conclusion that perhaps that routine isn't really as important as we've been led to believe.
If I've missed something, by all means leave a comment. Password management is too important a topic not to make sure that these kinds of assumptions are correct.
I'll end this with an example story I've seen happen, and overheard again recently in an episode of Security Now!:
A company had configured its Windows logins to require a new password every certain number of days (30, 60 or 90 days seems to be common, I'll say 30 for example's sake). It had also configured the system to require that you not be able to re-use the last 5 passwords - you had to come up with a new one each time.
So one individual, every 30 days, would change his password 6 times in succession so that his current password would be forgotten by the system and he could use it again.
Yes, he changed his passwords 6 times in a row, so that he could keep his favorite password unchanged.
Users can be ... innovative ... at getting what they want.
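As an added illustration (not part of the original article), here is a toy model of the "remember the last 5 passwords" rule from the story above. It reproduces the six-changes-in-a-row outcome, and shows how an optional minimum password age (a setting Windows domain policy also offers; the numbers used here are constructed) stops the cycle, because the throwaway changes cannot all happen on the same day.

```python
import hashlib
from collections import deque


class PasswordHistoryPolicy:
    """Toy model of a Windows-style 'enforce password history' rule.

    history_len:  how many of the most recent passwords (including the
                  current one) may not be reused; the story uses 5.
    min_age_days: minimum days between changes; 0 disables the check.
    """

    def __init__(self, history_len=5, min_age_days=0):
        self.history_len = history_len
        self.min_age_days = min_age_days
        # Remember digests, not plaintext. SHA-256 is only for the demo;
        # a real system would use a salted, slow password hash.
        self.history = deque(maxlen=history_len)
        self.last_change_day = None

    @staticmethod
    def _digest(password):
        return hashlib.sha256(password.encode()).hexdigest()

    def set_initial(self, password, day):
        self.history.append(self._digest(password))
        self.last_change_day = day

    def change(self, new_password, day):
        """Return True if the change is accepted, False if rejected."""
        if self.min_age_days and day - self.last_change_day < self.min_age_days:
            return False                     # too soon since the last change
        digest = self._digest(new_password)
        if digest in self.history:
            return False                     # reuse of a remembered password
        self.history.append(digest)          # oldest entry falls off the deque
        self.last_change_day = day
        return True

    def current_matches(self, password):
        return self.history[-1] == self._digest(password)


def cycle_back(policy, favourite, day):
    """The user in the story: history_len throwaway changes, then the
    favourite again, all on one day. Returns how many were accepted."""
    accepted = 0
    for i in range(policy.history_len):
        accepted += policy.change(f"throwaway-{i}", day)   # constructed values
    accepted += policy.change(favourite, day)
    return accepted
```

With `min_age_days=0` all six changes are accepted and the favourite is back in place; with `min_age_days=1` only the first throwaway goes through.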
Article C4294 - May 4, 2010
(1) I tend to think that the frequency with which one should change a password should be directly proportional to the importance of what it protects.
(2) Using the same password for everything is very dangerous because, if someone guesses it or somehow obtains it, now they have access to your everything. I don't even use the same user name for everything. Every account gets a different user name and a different password, especially financial stuff. That way one cannot even tie ownership across "domains".
(3) I don't use easy to remember passwords for anything except my password manager and for that I have one not even my mother would guess. All other passwords are totally random.
(4) Back to the importance of what a password protects: I don't consider how often I access an account to be a factor. What I think is "if someone cracked security and obtained this or that entity's passwords, how long do I want to give them to raid my account?" The answer to that determines how often I change my password. High balance accounts, once a week. Web based eMail accounts, rarely.
Posted by: Carlos Coquet at June 25, 2010 10:52 AM
I appreciate your thoughts on changing passwords Leo. I teach technology and among my classes is a 2 hour class on Internet Security. I've also been thinking about the reasoning behind changing passwords and like you, I couldn't think of any strong reasons to include that practice in my class.
Here are a few good articles on the current state of passwords.
Bruce Schneier spends a lot of time thinking about security & passwords. He's also the creator of a free, open source password manager called Password Safe. Although this article goes back to 2007 it really opened my eyes to the automated side of password cracking.
http://www.schneier.com/blog/archives/2007/01/choosing_secure.html
This article is from the Carnegie Mellon School of Computer Science about choosing good passwords and includes a couple of interesting techniques to do it.
http://www.cs.cmu.edu/~help/security/choosing_passwords.html
A recent article by Georgia Tech Research Institute (GTRI) about new hardware developments that could alter password security:
http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics-Processing-Units-GPUs-Password-Security-System
And a CNN article about GTRI & their research that includes additional information:
http://www.cnn.com/2010/TECH/innovation/08/20/super.passwords/index.html
Dave (at) TechTeachToo.com
Posted by: Dave at August 21, 2010 3:46 AM
I've recommended this title before, and I'll recommend it again:
Though perhaps a tad outdated (it was written five years ago) it is still very relevant, and will answer all your questions not only about the "Why?" of changing your password, but the "How?" (the answer isn't necessarily the one you think it is!).
I should also note that, for some purposes an insecure password may be appropriate. Sometimes you only want to keep an honest person honest, not "out". For example, the computer I'm typing this on is shared between my mother and me, and I carefully keep our Windows accounts separate. But my own Windows password is intentionally VERY weak -- just five lowercase letters -- so that if I were to croak tomorrow, my Mom could hire a guru friend of ours who will no doubt download some program that should be able to break it easily. It's one of the very few occasions where I rely on an intentionally weak password. (Even apart from the concern just noted, there is simply no need for a strong password in this case -- no one uses the computer but the two of us, and who is snooping, the NSA? On those occasions where I really do want to keep some file private, I use encryption -- which does use a strong password.)
Posted by: Glenn P. at September 5, 2010 9:45 AM
Leo --
I'm troubled by your stubborn insistence on one particular Password Manager (i.e., Roboform). Granted, it's the one you use and are happy with; but there are also hundreds of others, and there are also hundreds of other users who are just as happy with those other hundreds of other Password Managers. How about a page listing some of those readers' favorites, and not just yours, for a change...?
It's my idea, so I'll go first: I happen to like KeePass, currently in Version 2.12:
Enjoy! :)
09-Sep-2010
Posted by: Glenn P. at September 5, 2010 10:23 AM
Passwords, etc. Being a non-geek with a simple mind, I keep a small thin address book which hides unobtrusively close by, and list user names and PWs alphabetically. Any changes to PWs are duly noted.
But just for fun I use an open source program "HideInpicture" (@ SourceForge). A person can hide data within a photo (in many formats) which requires a password. Just thought this was worth a mention. Can you say "Secret Agent"? Just remember to store PW changes to the photo.
Posted by: GREG JACKSON at December 20, 2010 7:16 PM