  1. #1
    Lounger
    Join Date
    Apr 2002
    Location
    Polk City, Florida, USA
    Posts
    30
    Thanks
    3
    Thanked 2 Times in 1 Post

    Why change your password(s) regularly?

    Every password management article I've read advises you to change your password(s) regularly. Why? The only scenario I can see where this is of any value is one in which your password(s) have been exposed. Absent exposure, if you're using strong, complex passwords, the only way they'll become compromised is via a determined and successful decryption attack, which, using generally available technology, could take eons. If the attacker is in the middle of a long run, the next password to try could well be your current password, but if you change it, you can't be sure that a subsequent try won't be your new, changed password. And if you've got a LOT of strong, complex passwords, changing them all could take days. In fact, I have password-protected accounts on some sites where there is no obvious way to change a password or to delete the account altogether. Seems like the cost/benefit ratio here is unreasonably high.

    But if I had had a password-protected Target account recently, I would certainly change that password, but that wouldn't encourage me to change all my other passwords.

    I do worry about my Roboform master password being compromised, thus exposing my 800+ strong, complex, managed passwords. But it's fairly easy to keep track of that password and change IT if there's any hint of it having been exposed. But just changing it now and then, while practical, seems of little value.

    What am I missing here?


  3. #2
    Platinum Lounger
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    3,619
    Thanks
    7
    Thanked 231 Times in 219 Posts
    I agree. If you are using strong passwords in the first place there is no benefit in changing them regularly. There is more chance of a poorly designed web site leaking your password and data than a strong password being compromised. The only exception I can see is your banking password if you happen to be particularly paranoid.

    cheers, Paul

  4. #3
    Super Moderator
    Join Date
    Jun 2011
    Location
    New England
    Posts
    2,774
    Thanks
    83
    Thanked 340 Times in 307 Posts
    The best that can be said for the insistence of enterprise auditors that passwords must be changed every 90 days is that it discourages users from sharing passwords.

    But it comes with a huge cost of decreasing complexity of passwords used and/or in wasted time when those passwords are frequently forgotten and need to be reset.

    Bruce

  5. #4
    Platinum Lounger
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    3,619
    Thanks
    7
    Thanked 231 Times in 219 Posts
    But the auditors insisted.......

    cheers, Paul

  6. #5
    4 Star Lounger access-mdb's Avatar
    Join Date
    Dec 2009
    Location
    Oxfordshire, UK
    Posts
    522
    Thanks
    50
    Thanked 39 Times in 36 Posts
    If people have to change their passwords so frequently, won't they just change one character at the end? My work password was e.g. passworda, then passwordb and so on. It didn't take long to find the password if I forgot it (say after some leave).

    What I found slightly bemusing, when they introduced a password manager, we weren't allowed to keep system passwords in it - but they tended to be so random they would be written down (or put in a spreadsheet called - passwords.xls). And the system passwords were never changed.....

  7. #6
    3 Star Lounger
    Join Date
    Mar 2010
    Location
    USA
    Posts
    247
    Thanks
    44
    Thanked 32 Times in 25 Posts
    @BruceR, access-mdb, re frequent password change and its unintended consequence, I agree totally.
    <Do we change our door keys every 90 days?> Hey, our door is totally exposed to all elements too.

    Soon we'll run out of ideas on memorable passwords. Soon we'll have yellow stickers back on monitors. Soon the future 30% senior population would break down the tech support systems.
    Soon we'll run out of 'mothers' maiden names', 'Birth city names', and our brothers' names are John, Paul, George, Ringo, ...

    Soon, the hack with it, we'll have mechanical key and key hole in our laptop, tablet, cell phone, and yes, Google glass and Google watch. Maybe hearing aids too.
    And very soon, the key is as big as our present car keys. Soon the pocket of our pants has holes. Soon, the 5-lb key chain activates airport detector system endlessly. Soon we'll be restricted to 3-oz (!) key chain in airport.

    And very soon, bio-key equipped device owners would lose their eyes and fingers to robbers ...
    Maybe we'll then start using our toes ...

  8. #7
    3 Star Lounger wavy's Avatar
    Join Date
    Dec 2009
    Location
    ny
    Posts
    343
    Thanks
    34
    Thanked 14 Times in 14 Posts


    I had not thought of the point that changing passwords regularly would discourage sharing, but it would also be a valid critique that when passwords are changed often one is more likely to forget and need to borrow, catch 22.

    I have always felt a mandated password change (like I have @ work) is counterproductive. I have a long nonsense phrase that gets a regular modification when needed.






