  1. #1
    Lounger
    Join Date
    Apr 2002
    Location
    Polk City, Florida, USA
    Posts
    31
    Thanks
    3
    Thanked 4 Times in 2 Posts

    Why change your password(s) regularly?

    Every password management article I've read advises you to change your password(s) regularly. Why? The only scenario I can see where this is of any value is one in which your password(s) have been exposed. Absent exposure, if you're using strong, complex passwords, the only way they'll become compromised is via a determined and successful decryption attack, which, using generally available technology, could take eons. If the attacker is in the middle of a long run, the next password to try could well be your current password, but if you change it, you can't be sure that a subsequent try won't be your new, changed password. And if you've got a LOT of strong, complex passwords, changing them all could take days. In fact, I have password-protected accounts on some sites where there is no obvious way to change a password or to delete the account altogether. Seems like the cost/benefit ratio here is unreasonably high.

    But if I had had a password-protected Target account recently, I would certainly change that password, but that wouldn't encourage me to change all my other passwords.

    I do worry about my Roboform master password being compromised, thus exposing my 800+ strong, complex, managed passwords. But it's fairly easy to keep track of that password and change IT if there's any hint of it having been exposed. But just changing it now and then, while practical, seems of little value.

    What am I missing here?

  2. #2
    Platinum Lounger
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    3,736
    Thanks
    7
    Thanked 241 Times in 229 Posts
    I agree. If you are using strong passwords in the first place there is no benefit in changing them regularly. There is more chance of a poorly designed web site leaking your password and data than a strong password being compromised. The only exception I can see is your banking password if you happen to be particularly paranoid.

    cheers, Paul

  3. #3
    Super Moderator
    Join Date
    Jun 2011
    Location
    New England
    Posts
    2,838
    Thanks
    88
    Thanked 347 Times in 312 Posts
    The best that can be said for the insistence of enterprise auditors that passwords must be changed every 90 days is that it discourages users from sharing passwords.

    But it comes with a huge cost of decreasing complexity of passwords used and/or in wasted time when those passwords are frequently forgotten and need to be reset.

    Bruce

  4. #4
    Platinum Lounger
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    3,736
    Thanks
    7
    Thanked 241 Times in 229 Posts
    But the auditors insisted.......

    cheers, Paul

  5. #5
    4 Star Lounger access-mdb's Avatar
    Join Date
    Dec 2009
    Location
    Oxfordshire, UK
    Posts
    568
    Thanks
    51
    Thanked 42 Times in 39 Posts
    If people have to change their passwords so frequently, won't they just change one character at the end? My work password was e.g. passworda, then passwordb and so on. It didn't take long to find the password if I forgot it (say after some leave).

    What I found slightly bemusing, when they introduced a password manager, we weren't allowed to keep system passwords in it - but they tended to be so random they would be written down (or put in a spreadsheet called - passwords.xls). And the system passwords were never changed.....
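
The incrementing pattern described in post #5 (passworda, passwordb) can be caught by a password-change form, because the user types the old password at that moment and no plaintext history has to be kept. The sketch below is an added illustration, not part of the thread; the function names and the threshold of 4 edits are assumptions.

```python
# Added example: flag a "rotated" password that is a trivial edit of the old one.
# Intended to run at password-change time, when both old and new are in memory.

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def strip_counter(pw: str) -> str:
    """Drop a trailing run of digits/symbols (the usual 'counter' suffix)."""
    return pw.rstrip("0123456789!@#$%^&*._-").lower()


def is_trivial_rotation(old: str, new: str, min_changes: int = 4) -> bool:
    """True if `new` is `old` with only a suffix bump or a few edits.

    min_changes is an assumed policy value, not taken from the thread.
    """
    # Same base word with a different counter: Summer2023! -> Summer2024!!!!!
    if strip_counter(old) == strip_counter(new):
        return True
    # Small in-place edits: passworda -> passwordb
    return edit_distance(old.lower(), new.lower()) < min_changes


if __name__ == "__main__":
    # Constructed sample pairs
    for old, new in [("passworda", "passwordb"),
                     ("Summer2023!", "Summer2024!!!!!"),
                     ("correct horse battery", "purple monkey dishwasher")]:
        print(f"{old!r} -> {new!r}: trivial={is_trivial_rotation(old, new)}")
```
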

  6. #6
    3 Star Lounger
    Join Date
    Mar 2010
    Location
    USA
    Posts
    252
    Thanks
    46
    Thanked 32 Times in 25 Posts
    @BruceR, access-mdb, re frequent password change and its unintended consequence, I agree totally.
    <Do we change our door keys every 90 days?> Hey, our door is totally exposed to all elements too.

    Soon we'll run out of ideas on memorable passwords. Soon we'll have yellow stickers back on monitors. Soon the future 30% senior population would break down the tech support systems.
    Soon we'll run out of 'mothers' maiden names', 'Birth city names', and our brothers' names are John, Paul, George, Ringo, ...

    Soon, the hack with it, we'll have mechanical key and key hole in our laptop, tablet, cell phone, and yes, Google glass and Google watch. Maybe hearing aids too.
    And very soon, the key is as big as our present car keys. Soon the pocket of our pants has holes. Soon, the 5-lb key chain activates airport detector system endlessly. Soon we'll be restricted to 3-oz (!) key chain in airport.

    And very soon, bio-key equipped device owners would lose their eyes and fingers to robbers ...
    Maybe we'll then start using our toes ...

  7. #7
    3 Star Lounger wavy's Avatar
    Join Date
    Dec 2009
    Location
    ny
    Posts
    395
    Thanks
    36
    Thanked 15 Times in 15 Posts


    I had not thought of the point that changing passwords regularly would discourage sharing, but it would also be a valid critique that when passwords are changed often one is more likely to forget and need to borrow, catch 22.

    I have always felt a mandated password change (like I have @ work) is counterproductive. I have a long nonsense phrase that gets a regular modification when needed.






