  1. #1
    5 Star Lounger

    Lessons from the recent RSA security conference

    ON SECURITY

    By Michael Lasky

    The ongoing fight against malware infections is waged on many fronts, as was made clear at this year's RSA conference, held last month in San Francisco, California. But the best practices for protecting ourselves from online threats remain much the same: maintain strong passwords and be careful what you click.

    The full text of this column is posted at WindowsSecrets.com/on-security/lessons-from-the-recent-rsa-security-conference/ (paid content, opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

  2. #2
    Super Moderator
    Ideally, you should change critical passwords every three months.
    But no one can ever explain why.

    Is it to thwart the hacker who's been trying to crack my password for 2 months 29 days?

  3. #3
    Super Moderator jwitalka's Avatar
    I think it's for the case where a hacker has obtained your password from someplace like a website security breach, unbeknownst to you.

    Jerry

  4. #4
    Super Moderator
    Quote Originally Posted by jwitalka View Post
    I think it's for the case where a hacker has obtained your password from someplace like a website security breach, unbeknownst to you.
    ... and has chosen not to use it for up to three months?

  5. #5
    Super Moderator jwitalka's Avatar
    They could be using it at any time without your knowledge. I don't use this rule myself. I'm just speculating on why it's recommended by some.

    Jerry

  6. #6
    Super Moderator
    ... as they could be on day one of your new password.

  7. #7
    Super Moderator jwitalka's Avatar
    Not if they got the password from a security breach. Nothing is perfect.

    Jerry

  8. #8
    Super Moderator
    Something rules out a security breach after you change a password?

  9. #9
    jwoods
    Guest
    Quote Originally Posted by jwitalka View Post
    I think it's for the case where a hacker has obtained your password from someplace like a website security breach, unbeknownst to you.

    Jerry
    It's been "at least every three months" for over 20 years.

    In several companies I've done work for, it was a forced change (policy) every 30 days.

    Depends on the environment.

    With password managers almost ubiquitous, it's not that big of a deal to change a password anymore.
    Last edited by jwoods; 2015-05-07 at 18:53.

  10. #10
    Super Moderator jwitalka's Avatar
    I'm referring to the several computer breaches at places like Target where user IDs and passwords have been stolen. It's not a perfect defense, but if your password is changed (even though you may not be aware of the breach) before it's sold, it may block access to your account(s).

    Jerry

  11. #11
    Administrator
    I think the most important rule right now, about online passwords, is never to use the same password for a different website. Ever. That makes breaches rather irrelevant, in terms of accessing other accounts from the same user.
    Rui
    -------
    R4
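    One way to audit your own vault against the rule above, as an added example that is not part of this thread: the script groups the sites in a password-manager export by a keyed hash of each password and reports any password shared by more than one site. The CSV columns, the sample rows and the hashing key are assumptions; a report built this way never contains a plaintext password.

```python
import csv
import hashlib
import hmac
import io
from collections import defaultdict

# Constructed sample export in a common "site,username,password" CSV shape.
# Hypothetical data only; not taken from any real vault.
SAMPLE_EXPORT = """site,username,password
shop.example,alice,Tr0ub4dor&3
mail.example,alice,Tr0ub4dor&3
bank.example,alice,correct horse battery staple
forum.example,alice,Tr0ub4dor&3
work.example,alice.w,hunter2
"""


def find_reused_passwords(csv_text, key=b"placeholder-local-key"):
    """Return {tag: [sites]} for every password used on more than one site.

    The tag is a truncated HMAC of the password under a local key (placeholder
    value here), so the output identifies a shared password without revealing it.
    """
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        pw = row["password"].encode("utf-8")
        tag = hmac.new(key, pw, hashlib.sha256).hexdigest()[:16]
        groups[tag].append(row["site"])
    # Keep only the groups that actually violate the one-password-per-site rule.
    return {tag: sorted(sites) for tag, sites in groups.items() if len(sites) > 1}


def report(csv_text):
    """Human-readable summary of the reuse groups (no passwords printed)."""
    reused = find_reused_passwords(csv_text)
    if not reused:
        return "no password is shared between sites"
    return "\n".join(
        f"password {tag} is shared by {len(sites)} sites: {', '.join(sites)}"
        for tag, sites in reused.items()
    )


if __name__ == "__main__":
    print(report(SAMPLE_EXPORT))
```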


  13. #12
    jwoods
    Guest
    Quote Originally Posted by jwitalka View Post
    I'm referring to the several computer breaches at places like Target where user IDs and passwords have been stolen. It's not a perfect defense, but if your password is changed (even though you may not be aware of the breach) before it's sold, it may block access to your account(s).

    Jerry
    If the hackers own your servers, it won't matter how many times you change passwords.

  14. #13
    Super Moderator jwitalka's Avatar
    In the Target data breach, the hackers penetrated Target's servers and the breach was repaired. The user IDs and passwords remain for sale today. There are several other cases.

    Jerry

  15. #14
    Super Moderator jwitalka's Avatar
    Quote Originally Posted by ruirib View Post
    I think the most important rule right now, about online passwords, is never to use the same password for a different website. Ever. That makes breaches rather irrelevant, in terms of accessing other accounts from the same user.
    I fully agree with this. This discussion about changing passwords on a regular basis is rather pointless. I was just trying to point out a rationale for it. It doesn't cover many cases and is just a tiny extra layer of protection that I personally don't use. I'm done commenting on it.

    Jerry

  16. #15
    Super Moderator satrow's Avatar
    Brian Krebs' blog section on data breaches is worth reading.
