koam
Pink Pecker
Premium
join:2000-08-16
East Puddle

Please don't change your password.

»www.boston.com/bostonglobe/ideas···age=full

Now, a study has concluded what lots of us have long suspected: Many of these irritating security measures are a waste of time. The study, by a top researcher at Microsoft, found that instructions intended to spare us from costly computer attacks often exact a much steeper price in the form of user effort and time expended.

“Most security advice simply offers a poor cost-benefit trade-off to users,” wrote its author, Cormac Herley, a principal researcher for Microsoft Research.

Particularly dubious are the standard rules for creating and protecting website passwords, Herley found. For example, users are admonished to change passwords regularly, but redoing them is not an effective preventive step against online infiltration unless the cyber attacker (or evil colleague) who steals your sign-in sequence waits to employ it until after you’ve switched to a new one, Herley wrote. That’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door.
--
YOU can help reduce poverty, sustainably.
»www.kiva.org/lender/kenandart


jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
Scottsdale, AZ
kudos:19

While I can agree with a lot said in this article, I am not sure about the rest.
==========================
Microsoft encourages its researchers to “push against fixed beliefs, even when some of the ideas can be controversial,” he said. And from outside Redmond, Wash., he added, “the reaction has been tremendous.”

“Maybe I’m just saying out loud what is rather obvious — we seem to be causing lots of unnecessary misery.”
===========================

"We seem to be causing lots of unnecessary misery"? Making changes in passwords hasn't seemed to be a lot of misery to me, but I do believe in pushing against fixed ideas. Without doing so, there would never be change in anything, security or otherwise.
--
JKK

Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature!

»www.pbase.com/jaykaykay



StepR
Code Warrior
Premium
join:2000-11-06
Elgin, IL

reply to koam
This confirms the 2004 Wall Street Journal report that frequent password changing just leads most employees to put a post-it under their keyboards.
»www.fortinet.com/news/media/WSJA···2004.pdf



Kayrac
Premium
join:2001-09-29
Madison, WI

reply to koam
I've never changed my passwords unless required to; in my case, usually a grumpy ex.

In reality I've been using the same passwords for 5+ years at least without incident.



La Luna
Survived Ashraful
Premium
join:2001-07-12
Warwick, NY
kudos:3

reply to StepR

said by StepR:

This confirms the 2004 Wall Street Journal report that frequent password changing just leads most employees to put a post-it under their keyboards.
»www.fortinet.com/news/media/WSJA···2004.pdf
It's not that they write them down that is stupid; the stupid part is where they keep the paper... under the keyboard? Stuck to the monitor?
--
Biden '05 On Nuclear Option: "I pray God when the Democrats take back control we don't make the kind of naked power grab you are doing."

15,134 DEADLY TERROR ATTACKS SINCE 9/11


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7

reply to koam
On the one system I use that requires frequent password changes, I just use an easy-to-remember-and-not-very-secure password. It is not worth me making the effort to come up with a good password when I will soon have to change it anyway.
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 11.0; firefox 3.5.9



Boricua65
Premium
join:2002-01-26
Sacto Sh*tty

reply to koam
I had a job where the password had to be changed every month (12 times a year) and the password can be used again for another year. Working at the help desk, it became Hell Desk every single month, especially when we had the SAME users calling because they forgot their password or tripped up on it. Thankfully, they wisely changed their policy so that it changes every 90 days.
--
Illegal aliens have always been a problem in the United States. Ask any Indian. Robert Orben


WotsaPaswurd

reply to koam
I've been using "123456" for everything... Oops! I guess I'll have to change it now



anonymizedab

@tyks.fi

approval from:
jaykaykay

reply to koam
Few points to make:

* Yes, it's better to choose complex passphrases and NOT to change them than to change passphrases and end up having easy passphrases, or complex passphrases on sticky notes.

* One can pretty securely use the same passphrase in several non-critical internet apps, but for frak's sake, don't ever use the same passphrase on critical apps (like email, banking, etc.)!

* To overcome the password problems, using features such as Mozilla's or Opera's passphrase storage is a good idea (as long as it is locked behind a complex master passphrase), but it's even better to use applications like KeePass or PasswordSafe (with keyfile functionality as added security). If you cannot use such or consider it too complex, even using sticky notes or another piece of paper MIXED with a remembered passphrase is much better than simply not using any kind of "helpers" for the password nightmare.

* Companies, software developers and users who do not understand the real meaning and security of various passphrase systems and don't bother to think about them are ignorant, stupid, or both. Some passphrases don't really matter at all, some are very important and some are essential to keep secure. Losing your passphrase to some common internet forum isn't a big deal, but if you lose your TrueCrypt passphrase, then you are in big, big trouble.

* Always remember that if you think an attacker can get a keylogger installed onto your computer or otherwise control it to capture your passphrases, it doesn't really matter what password managers etc. you are using; you have already lost the game.

BTW, why don't various providers (web-based email, discussion forums, Facebook, etc. etc.) have a two-passphrase system in place? You know, ONE passphrase used to sign in and use the system and a SECOND passphrase to manage the system/accounts. This would very effectively eliminate the dangers of someone grabbing your "regular" passphrase, since you could simply use your "master" passphrase to reset your "regular" passphrase etc. etc. Today it's a serious problem if someone grabs your, let's say, Google passphrase, since by using that they can gain access to ALL the data and also change all that data, including your passphrases.



Oleg
Bellsouth Fastaccess
Premium
join:2003-12-08
Birmingham, AL

reply to WotsaPaswurd

said by WotsaPaswurd :

I've been using "123456" for everything... OOPs! I guess i'll have to change it now
Too late, I have taken over your e-mail accounts and your online banking.


Msradell
P.E.
Premium
join:2008-12-25
Louisville, KY

reply to Boricua65

said by Boricua65:

I had a job where the password had to be changed every month (12 times a year) and the password can be used again for another year. Working at the help desk, it became Hell Desk every single month, especially when we had the SAME users calling because they forgot their password or tripped up on it. Thankfully, they wisely changed their policy so that it changes every 90 days.
Where I work we have the same policy. I have found an easy way to make it work. I have my password (which I never change) followed by the numerical value of the month and year (0410 for example). Works real well and I can actually remember my password.


tschmidt
Premium,MVM
join:2000-11-12
Milford, NH
kudos:5

reply to koam
The policy of forcing users to constantly change passphrases encourages use of trivial passphrases, since each of us has to manage dozens if not hundreds of passphrases.

A better policy is to encourage cryptographically strong passphrases but not require that they be changed on a regular basis.

Even cryptographically weak passphrases are not much of a risk on the Internet, since an attacker will get locked out after a few incorrect attempts. Where they are critically important is to protect against instances where the attacker is able to record a transaction (e.g. WiFi) or steal your laptop and attack at their leisure.

/tom


spud

join:2007-03-24
Constantine, MI

reply to Msradell

said by Msradell:

said by Boricua65:

I had a job where the password had to be changed every month (12 times a year) and the password can be used again for another year. Working at the help desk, it became Hell Desk every single month, especially when we had the SAME users calling because they forgot their password or tripped up on it. Thankfully, they wisely changed their policy so that it changes every 90 days.
Where I work we have the same policy. I have found an easy way to make it work. I have my password (which I never change) followed by the numerical value of the month and year (0410 for example). Works real well and I can actually remember my password.
That wouldn't work where I work.
Passwords can't be similar to a previously used password,
so no number, letter or character can match in the same place.
E.g. if the 5th space was 0, then 0 can be used, just not in the 5th space. Also nothing can be used twice, so no two 0's.
We did change to every 90 days; I had to change mine today.
Hope I remember it tomorrow... oh, it's under the keyboard.
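As an added example (not code from the thread or from any poster), here is a password-history check that implements the two rules spud describes, no character in the same position as in any previous password and no character used twice, run against the "fixed word plus MMYY" rotation Msradell describes. All passwords in it are constructed samples.

```python
# Added example, not from the thread: a password-history check implementing the
# two rules spud describes (no character may sit in the same position as in any
# previous password, and no character may appear twice), applied to Msradell's
# "fixed word + MMYY" scheme. All passwords below are constructed samples.

def positional_matches(new: str, old: str) -> int:
    """Number of positions where `new` and `old` hold the same character."""
    return sum(1 for a, b in zip(new, old) if a == b)


def repeated_characters(pw: str) -> set:
    """Characters that occur more than once in `pw`."""
    return {c for c in pw if pw.count(c) > 1}


def check_against_history(new: str, history: list) -> list:
    """Return the rule violations for `new`; an empty list means accepted."""
    violations = []
    dupes = repeated_characters(new)
    if dupes:
        violations.append(f"characters used twice: {''.join(sorted(dupes))}")
    for old in history:
        n = positional_matches(new, old)
        if n:
            violations.append(f"{n} position(s) match previous password {old!r}")
    return violations


# Msradell's scheme: the same word followed by month+year. Rotating it from
# March 2010 to April 2010 keeps the word and most digits in place, and the
# two zeros in "Winter0410" already break the no-repeat rule.
HISTORY = ["Winter0310", "Winter0210"]
ROTATED = "Winter0410"

# A password with no character in common by position and no repeats passes.
FRESH = "Bq7x!Lmz2Kvr"

if __name__ == "__main__":
    for candidate in (ROTATED, FRESH):
        result = check_against_history(candidate, HISTORY)
        print(candidate, "->", result or "accepted")
```

The rotated password fails on both rules, which is exactly why a month-suffix scheme does not survive the policy spud describes.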


Oleg
Bellsouth Fastaccess
Premium
join:2003-12-08
Birmingham, AL

reply to koam
If it is a local system I do not think it is hard to crack the password.



KrK
Heavy Artillery For The Little Guy
Premium
join:2000-01-17
Tulsa, OK

reply to koam
Can I get an Amen.

"You need to change your password."

Ok, here we go.

"Password invalid: Some of the characters match characters in your username. This is not allowed."

"Password invalid: Some of the characters are invalid. This is not allowed. Please use letters A-Z and 0-9 only."

"Password invalid: You have a repeating series of characters in your password. This is not allowed. Please enter a different password."

"Password invalid: Your password is 9 characters. This is not allowed. Please enter a minimum of 16 characters."

Now answer various security questions, pick a visual icon, etc etc

By the time they are done you will never ever be able to login to that site again!
--
"Fascism should more properly be called corporatism because it is the merger of state and corporate power." -- Benito Mussolini



KrK
Heavy Artillery For The Little Guy
Premium
join:2000-01-17
Tulsa, OK

reply to Oleg

said by Oleg:

said by WotsaPaswurd :

I've been using "123456" for everything... OOPs! I guess i'll have to change it now
Too late i have taken over your e-mail accounts and your online banking
Oleg, I've hacked your account. "OLEGISGOD" was too easy to guess.
--
"Fascism should more properly be called corporatism because it is the merger of state and corporate power." -- Benito Mussolini


Oleg
Bellsouth Fastaccess
Premium
join:2003-12-08
Birmingham, AL

System error: invalid password



Jim Gurd
Premium
join:2000-07-08
Plymouth, MI

reply to StepR

said by StepR:

This confirms the 2004 Wall Street Journal report that frequent password changing just leads most employees to put a post-it under their keyboards.
»www.fortinet.com/news/media/WSJA···2004.pdf
Exactly!!! Where I used to work they forced password changes every 60 days. To make matters worse many applications had different password rules making it very difficult to use the same password for each one. It got old fast and I can see why people would write them down on a Post-It note and stick it on their monitor.
--
The Mogambo Guru economic newsletter, an avocational exercise to heap disrespect on those who desperately deserve it.


cork1958
Cork
Premium
join:2000-02-26

reply to Kayrac

said by Kayrac:

I've never changed my passwords unless required to; in my case, usually a grumpy ex.

In reality I've been using the same passwords for 5+ years at least without incident.
Haven't changed mine in 13 years!!

Idiots at work make us change it every 30 days and it has to be 16 freaking characters long!! They lose more time from people forgetting them and crap, it's absolutely crazy!!
--
The Firefox alternative.
»www.mozilla.org/projects/seamonkey/


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ

said by cork1958:

said by Kayrac:

I've never changed my passwords unless required to; in my case, usually a grumpy ex.

In reality I've been using the same passwords for 5+ years at least without incident.
Haven't changed mine in 13 years!!

Idiots at work make us change it every 30 days and it has to be 16 freaking characters long!! They lose more time from people forgetting them and crap, it's absolutely crazy!!
I think the sysadmins do it on purpose, to bring the helpdesk numbers up.
--
standard disclaimers apply.
