anon dummy

@verizon.net

Why do websites require changing the password every so often

??

I can understand why websites that do not use SSL (HTTPS) require changing the password to my account every so often, but why do secure websites require changing the password every so often?

Thanks.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:7

Pick one:

1) because someone told them it was good practice

2) because most of their customers can't be trusted to look after their passwords properly (ssl only protects a password in transit)



BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:2
Reviews:
·Frontier FiOS

reply to anon dummy
An illusion of security, but it keeps people out of the habit of using the same password for all their services; however, it creates the more dangerous problem of people keeping these passwords far more insecurely, like writing them down somewhere on their desk.

It's a constant problem for people working in businesses. Come back from vacation, and you might have totally spaced your last password. Being prevented from using previous passwords, even similar passwords. It honestly creates more local insecurity than anything else, looking for post-its under keyboards...
--
I distrust those people who know so well what god wants them to do because I notice it always coincides with their own desires- Susan B. Anthony
Yesterday we obeyed kings, and bent our necks before emperors. But today we kneel only to the truth- Kahlil G.


HELLFIRE

join:2009-11-25
kudos:4

reply to anon dummy
Good security practice for any password is
- 6 - 8 char
- mix of letters, numbers, and special characters
- should not be readily crackable -- ie. a word from the dictionary
- is changed regularly

Guess how often this is violated?

Regards



aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:2
Reviews:
·Verizon Online DSL

reply to BlitzenZeus

said by BlitzenZeus:

but it keeps people out of the habit of using the same password for all their services.

Which is why I love www.grc.com/offthegrid.htm
--
Please use the "yellow (IM) envelope" to contact me and please leave the URL intact.


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:2
Reviews:
·Frontier Communi..

reply to anon dummy
It also puts a time-span boundary on attempts to machine-hack the password. The number of trial combinations a cracker can run through in, say, 90 days will be fewer than what he can run through over several years. More importantly, a cracker doesn't know for sure when the password time frame begins/ends for a given user's account. With that time uncertainty, a cracker can't know whether the failed combinations tried over the past week were run against the same password as is present today - so he can't build on history as reliably and can't zero in on the password as quickly by the process of elimination.
--
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775


TheMG
Premium
join:2007-09-04
Canada
kudos:1
Reviews:
·TekSavvy DSL

reply to HELLFIRE

said by HELLFIRE:

Good security practice for any password is
- 6 - 8 char
- mix of letters, numbers, and special characters
- should not be readily crackable -- ie. a word from the dictionary
- is changed regularly

I disagree with the mix of numbers, letters, and symbols that seems to be so common.

Here's why:

Passwords with a mix of upper and lower case letters, numbers, and symbols, can be extremely hard to crack, but have the major disadvantage of being hard to remember.

A password consisting of three or more random words from the dictionary, however, can be both extremely hard to crack as well as easy to remember.

Let's take a 250,000 word dictionary for example (it is said by some sources there are as many as 1,000,000 words in the modern English language).

A password consisting of 3 randomly chosen words would have 15,625,000,000,000,000 (15.6 quadrillion) possible combinations.

For 4 random words that number would be 3,906,250,000,000,000,000,000 (3.9 sextillion).

Compare that with a password consisting of 8 completely random alphanumeric/symbols/mixed case characters, which has only 6 quadrillion possibilities. 8 completely random characters can be extremely challenging to remember, especially if you have several different passwords.


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:2
Reviews:
·Frontier Communi..

The security of a password increases geometrically with the number of characters employed. 3 "random words from the dictionary" almost certainly will contain far more than 6-8 characters, so any increase in security is simply achieved by the addition of character count. Using words from dictionaries, while easier for a user to remember than random symbols, also provides a hacker (who understands the human tendency to use the familiar) convenient and fruitful starting points to attempt breaking such passwords - ie: dictionary attacks, which undercut the apparent security gained by increasing character count.

In the end, however, the length of passwords is often forced by website or software packages themselves. And, in the end, that's because of cost. It's simply been cheaper to develop/test code, store, and process shorter password data strings than longer strings, especially when legacy software and computer technology is factored in. Though the difference may be vanishingly small any more, inertia is an extremely powerful factor - particularly where development and overhead money is involved.

As always, it isn't so much that we don't know how to apply good security, it's that we either don't wish the inconvenience or the cost added by good security. Blackbird's 1st Law of Security: Given the opportunity, convenience or cost will always trump security.
--
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775



Ian
Premium
join:2002-06-18
ON
Reviews:
·Rogers Hi-Speed

1 edit

reply to HELLFIRE

said by HELLFIRE:

Good security practice for any password is
- 6 - 8 char
- mix of letters, numbers, and special characters
- should not be readily crackable -- ie. a word from the dictionary
- is changed regularly

Guess how often this is violated?

Regards

I think that's a bit out of date. With a modern GPU's streaming capability, simple password hash systems (no salts or re-hashing systems) like Windows NTLM and MD5 can be brute-force attacked with a single modern video card at a rate of about 3 billion passwords per second. A 6 character password using all printable keyboard characters is breakable in, at most, 4 minutes on a single machine. 7 characters in less than an 8 hour day. 8 is border-line prohibitive at just less than a month. And some attackers could be using a simple cluster of a few machines with multiple GPUs on each. Ten characters brings it up to centuries on a single GPU though.

As for changing it. That assumes that the password hash file is compromised and attacked on a regular basis. And if that is the case, passwords aren't the biggest security issue.
--
“Any claim that the root of a problem is simple should be treated the same as a claim that the root of a problem is Bigfoot. Simplicity and Bigfoot are found in the real world with about the same frequency.” – David Wong

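The keyspace arithmetic in TheMG's post (250,000-word dictionary, 3 or 4 words, versus 8 random printable characters), Blackbird's caveat that a dictionary-aware attacker only has to search word combinations, and Ian's time estimates at 3 billion guesses per second, worked through as one added example. This is not code from any poster; the 95-character alphabet, the 250,000-word dictionary and the 3e9 guesses/second rate are the figures quoted in the thread, and the six-letter average word length in the last function is an assumption made here.

```python
import math

# Figures quoted in the thread (not measured here): 95 printable keyboard
# characters, TheMG's 250,000-word dictionary, Ian's 3 billion guesses/sec
# for one GPU against an unsalted, single-round hash.
PRINTABLE_ASCII = 95
DICTIONARY_WORDS = 250_000
GUESSES_PER_SECOND = 3e9


def char_keyspace(length, alphabet=PRINTABLE_ASCII):
    """Number of distinct passwords of `length` random characters
    (each extra character multiplies the count by the alphabet size)."""
    return alphabet ** length


def word_keyspace(words, dictionary=DICTIONARY_WORDS):
    """Number of distinct passphrases of `words` random dictionary words,
    drawn with replacement, as seen by an attacker who knows the scheme."""
    return dictionary ** words


def entropy_bits(keyspace):
    """log2 of the keyspace: the usual way to compare dissimilar schemes."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace / rate


def human_time(seconds):
    """Round a duration to the largest convenient unit for display."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def compare_schemes():
    """Rows of (label, keyspace, bits, worst-case seconds) for the thread's examples."""
    rows = []
    for n in (6, 7, 8, 10):
        ks = char_keyspace(n)
        rows.append((f"{n} random printable chars", ks, entropy_bits(ks), seconds_to_exhaust(ks)))
    for k in (3, 4):
        ks = word_keyspace(k)
        rows.append((f"{k} random dictionary words", ks, entropy_bits(ks), seconds_to_exhaust(ks)))
    return rows


def naive_vs_dictionary_aware(words, avg_word_len=6):
    """Blackbird's point: a passphrase of `words` lowercase words (assumed
    `avg_word_len` letters each) looks like a long password to an attacker
    searching letter by letter, but an attacker who knows it is built from
    dictionary words only searches the word combinations.
    Returns (character-level keyspace, word-level keyspace)."""
    as_characters = char_keyspace(words * avg_word_len, alphabet=26)
    as_words = word_keyspace(words)
    return as_characters, as_words


if __name__ == "__main__":
    for label, ks, bits, secs in compare_schemes():
        print(f"{label:26s} {ks:>28,d}  {bits:5.1f} bits  {human_time(secs)}")
    chars, wds = naive_vs_dictionary_aware(3)
    print(f"3 six-letter words: {entropy_bits(chars):.1f} bits attacked letter by letter, "
          f"{entropy_bits(wds):.1f} bits against a dictionary-aware attacker")
```

Run it and the 6/7/8/10-character rows reproduce Ian's "4 minutes", "under a day", "under a month" and "centuries"; the last line shows why the 15.6 quadrillion figure for three words only holds against an attacker who does not know the password is made of words.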

Kilroy
Premium,MVM
join:2002-11-21
Ann Arbor, MI

reply to anon dummy
To give the illusion of security.

In reality it causes more "I forgot my password" requests, which rely on an insecure "answer this easy-to-source question that we use to ensure that you are you", or on sending an e-mail to an account that you don't have, to change the password.
--
When will the people realize that with DRM they aren't purchasing anything?



Kilroy
Premium,MVM
join:2002-11-21
Ann Arbor, MI

reply to Ian

said by Ian:

said by HELLFIRE:

Good security practice for any password is
- 6 - 8 char
- mix of letters, numbers, and special characters
- should not be readily crackable -- ie. a word from the dictionary
- is changed regularly

Guess how often this is violated?

Regards

I think that's a bit out of date.

It is massively out of date. Anything shorter than a 13 character password cannot be considered secure and then only if you are using upper and lower case letters, numbers, and symbols. That goes up to 17 characters if you are only using a single case of letters. Length is more important than strength.

The problem is most password requirements do not recognize this and insist on short, more insecure passwords, and requiring you to change them frequently leads to them being written down. It doesn't matter if the words that make up your password are in the dictionary, provided you put enough of them together. This is why pass phrases are more secure.

The problem is that a lot of places that require a password set a limit on how long it can be. So, they make you use Hail2uv! instead of Hail to the Victors!. So, instead of having an insecure eight character password with all of the possible character types you can't use an easy to remember ultra secure 20 character password that only uses three of the four character types.

People don't understand that guessing a password is not like playing Mastermind. You either have it right or you have it wrong; you don't know that character one is correct, character two is the wrong case, character three is a number, and so on. The longer your password is, the longer it takes to crack, as each additional character increases the number of possible passwords by the previous amount times the number of possible characters.
--
When will the people realize that with DRM they aren't purchasing anything?


Trel
Good Evening
Premium
join:2002-10-08
Hillsborough, NJ

reply to HELLFIRE

said by HELLFIRE:

Good security practice for any password is
- 6 - 8 char
- mix of letters, numbers, and special characters
- should not be readily crackable -- ie. a word from the dictionary
- is changed regularly

Guess how often this is violated?

Regards

Anyone who knows anything about how computers work will tell you that's a horrible security practice. I think it may have been mentioned, those are the type of passwords that computers can crack, and people can't remember.

Sentences or random combinations of words (for length) are much more secure.
--
/chown -R us:us /yourbase


Ian
Premium
join:2002-06-18
ON
Reviews:
·Rogers Hi-Speed

reply to Kilroy

said by Kilroy:

It is massively out of date. Anything shorter than a 13 character password cannot be considered secure and then only if you are using upper and lower case letters, numbers, and symbols. That goes up to 17 characters if you are only using a single case of letters. Length is more important than strength.

Well, yes and no. I mentioned that there are techniques that make even trivially short passwords much harder to brute force. They just aren't universally implemented.

One of the simplest is Salting. This is adding one or more random strings of characters to the beginning and/or end of a user's password prior to creating the authentication hash that is stored locally.

So if my password is "puppy", which is obviously monstrously insecure to a brute force or dictionary attack, a normal Windows NTLM hash to attack would be: 4a827896abc4195de0ba68d1357a07d4. Cain and Abel, a GPU based system, or JTR would uncover it in minutes if not seconds.

If, on the other hand, my authentication system added a random salt before hashing with something like SHA-512, the hash to attack becomes something like (SHA-512) gwl1H}Y^d@@6nUzUKH>w*LU7ghp^}utx!y5H(s*{rXj'puppy. An almost ludicrously secure 44 character password for the attacker to calculate hashes for. Hash to attack is...
15d48a5e2058de257bdb29665c5af7bf13efb7f2b531638514f8062d47092ae3d5c4ab0bada994072badbcb7b33722a5398880bcb0f540f90d83b30b47e0205d

And how the attacker obtained the hash files is another important topic. If it itself is secured and encrypted....

Lots of luck brute-forcing that. The vulnerability of salting is that the salt becomes known. So if it's an inside job, that could happen. How it is salted can be a matter of creativity. It could involve the same random string, or a mathematical transformation of a different unique piece of data, like the user's time/date stamp of record creation.

Second method is re-hashing. A GPU attack relies on the previously mentioned 3 billion guesses/sec per GPU. If I hash the password once, a brute force attack on a 6 digit password takes, on average a couple minutes. But if I perform the hash function on a password iteratively "X" number of times, the computation time to brute force increases by a factor of X. 2 minutes becomes 2000 minutes if X=1000. 4 hours for a 7 digit password becomes 4,000 hours. 14 days for 8 digit becomes 38 years. Yet even with a CPU rather than GPU performing the function on a server side, the re-hashing would take less than a millisecond to authenticate. And if "X" is not known by the attacker, it is even far more secure.

Combine the 2 methods and even idiotic passwords become very secure to brute-force, dictionary, or Rainbow Table attacks.
--
“Any claim that the root of a problem is simple should be treated the same as a claim that the root of a problem is Bigfoot. Simplicity and Bigfoot are found in the real world with about the same frequency.” – David Wong


Kilroy
Premium,MVM
join:2002-11-21
Ann Arbor, MI

said by Ian:

One of the simplest is Salting. This is adding one or more random strings of characters to the beginning and/or end of a user's password prior to creating the authentication hash that is stored locally.

Salting and hashing only applies to the server side storage of the password. Brute forcing, normally, applies to guessing the password by trying all possible combinations and a weak password is still a weak password.

If you are using salting and hashing on your password of "puppy" then puppy is no longer your password, the salted hash is. So, typing in puppy will result in an incorrect password. Your logic is faulty.
--
When will the people realize that with DRM they aren't purchasing anything?


Ian
Premium
join:2002-06-18
ON
Reviews:
·Rogers Hi-Speed

said by Kilroy:

said by Ian:

One of the simplest is Salting. This is adding one or more random strings of characters to the beginning and/or end of a user's password prior to creating the authentication hash that is stored locally.

Salting and hashing only applies to the server side storage of the password. Brute forcing, normally, applies to guessing the password by trying all possible combinations and a weak password is still a weak password.

If you are using salting and hashing on your password of "puppy" then puppy is no longer your password, the salted hash is. So, typing in puppy will result in an incorrect password. Your logic is faulty.

No. Most brute-force attacks occur off-line on the password hashes, not some automated way of "typing in" a user password from the client side. This is because of the lock-out systems that all but the exceptionally stupid authentication methods use. As in if a wrong password is tried "Z" times in a row, where Z is a small number like 5, the user's account is locked, or timed-out for a while.

If my bank employs salting, my password to get into my account is still "puppy". It just means that when I key in puppy, the bank on the server side adds the salt to it, performs the MD5, SHA-512, or whatever hash function on that (however many times) and compares that number to the one that they have associated with my user account. If it matches, then puppy was the correct password. And if not, the bank isn't going to let me try a few billion more from my side.
--
“Any claim that the root of a problem is simple should be treated the same as a claim that the root of a problem is Bigfoot. Simplicity and Bigfoot are found in the real world with about the same frequency.” – David Wong

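Ian's two server-side measures (a per-account random salt, and hashing "X" times) and his later description of how a login is checked (the user still types "puppy", the server re-adds the salt, repeats the hash, compares, and locks the account after "Z" misses), as one added example in Python. This is not code from the thread: PBKDF2-HMAC-SHA512 from the standard library is used as the standard form of iterated hashing, and the 16-byte salt, 100,000 iterations and 5-failure lockout are values chosen here for the example.

```python
import hashlib
import hmac
import secrets

# Parameters chosen for this example, not values from the thread:
# a 16-byte random salt per account, a fixed iteration count ("X" in the post)
# and a lockout after MAX_FAILURES consecutive misses ("Z" in the post).
SALT_BYTES = 16
ITERATIONS = 100_000
MAX_FAILURES = 5


def derive(password, salt, iterations):
    """PBKDF2-HMAC-SHA512: HMAC-SHA512 keyed with the password, iterated over
    the salt `iterations` times. This is the standard form of "hash it X times"
    and is what hashlib provides for the job."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)


def make_record(password):
    """What the server stores for one account: salt, iteration count and the
    derived hash. The plaintext is never stored; each account gets a fresh salt."""
    salt = secrets.token_bytes(SALT_BYTES)
    return {
        "salt": salt,
        "iterations": ITERATIONS,
        "hash": derive(password, salt, ITERATIONS),
        "failures": 0,
    }


def verify(record, attempt):
    """Server-side check of a typed-in password. The user still types "puppy";
    the server re-adds the stored salt, repeats the same iterated hash and
    compares in constant time. Returns "ok", "wrong" or "locked"."""
    if record["failures"] >= MAX_FAILURES:
        return "locked"
    candidate = derive(attempt, record["salt"], record["iterations"])
    if hmac.compare_digest(candidate, record["hash"]):
        record["failures"] = 0
        return "ok"
    record["failures"] += 1
    return "wrong"


def same_password_different_hashes(password):
    """Two accounts with the same password get unrelated stored hashes, so a
    table precomputed from bare passwords (a rainbow table) matches neither."""
    a, b = make_record(password), make_record(password)
    return a["hash"] != b["hash"] and a["salt"] != b["salt"]


def offline_work_factor(keyspace, iterations):
    """Hash evaluations an attacker who has the salt must perform to exhaust
    `keyspace` candidates: the iteration count multiplies the cost directly."""
    return keyspace * iterations


if __name__ == "__main__":
    rec = make_record("puppy")
    print("stored salt:", rec["salt"].hex())
    print("stored hash:", rec["hash"].hex())
    print("login 'puppy':", verify(rec, "puppy"))
    print("login 'Puppy':", verify(rec, "Puppy"))
    print("same password, different hashes:", same_password_different_hashes("puppy"))
    print("work to exhaust 6 printable chars:", offline_work_factor(95 ** 6, ITERATIONS))
```

The lockout counter lives in the account record because it is the server, not the client, that has to refuse further attempts; offline, against a copied hash file, only the salt and the iteration count raise the attacker's cost, which is the work factor the last function computes.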

HA Nut
Premium
join:2004-05-13
USA

reply to anon dummy
Constantly changing passwords to keep things "safer" does not make sense to me (for several reasons.)

Make the passwords lengthy (they could still be something easy to remember) and limit the number of times a hacker could try to discover them over a given time period.



nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

reply to anon dummy

said by anon dummy:

..., but why do secure websites require changing the password every so often?

Here are some possible reasons:

1: "They" are sadists;
2: "They" are highly trained security "experts", but their training is for manual systems rather than the internet.
3: "They" are clueless.

Come to think of it, all of the above might apply.
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 12.1; firefox 9.0.1


Kilroy
Premium,MVM
join:2002-11-21
Ann Arbor, MI

reply to Ian

said by Ian:

No. Most brute-force attacks occur off-line on the password hashes, not some automated way of "typing in" a user password from the client side.

Again, if this is the case the problem is that the server has been compromised and your password is the least of your worries and has nothing to do with password length, strength, or change frequency. Password length, strength, and change frequency are all factors in how long it takes to brute force a password by using the front door.
--
When will the people realize that with DRM they aren't purchasing anything?


Ian
Premium
join:2002-06-18
ON
Reviews:
·Rogers Hi-Speed

said by Kilroy:

said by Ian:

No. Most brute-force attacks occur off-line on the password hashes, not some automated way of "typing in" a user password from the client side.

Again, if this is the case the problem is that the server has been compromised and your password is the least of your worries and has nothing to do with password length, strength, or change frequency. Password length, strength, and change frequency are all factors in how long it takes to brute force a password by using the front door.

We're quite possibly saying the same thing in different ways.

But if the server is compromised, it depends on to what extent and how as to how dangerous that is. A rogue admin may have access to the directory that contains the password hashfile, but not necessarily the salt and/or hash scheme used to generate it.

If it's your home PC and you're running Windows, so long as someone can boot to a USB key, CD or DVD, and your drive is not encrypted, they can overwrite your admin password and then boot Windows, eliminating the need for any sort of brute force attack.
--
“Any claim that the root of a problem is simple should be treated the same as a claim that the root of a problem is Bigfoot. Simplicity and Bigfoot are found in the real world with about the same frequency.” – David Wong


Snowy
mIRC unix.ro UnderNet
Premium
join:2003-04-05
Kailua, HI
kudos:5
Reviews:
·RoadRunner Cable
·Clearwire Wireless

reply to anon dummy

said by anon dummy:

??

I can understand why websites that do not use SSL (HTTPS) require changing the password to my account every so often,

That's something that shouldn't happen from a security POV.
All the arguments about an SSL site apply, but there's an additional danger when talking about a non-SSL site.
Experience shows that many people use a pool of passwords rather than using unique passwords.
So a user using a pool of 6 different passwords will give up their entire pool after 5 password changes.
I say this is worse for non-SSL sites because the security of non-SSL sites is generally weaker than, say, a banking site's security.
Short story - a hacker, malicious web admin etc... could collect its members' password pools quite easily with constant password change requests (to be used elsewhere).

Sunday, 03-Jun 22:05:57 | © 1999-2012 dslreports.com