Photo (cc) by xmodulo
This post comes from Bob Sullivan at partner site Credit.com.
How often should you change your passwords? Sounds like it should be a pretty easy question, right? After all, it gets right to the heart of most security issues that people face. Turns out, it’s a really hard question to answer.
And that’s a problem, because as I spend more time giving talks about computer security with people in various settings, I have come to know that “How often?” is by far the most common question people have.
I might offer a stirring, funny, informative — OK, adequate — 45-minute discussion about the major security and privacy issues of our day. I might touch on Snowden, Target, retina scans, social engineering, social media, your mother’s maiden name, but it doesn’t matter. Inevitably, one of the first two or three questions is: “How often do you, or should I, change a password?”
Recently, I’ve thought a lot about better ways to answer that question. I have a few, and I want to hear your answers. But before I get to that, I thought I’d find some better people to answer the question. I did a quick, informal survey of the best in the information security business, and here’s what they said to me. You’ll find plenty of nuggets of wisdom here, and more than a few surprises.
Graham Cluley, independent computer security analyst, formerly of Sophos and McAfee
I only change my password if I’m worried a service has been hacked/compromised. I have different passwords for each site. In fact, I reckon I have over 750 unique passwords. I use password management software. I think requiring people to regularly change their password is a bad idea. It encourages poor password choices, (such as) … passwordjan, passwordfeb, etc.
Mikko Hypponen, chief research officer, F-Secure
For your corporate network account? Several times a year. For an online newspaper that requires registration in order to read it? Never. As always, it’s about threat modeling: Figure out which services are the important services FOR YOU. Then use a strong, unique password on those, and change it regularly. For non-important sites, who cares?
James Lyne, global head of security research at Sophos, speaking specifically about corporate passwords
The requirement to change your passwords is a preventive measure that is designed to minimize the risk of your already stolen password being cracked and used. Over 2014, there have been a huge number of attacks which have led to the loss of password hashes (or other representations). These password “representations” require time and effort for attackers to crack and reverse to their plain text form. Depending on the hashing scheme in use and the resources of the attacker this can take little, or a very long time. Changing your password regularly helps manage the risk of an attacker stealing your password hash from the provider (without you knowing) by increasing the probability you have changed it before they use it.
There is a real balance to be struck with password rotations. Some enterprises set painful rotation rules that require staff to regularly learn a new password and commit it to memory, ironically this can lead to staff producing poor passwords to meet the requirement, which again ironically makes it much easier for the attacker to break. Providing the service provider does their part and secures your password with an appropriate storage mechanism often using a significantly longer, complex and hard to guess password is a much better defense. Good luck to the cybercriminal going after a 128-character password stored as a (moderately poor) SHA1 hash.
Password managers help you generate long and complex passwords that will be hard to crack even if lost. That said, if you go this far and implement a manager you may as well rotate your passwords once in a while as you don’t need to remember them and it helps minimize the risk of attackers using stolen credentials (particularly on sites that store your password poorly). Most enterprises would do well to consider how to improve their password storage security and the strength of the original password over a 30-day rotation period.
Harri Hursti, independent security researcher, famous for the “Hursi Hack” of voting machines