11

For instance, my Google account has a 32-character, random character password that I maintain with LastPass.

I regularly flash new ROMs on my phone or otherwise need to be able to manually type in my password. Not a big deal, but that password hasn't changed for quite some time now. I haven't memorized it, but that password is beginning to feel… familiar. And of course, the only secure password is the one you can't remember.

I'm wondering if this password, or any other passwords that have been in my LastPass vault, need occasional changing, even if the passwords have not been compromised. Something along the lines of the corporate "change-your-password-every-90-days" thing.

Dang Khoa

  • The best hackers compromise the target without them knowing, and maybe they find out years later. – cybernard Jul 29 '16 at 19:03
  • If you're of the mindset that you're being targeted by a determined attacker at all times (which isn't necessarily a bad mindset to have), you can assume that someone's trying to brute-force your credentials constantly. Rotating your passwords serves as a strong defense in this kind of situation. – Jules Jul 29 '16 at 19:05
  • While your password is 100% safe against brute-forcing for the next century, are you 100% sure that your computer cannot be attacked? You know, if they somehow manage to put a keylogger on your computer it doesn't matter whether it is 32 characters or 1024... they will find it. Changing your password every 90 days and frequently checking for malware on your computer helps you prevent them from using it for too long. – Bakuriu Jul 29 '16 at 19:51

3 Answers

12

Do you know that they are uncompromised? If you are absolutely sure, then there is no real need to change. Obviously if they are compromised, then go ahead and change. If you do not know, then it becomes more interesting.

That is the main purpose of changing your passwords: just in case they are compromised and you are not yet aware of it. So the whole 90-day password change policy is usually a risk-based compromise between how likely it is that your password is compromised, and how annoying it is to change and re-remember (or in the case of a password manager, update and start using).

Colin Cassidy

  • *"then it becomes more interesting"* :-) – 700 Software Jul 29 '16 at 16:12
  • If they're compromised and you don't know it, then one of two things has happened: either your own computer or work environment is compromised, in which case your pw manager's master password is compromised and any new password you set will also be instantly compromised, or the site on which the password is used is compromised, in which case using a different password does not change the fact that the site is compromised. – R.. GitHub STOP HELPING ICE Jul 29 '16 at 21:58
  • "is usually a risk based compromise between how likely is your password compromised and how annoying is it to change". Not really. 90 days is frequent enough that if you're not using the password daily, you're unlikely to remember it at all. (And that the user is logging in that often is not a safe assumption in the slightest.) This causes people to *write down* their passwords, more often on a PostIt note stuck to their screen than in a password manager. So it's not a compromise; it's a knee-jerk reaction from people who don't understand how problematic it actually is. – jpmc26 Jul 29 '16 at 23:30
  • From a corporate perspective, changing passwords protects the company from poorly managed backup media as well. Say the company backs up a server with a password database, keeps it for a year, then throws it in the trash (this is a bad process to have in place, but not inconceivable). A dumpster diving attacker would then have everyone's password (or hash) from last year. If everyone changes their password more frequently than this, voila! Those passwords are useless. – Owen Aug 04 '16 at 19:09
  • @R.., there is a third possibility (beyond work env compromise or site compromise). There could be an OLD site compromise (like the massive LinkedIn or MySpace breach) where the database is for sale but your credentials have not yet been exploited. The site may even have fixed the problem that led to the breach in the first place since the breach occurred. In that case, changing your password every several months to a year could prevent any damage to you. From the age of many of the recent mega-breaches coming to light the past few months, I'd say that scenario is actually quite likely. – Ben Aug 05 '16 at 16:15
  • @jpmc26, I agree that *mandated* password resets can cause problems, but *voluntary* password resets every so often, by people who take care to follow good password practices, will at worst be wasted effort and at best has potential to prevent harm in the case of undiscovered breaches. – Ben Aug 05 '16 at 16:17
3

This is of course similar to the question "How does changing your password every 90 days increase security?"

For my answer to that question go here.

To answer your question, reasons to change your password regularly would include:

  • If the entropy of your password allows it to be cracked since you last changed it, as the attacker could have obtained a hash of your password unbeknownst to you. For a rough guide to cracking times, see here. For the average, divide the result by two, e.g. a password with 65 bits of entropy would take 1.7 years to crack on average. Of course, remember that an attacker with enough time and resources to do this might be rare unless they are specifically interested in your account, which is very valuable to them, or the passwords were stored unsalted.
  • If the password might have been accidentally leaked by you at any point (e.g. typing it into your computer with the cursor focused on another window).
  • Somebody may be monitoring your keypresses and have enough information to statistically determine your password (e.g. via a camera, the sounds that your keyboard makes, or by somehow determining wear and tear on your keyboard). Of course, these do not apply to passwords that are autofilled and never typed.
  • If an attacker could have viewed your screen while your password was briefly displayed, allowing them to reduce the effective entropy as they would know any remembered characters at their positions.
  • The website has recently increased their bcrypt iterations or changed their password hashing algorithm, and it requires a password change in order to update it in their database.
SilverlightFox
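The entropy and cracking-time arithmetic from the first bullet above, worked through as an added example (not the answerer's code). The guess rate is an assumption calibrated so that 65 bits takes 1.7 years on average, as the answer states, and a 94-character printable-ASCII alphabet is assumed for a random 32-character manager password like the one in the question.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed assumption: the guess rate that makes a 65-bit password take
# 1.7 years on average (the figure quoted in the answer), roughly 3.4e11
# guesses per second against a fast, unsalted hash.
ASSUMED_GUESSES_PER_SECOND = 2 ** 64 / (1.7 * SECONDS_PER_YEAR)

# Assumption: printable ASCII, the alphabet a random manager password uses.
PRINTABLE_ASCII = 94


def entropy_bits(length: int, alphabet_size: int = PRINTABLE_ASCII,
                 known_positions: int = 0) -> float:
    """Entropy of a uniformly random password.

    Characters an observer already saw on screen (known at fixed positions)
    contribute nothing: this is the entropy reduction the answer describes
    for a briefly displayed password.
    """
    if known_positions < 0 or known_positions > length:
        raise ValueError("known_positions must be between 0 and length")
    return (length - known_positions) * math.log2(alphabet_size)


def average_crack_years(bits: float,
                        guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Average brute-force time: half the keyspace divided by the guess rate
    (the answer's rule of thumb: worst case divided by two)."""
    return (2.0 ** bits) / 2.0 / guesses_per_second / SECONDS_PER_YEAR


def rotation_margin(bits: float, rotation_years: float,
                    guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Ratio of average crack time to the rotation interval.

    Above 1 means the password is, on average, replaced before an attacker
    who obtained its hash could finish an exhaustive search at this rate.
    """
    return average_crack_years(bits, guesses_per_second) / rotation_years


if __name__ == "__main__":
    vault_pw = entropy_bits(32)  # the 32-character random password
    print(f"32 random chars: {vault_pw:.1f} bits, "
          f"{average_crack_years(vault_pw):.3g} years on average")
    print(f"65-bit password: {average_crack_years(65):.2f} years on average")
    print(f"8 chars, 3 glimpsed on screen: "
          f"{entropy_bits(8, known_positions=3):.1f} bits left")
```

At the assumed rate a 65-bit password rotated yearly has a margin of about 1.7, while a 32-character random one has a margin so large that rotation buys nothing against brute force; the other bullets (leaks, keyloggers, hash upgrades) are the reasons it still might be worth doing.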
1

The main reason to change passwords periodically is that all passwords are eventually revealed, either by brute force attack, theft, accident or deliberate disclosure. Once revealed, all past and future uses of the password are compromised.

Suppose you have a password that will take 1000 years to crack. The bad guys deploy 1000 computers for a year and crack your password. They now have access to everything you have ever encrypted or will encrypt. If you change your password once a year, they have access to only 1 year's worth.

ddyer