Possible Duplicate:
How does changing your password every 90 days increase security?

Some sites require users to change their password every x days. For example, at least 3 online banking systems require me to do that. Does this mean the admins assume the password could be hacked within the x-day period?

Isn't regularly changing passwords riskier than having one permanent strong password? For example, if you change your password regularly then there is a higher chance you will forget it, and now you have to store it somewhere (aside from your mind, like a physical paper hidden "under your pillow" or a secret folder on your computer), which increases the possibility of password leakage. Whereas if you have just one really strong password hidden in your mind, it can't be leaked.

For simplicity, this question is assuming an average user doesn't know or want to use password storage apps like Keepass since it has its own drawbacks like password portability/computer crash/etc.

IMB

1 Answer

While I see your point, having a compulsion to change your password at regular intervals of time is a good and mandatory method for security within most banking applications. Allow me to explain why.

The main reason people get hacked online is because of vulnerabilities where their password is either phished from them, key logged or too easy to brute force. This also includes conditions wherein, due to the manner in which the user accesses the system, other individual(s) are aware of his log-on credentials.

In all such cases, changing your password helps a lot. Logs generated by key loggers are enormous. If a mass key logger has affected someone, hackers generally take time to process those logs. Changing your password regularly has a fair chance of ensuring that by the time the hacker attempts to log in with your credentials, the password has changed.

Also, most applications send out alerts when a password is changed. As a result, if a hacker does get control of your account, he could only access it without your knowledge so long as the password remains constant.

Of course, this is not the best method of delivering security. I personally believe that 2 Factor Authentication is a safer and more user-convenient method than prompting the user to change his password, which can lead to him forgetting it or storing it insecurely.

Rohan Durve
  • So, this practice is helpful only in cases when the attacker is already in control of 1 user's account, but not in control of the whole system. In such cases the damage is probably already done to the user (and the user has probably noticed that damage). Changing passwords actually helps against "slow hackers" only. – Babken Vardanyan Jun 22 '14 at 20:06
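The trade-off the answer and the comment describe (rotation only helps when the attacker's delay before using a stolen credential is long relative to the rotation period) can be made concrete with a small model. This is an added example, not code from the original question or answer. It assumes, as labelled in the code, that the credential is captured at a uniformly random moment within the rotation cycle, that the user rotates exactly on schedule, and that the attacker first tries the credential a fixed number of days after capture; `period_days`, `delay_days` and the function names are my own.

```python
"""Model of the "password changes before the attacker uses it" argument.

Constructed example; assumptions (not from the original post):
- the credential is captured at a uniformly random point within a rotation
  cycle of length `period_days` (use math.inf for "never rotated");
- the attacker first tries it `delay_days` after capture;
- the user rotates exactly on schedule and the attacker cannot re-capture.
"""
import math
import random


def still_valid_probability(period_days: float, delay_days: float) -> float:
    """Closed form: the stolen credential still works iff the attacker's delay
    is shorter than the time remaining until the next scheduled change.
    With capture time uniform in the cycle, P = max(0, 1 - delay/period).
    A period of math.inf (no rotation) gives 1.0: the credential never expires."""
    if period_days <= 0:
        raise ValueError("period_days must be positive")
    if delay_days < 0:
        raise ValueError("delay_days must be non-negative")
    return max(0.0, 1.0 - delay_days / period_days)


def simulate_still_valid(period_days: float, delay_days: float,
                         trials: int = 100_000, seed: int = 1) -> float:
    """Monte Carlo check of the closed form: draw a capture time in the cycle and
    test whether the first attacker use lands before the next rotation."""
    if math.isinf(period_days):
        return 1.0
    rng = random.Random(seed)
    valid = 0
    for _ in range(trials):
        captured_at = rng.uniform(0.0, period_days)
        if captured_at + delay_days < period_days:
            valid += 1
    return valid / trials


def exposure_summary(periods, delays) -> dict:
    """Table of P(credential still valid) for each (period, delay) pair, so the
    'fast attacker' (phishing, immediate use) and 'slow attacker' (bulk keylogger
    logs processed later) cases can be compared side by side."""
    return {(p, d): still_valid_probability(p, d) for p in periods for d in delays}


if __name__ == "__main__":
    periods = (30, 90, math.inf)          # rotation policy in days; inf = never
    delays = (0, 1, 30, 60, 180)          # days between capture and first use
    table = exposure_summary(periods, delays)
    print("period  delay  P(still valid)")
    for (p, d), prob in table.items():
        label = "never" if math.isinf(p) else f"{p:>5}"
        print(f"{label:>6}  {d:>5}  {prob:.2f}")
    # Sanity check: simulation agrees with the closed form.
    print("simulated (90, 45):", round(simulate_still_valid(90, 45), 3))
```

Reading the table: with an immediate-use attacker (delay 0) every policy gives 1.0, so rotation buys nothing against phishing or instant credential use; only when the delay approaches or exceeds the rotation period does the probability fall toward zero, which is exactly the "slow hackers" case in the comment. The alert-on-change point in the answer is a separate detection control and is not modelled here.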