2

In the course of my computer working I daily use dozens of username/passphrase pairs. Within the limits of my understanding and restrictions I apply the best practices for security. Unfortunately I have limitations on my abilities to employ some measures. I am often using the Internet in high-risk situations, such as on a public computer, or some other device not under my control, and using open public WiFi networks.

Some of the measures I employ are:

  • Never use the same passphrase for two purposes
  • Never reuse a passphrase, or minor modifications of prior passphrases
  • Personal minimum of 14 characters, unless the environment restricts it to less
  • Limit characters to 7-bit ASCII printable (guaranteed to be typeable anywhere)
  • Include all four complexity groups (upper/lower alpha, numeric, punctuation/special)
  • Don't use words, even converted with character substitutions, i.e.: password as p4s5w0rd
  • Passphrases have no reference to the username or their purpose
  • Security questions, or reset questions, have fake answers (treated like a second passphrase)
  • Don't use any information which relates to me, my life, or my past, as material for passphrases
  • PGP keys are created, or renewed, on an air-gaped box, and the primary private key never leaves there
  • Exported PGP keys have their passphrase changed before exporting
  • PGP keys have a short life, expiry dates typically in a six month window
  • Most importantly, nothing I create, including hints, is written/saved anywhere except in my cranium
  • System generated recovery phrases (such as for crypto wallets) are saved in encrypted storage only

Some of my limitations are:

  • Unreliable access to SMS
  • Lack of ability to install authenticator apps
  • Inability to rely on password keepers

My limitations, and exposures, are non-negotiable. I'm well aware of the arguments for (and against) password keepers, 2FA, physical keys, etc., and they are not germane here as they simply are not available as a solution for me.

I am also aware of the argument against a policy of password rotation forced on users by the system, or management. The chief point being that employee John Q. Public might pick a good passphrase originally, but then change it each time it is required by adding on a rotating, or incrementing, part. Thus, SuperDuperSecret becomes SuperDuperSecret2018, SuperDuperSecret2019, SuperDuperSecret2020 ..., or MyGoodPhrase becomes the rotating set of MyGoodPhraseMar, MyGoodPhraseJun, MyGoodPhraseSep, MyGoodPhraseDec. In my case the argument is spurious as it is not a policy I'm required to follow, but one I'm choosing to apply; and the simple modifications that it commonly triggers in users does not applied in my case, as I know, and want, better.

The question I am asking is not What measures can I employ for security? The question is should I continue to do password rotation at all, and how often should I rotate my passwords? The how often presumes medium sensitivity with reduced frequency for low-risk or lower sensitivity (account on PcPartsPicker, for example), and increased frequency for high-risk or highly sensitive accounts (my bank account, for example). A suspected compromise, of course, has a frequency of now, as soon as the breach is reported, or suspected.

This is not a trivial concern either, as the last time I did a reset across the board, online and local passphrases, it was a three-day long event.

This also could affect how I apply requirements on passwords for users on systems and sites I maintain, and client access to services.

  • 1
    See also [How often should passwords change?](https://security.stackexchange.com/questions/34985/how-often-should-passwords-change) and [How does changing your password every 90 days increase security?](https://security.stackexchange.com/questions/4704/how-does-changing-your-password-every-90-days-increase-security) – Sjoerd Nov 20 '19 at 11:32
  • If you realise that you are not needing us to provide a number (and we can't), but rather a process to come up with a number, then your answer might emerge by itself: "you change them when you need to and in a way that's convenient". When do you need to? When you know/suspect the password is compromised, or when it has existed for long enough that someone with the hash could have broken it, modified by the other mitigations that prevent such threats. – schroeder Nov 20 '19 at 11:35

2 Answers2

2

Quick answer: You shouldn't bother rotating a password unless stolen.

These days even the NIST has dropped its recommendation about password rotation. In short, the biggest danger for passwords is reuse. If you are exclusively using strong unique passwords then you have no reason to change it unless you know (or suspect) it has been compromised.

Conor Mancone
  • 30,380
  • 13
  • 92
  • 98
  • 1
    Hmm... turns out my long answer was barely longer than my short answer... that's not usually the way it goes for me. – Conor Mancone Nov 20 '19 at 12:08
  • 1
    I disagree regarding situation. Nist recommandations are a guideline for usual use. The decision to abandon passwords change is to prevent people to weaken their passwords to remember them (and allow bruteforce). In this case (OP seems to have some good rules about passwords) rotation is a plus: If for X reason passwords leaks, you'r still protected within a certain amount of time. – MrHeliose Nov 20 '19 at 13:23
-1

There are no rules about how often you should change passwords. Your password rotation should depend about 2 parameters:

  • Exposure to risk

  • Severity

It's exactly the same scheme as a Risk Matrix. For each of your passwords on each website, define a risk score, after that just think about how long a password can exist depending on the risk score.

I am often using the Internet in high-risk situations, such as on a public computer, or some other device not under my control, and using open public WiFi networks.

Avoid using public computers if possible or change the password just after using it. If you cannot certify the hardware integrity, you can consider yourself doomed.

schroeder
  • 125,553
  • 55
  • 289
  • 326
MrHeliose
  • 77
  • 9
  • I can't certify the hardware integrity on my own computer since it was built from components in china (and assembled there to!). In fact, I'm not even sure how I would go about certifying my hardware integrity... I guess I should just stop using the internet... – Conor Mancone Nov 20 '19 at 12:03
  • To be clear, the first part of your answer is very reasonable. It's just the "Public computers == doom" part that I object to. While using someone else's computer can be dangerous, the reality is that it is very unlikely that someone has gone around and installed keyloggers on every computer at the local library.... – Conor Mancone Nov 20 '19 at 12:10
  • well... there is a huge difference between your computer and a public one where everybody can add a physical keylogger or any other crap. Yes there is a bit of faith when you buy a computer, you trust the company that sell it, but between a company and everybody in this world there is a huge difference. – MrHeliose Nov 20 '19 at 12:38
  • Indeed there is! China has been accused of installing malicious firmware in computers they build, while no one has been accused of installing keyloggers at my local library. Clearly I'm better off using the computers at my library... – Conor Mancone Nov 20 '19 at 13:10
  • No one has been accused that mean it's 100% safe? Thanks for the advice, I will accept everybody in the street to use my PC now, no one has ever try to steal it from me! One other main difference between china logging a population and a local library hacker is the intention: China want to know what your doing, the library hacker want to steal anything he can. the SEVERITY here change a lot. – MrHeliose Nov 20 '19 at 13:22
  • Which is exactly what I'm trying to get at - I'm not seriously suggesting that a library computer is safer than my personal machine. Security decisions are about risk analysis, cost/benefit analysis, and threat mitigation. As a result, broad statements like "If you cannot certify the hardware integrity you are doomed" are plain old FUD, and can mislead and scare people for no good reason. At that extreme my point still stands: you can't certify your own hardware integrity because supply chain attacks can happen. – Conor Mancone Nov 20 '19 at 13:44
  • Did you check the firmware of all your computer components when you first purchased your machine? If not, then you have not certified your own hardware integrity, and by your own admission you are quite doomed. Either that or your last sentence there was a bit over-the-top, and you might be better off removing it. – Conor Mancone Nov 20 '19 at 13:45
  • You might have missunderstand my point. I just point the fact that using a public computer is a huge unknow factor. Thinking that you'r safe after that kind of move is a bad idea. By hardware integrity you can easily understand that I speak about a relative knowledge about your hardware. I'm not a native english speaker, maybe the word "integrity" doesn't have the exact meaning I presume. – MrHeliose Nov 20 '19 at 13:53
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/101273/discussion-between-mrheliose-and-conor-mancone). – MrHeliose Nov 20 '19 at 14:00