3

A WWW site guided me to change my password regularly. Should I believe what they say, if my current password is a long enough random string?

novice

3 Answers

4

Regular password changes are notionally a good idea because they guarantee someone can’t acquire your password and use it to snoop on you over an extended period of time. However, regularly changing your password won’t help much.

If an attacker gains access to your accounts, they’ll most likely use their access to cause damage right away. If they gain access to your online banking account, they’ll log in and attempt to transfer money out rather than sit and wait. If they gain access to an online shopping account, they’ll log in and attempt to order products with your saved credit card information. If they gain access to your email, they’ll likely use it for spam and phishing, or attempt to reset passwords on other sites with it. If they gain access to your Facebook account, they’ll probably attempt to spam or defraud your friends immediately.

Typical attackers won’t hold onto your passwords for an extended period of time and snoop on you. That’s not profitable — and attackers are just after profit. You’ll notice if someone gains access to your accounts.

Password changes in response to specific events are a good thing, of course. It’s a good idea to change your passwords on websites that were vulnerable to Heartbleed but have now patched it. Changing your password after a website has its passwords database stolen is also a good idea.

http://www.howtogeek.com/187645/htg-explains-should-you-regularly-change-your-passwords/

3

If an attacker could gain access to the encrypted passwords, it would take her some time to brute-force them (at least theoretically). Forcing users to change their passwords regularly was meant to make that task futile. If it was estimated to take, let's say, 40 days to brute-force an 8-character password, making your users change it every 30 days would render the brute-forced password useless. Or at least that is what people thought some years ago.

Now, let's come back to the real world. It is not only that brute-forcing passwords is pretty much useless per se, as most passwords are not random but word-based, so a dictionary attack is much more efficient; and that password-cracking software and hardware are growing exponentially (like GPU-based software), so the minimum length and complexity you should require of your users would be growing each year, thus making "lost my password" usage grow each year; but forcing people to change their passwords so often makes them use time-based or sequence-based passwords, like mypassword-aug2014 or mypassword-7th-change, so the purpose behind the change is completely reversed, as anybody would guess the next password in those cases even if a year has passed.

If possible, use two-factor authentication.

NuTTyX

Yes, we must always remember the real world scenario. Also, if we force users to change their passwords too often, they'll end up writing their passwords somewhere, which is a tremendous security risk – Mateus Viccari Mar 09 '20 at 19:00
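The two claims in the answer above (rotation only matters when the brute-force search outlasts the rotation interval, and forced rotation pushes people towards guessable suffixes like mypassword-aug2014) can both be checked with a small script. The following is an added example, not code from the answer or from any site's password policy; the guessing rate, the charset sizes, the century cut-off, the suffix patterns and the function names are all assumptions chosen for illustration. The first half estimates expected brute-force time for a uniformly random password and classifies what a rotation interval does against it; the second half is the kind of check a password-change handler could run on the defender's side to reject a new password that is merely the old one with a date or counter swapped.

```python
import re

# Constructed assumption: an illustrative offline guessing rate against a fast,
# unsalted hash. Real rates depend on the hash function and the hardware.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_DAY = 86400


def expected_crack_days(length: int, alphabet_size: int,
                        guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected days to brute-force a uniformly random password.

    On average half of the keyspace is searched before the password is hit.
    """
    keyspace = float(alphabet_size) ** length
    return keyspace / 2 / guesses_per_second / SECONDS_PER_DAY


def rotation_verdict(length: int, alphabet_size: int, rotation_days: int,
                     guesses_per_second: float = GUESSES_PER_SECOND) -> str:
    """Classify what a rotation interval does against an exhaustive search.

    'cracked before expiry' : the search finishes inside the interval, so
                              rotation does not help.
    'expiry beats search'   : the answer's 40-day-crack / 30-day-rotation case.
    'never cracked anyway'  : the search outlasts a century (assumed cut-off),
                              so rotation adds nothing either.
    """
    days = expected_crack_days(length, alphabet_size, guesses_per_second)
    if days <= rotation_days:
        return "cracked before expiry"
    if days > 100 * 365:
        return "never cracked anyway"
    return "expiry beats search"


# Suffixes people append when forced to rotate: month+year, an ordinal change
# counter, a bare number, or a single trailing symbol added to satisfy a rule.
# Applied repeatedly, so "pw-aug2014-2" also reduces to the stem "pw".
ROTATION_SUFFIX = re.compile(
    r"""[-_. ]?(?:
          (?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*[-_. ]?\d{2,4}
        | \d{1,3}(?:st|nd|rd|th)[-_. ]?change
        | \d{1,4}
        | [!@#$%^&*]
    )$""",
    re.IGNORECASE | re.VERBOSE,
)


def stem(password: str) -> str:
    """Reduce a password to the part that survives cosmetic rotation suffixes."""
    current = password
    while True:
        stripped = ROTATION_SUFFIX.sub("", current)
        if stripped == current:
            return current.lower()
        current = stripped


def is_cosmetic_change(old: str, new: str, min_stem: int = 4) -> bool:
    """True when `new` is just `old` with a date/counter suffix swapped.

    Such a change leaves the new password guessable from the old one, which is
    the failure mode the answer describes. Very short shared stems are ignored
    so that two unrelated all-numeric passwords are not flagged as related.
    """
    if old == new:
        return True  # no change at all
    s_old, s_new = stem(old), stem(new)
    return len(s_old) >= min_stem and s_old == s_new


if __name__ == "__main__":
    for length, alphabet, label in [(8, 26, "8 lowercase letters"),
                                    (8, 95, "8 printable ASCII"),
                                    (10, 62, "10 alphanumerics"),
                                    (20, 95, "20 printable ASCII")]:
        print(f"{label:20s} ~{expected_crack_days(length, alphabet):.3g} days"
              f" -> {rotation_verdict(length, alphabet, 30)}")
    for old, new in [("mypassword-aug2014", "mypassword-sep2014"),
                     ("mypassword-7th-change", "mypassword-8th-change"),
                     ("mypassword-aug2014", "aod1937:#;/jwi6;(@6sk")]:
        print(f"{old!r} -> {new!r}: cosmetic change = {is_cosmetic_change(old, new)}")
```

With the assumed rate, an 8-character password from the full printable set is searched in a few days, so a 30-day rotation changes nothing; a 20-character random string is never searched at all, so rotation changes nothing there either. Only a narrow middle band (the 10-alphanumeric case here) matches the "40 days to crack, rotate every 30" reasoning, and that band moves as hardware improves. The stem check is the complementary control: if a policy does force rotation, rejecting changes that share a stem with the previous password removes the mypassword-aug2014 shortcut that the answer says defeats the policy.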
2

Changing your password is more of a precautionary feature than actual security. Theoretically, almost any password can be cracked; thus, even if your password is 'aod1937:#;/jwi6;(@6sk', it could be cracked. If someone has cracked it, they have access to what it's protecting. Changing your password ends their access: thus by changing it regularly you limit the time attackers have to do damage.

ArtOfCode