
I have a TrueCrypt container that uses a 64-character password. This password contains all the different kinds of characters available to me (upper case, lower case, digits, special). It has taken me a long while to memorize this password, so I would not want to change it to a completely new password.

What I am protecting is nothing too important, at least not to any agency such as the NSA. It contains my own private information that I don't want anyone to read. I am more worried about family/friends getting into this container, as well as identity thieves.

Now it's time to change the password. I've been thinking about changing a few characters in this password. I wonder, what's the minimum number of characters I should change to make it secure enough? Changing it to a completely new password is not an option for me.

asked by Rinel
    Normally, I'd vote to close that as "opinion-based" but there is an opportunity for a good answer about the pros and cons of password expiration policies and general password usage – Stephane May 27 '15 at 14:36

1 Answer

3

Why is now the time to change your password?

If your password has been compromised, then you really should create an entirely new one. Both character-level and semantic correlations between your old password and new password can reduce the attack space for a brute-force attack substantially. As others have pointed out, susceptibility to a brute-force attack is really the only technical criterion you need to worry about when choosing passwords (of course, memorizability is another practical consideration).

If only part of your password has been compromised, and you're not storing any mission-critical information, then perhaps you can tolerate changing only a few characters, but you certainly are still more susceptible to a brute-force attack.

If you're just performing some "spring cleaning" and want to refresh your password, think about whether the change is really necessary. If you think you're susceptible to a brute-force attack, then you should change your password, but you'll probably need to change it pretty substantially to fix the flaw. Most brute-force attacks work by first targeting common passwords, and then modifying those common words with alterations (adding "!" to the end, substituting "@" for "a", etc.). Otherwise, if your password is otherwise secure and you've invested the time to memorize it, I don't see any reason to change it. That said, randomly changing a few characters of an otherwise-secure password shouldn't hurt you much, either.

answered by James Evans
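To put the answer's point about correlated passwords into numbers, here is an added example (not from the question or the answer) that counts how many candidates an attacker who already knows the old 64-character password must try when only k positions are changed, compared with the full space of a fresh password. The 94-symbol printable-ASCII alphabet and the guess rate are assumptions, not facts from the page.

```python
from math import comb, log2

ALPHABET = 94   # assumption: printable ASCII symbols (upper, lower, digits, specials)
LENGTH = 64     # password length from the question


def candidates_exactly_k_changed(k, length=LENGTH, alphabet=ALPHABET):
    """Candidates an attacker must try if they hold the OLD password and know
    that exactly k positions were changed: pick the k positions, then a new
    symbol (different from the old one) at each of them."""
    return comb(length, k) * (alphabet - 1) ** k


def candidates_up_to_k_changed(k, length=LENGTH, alphabet=ALPHABET):
    """Same, but the attacker only knows 'at most k positions changed'."""
    return sum(candidates_exactly_k_changed(i, length, alphabet) for i in range(1, k + 1))


def fresh_password_space(length=LENGTH, alphabet=ALPHABET):
    """Search space for an entirely new password of the same length and charset."""
    return alphabet ** length


def bits(candidates):
    """Work factor expressed as bits of entropy the attacker must search."""
    return log2(candidates)


def days_to_exhaust(candidates, guesses_per_second):
    """Worst-case time to try every candidate at a given guess rate."""
    return candidates / guesses_per_second / 86400


if __name__ == "__main__":
    # Assumption: a slow password-based key derivation limits an attacker
    # to roughly 10,000 container-open attempts per second.
    rate = 10_000
    for k in (1, 2, 3, 4):
        n = candidates_up_to_k_changed(k)
        print(f"<= {k} chars changed, old password known: 2^{bits(n):.1f} "
              f"candidates, {days_to_exhaust(n, rate):.2g} days at {rate}/s")
    full = fresh_password_space()
    print(f"fresh {LENGTH}-char password: 2^{bits(full):.1f} candidates")
```

The numbers show why the answer treats a leaked old password as requiring a full replacement: a handful of changed characters leaves a space of a few tens of bits, while the unchanged 64-character password still carries over 400 bits against someone who never saw it.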