
Changing your password regularly is a terrible idea, and here's why


steven36


Forcing users to think up new passwords too often could make you less secure, not more.

 


 

Forcing users to change passwords will make security weaker, not stronger.

 

Making users change their passwords frequently could actually make systems less secure, the UK's information security agency has warned.

 

Most administrators force users to change their password at regular intervals -- every 30, 60, or 90 days, for example. But this carries no real benefits as stolen passwords are generally exploited immediately, said CESG, the IT security arm of surveillance agency GCHQ.

 

In a post explaining the thinking behind its recommendation that organisations should stop forcing users to frequently change their passwords, CESG said that we are all suffering from password overload: most password policies force us to use passwords that we find hard to remember, that are as long as possible, and as 'random' as possible.

 

"And while we can manage this for a handful of passwords, we can't do this for the dozens of passwords we now use in our online lives," it said.

 

If users are forced to change passwords they will mostly choose something that is a slight variation on the original one, or one that they have used elsewhere, or a weaker one. These behaviours can be exploited, CESG said: attackers can often work out the new password, if they have the old one.

 

Regularly changed passwords are more likely to be written down (another vulnerability) or forgotten, which means lost productivity for users and a pain for the help desk that has to reset it.

 

"It's one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn't, it turns out, stand up to a rigorous, whole-system analysis," CESG said.

 

Not forcing regular password expiry reduces the vulnerabilities associated with regularly expiring passwords while doing little to increase the risk of long-term password exploitation, CESG added.

According to CESG, the use of compromised passwords is better combated by monitoring logins to detect unusual use and notifying users with details of logins, so that they can report any for which they were not responsible.

 

CESG is not alone in calling for the end of expiring passwords. Lorrie Cranor, chief technologist at the Federal Trade Commission, made a similar point recently when she said: "Research suggests frequent mandatory expiration inconveniences and annoys users without as much security benefit as previously thought, and may even cause some users to behave less securely."

 

The Source

 

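The article's alternative to forced rotation is to monitor logins for unusual use and tell users about sign-ins they may not recognise. The following is an added illustration of that approach written for this thread; it is not CESG's code, nor the forum's, and the log format, the sample log lines, the "new IP" and "burst of failures before a success" heuristics, and the thresholds are all assumptions made for the example.

```python
"""Login monitoring example: flag unusual sign-ins and build per-user notifications.

Added illustration of the CESG recommendation quoted in the thread (monitor
logins for unusual use, notify users so they can report sign-ins that were
not theirs). Not CESG's code. Log format and sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format: ISO timestamp, user, source IP, result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>success|failure)$"
)

# Constructed sample log. alice normally signs in from 203.0.113.5; the
# 2016-04-20 success from 198.51.100.77 follows a burst of failed attempts.
SAMPLE_LOG = """\
2016-04-18T08:55:10Z user=alice ip=203.0.113.5 result=success
2016-04-19T09:01:42Z user=alice ip=203.0.113.5 result=success
2016-04-19T09:03:00Z user=bob ip=192.0.2.10 result=success
2016-04-20T02:14:01Z user=alice ip=198.51.100.77 result=failure
2016-04-20T02:14:05Z user=alice ip=198.51.100.77 result=failure
2016-04-20T02:14:09Z user=alice ip=198.51.100.77 result=failure
2016-04-20T02:14:13Z user=alice ip=198.51.100.77 result=failure
2016-04-20T02:14:20Z user=alice ip=198.51.100.77 result=success
2016-04-20T10:30:00Z user=bob ip=192.0.2.10 result=success
"""


def parse_log(text):
    """Parse the constructed log format into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "user": m["user"], "ip": m["ip"], "result": m["result"]})
    events.sort(key=lambda e: e["ts"])
    return events


def flag_unusual_logins(events, failure_window=timedelta(minutes=10), failure_threshold=3):
    """Return alerts for successful logins that look unusual.

    Two heuristics (assumptions chosen for this example, not a standard):
      * 'new_ip'      : the user has a baseline of earlier successes, none from this IP.
      * 'after_burst' : at least `failure_threshold` failures for the same user
                        occurred within `failure_window` before the success.
    """
    known_ips = defaultdict(set)        # user -> IPs seen on earlier successes
    recent_failures = defaultdict(list)  # user -> timestamps of failures since last success
    alerts = []
    for e in events:
        user = e["user"]
        if e["result"] == "failure":
            recent_failures[user].append(e["ts"])
            continue
        reasons = []
        if known_ips[user] and e["ip"] not in known_ips[user]:
            reasons.append("new_ip")
        cutoff = e["ts"] - failure_window
        burst = [t for t in recent_failures[user] if t >= cutoff]
        if len(burst) >= failure_threshold:
            reasons.append("after_burst")
        recent_failures[user] = []
        known_ips[user].add(e["ip"])
        if reasons:
            alerts.append({"user": user, "ts": e["ts"], "ip": e["ip"], "reasons": reasons})
    return alerts


def build_notifications(alerts):
    """Group alerts per user into the message that would be sent to that user."""
    per_user = defaultdict(list)
    for a in alerts:
        per_user[a["user"]].append(
            f"{a['ts'].isoformat()}Z from {a['ip']} ({', '.join(a['reasons'])})"
        )
    return {u: "Sign-ins you may not recognise:\n  " + "\n  ".join(lines)
            for u, lines in per_user.items()}


if __name__ == "__main__":
    alerts = flag_unusual_logins(parse_log(SAMPLE_LOG))
    for user, text in build_notifications(alerts).items():
        print(f"--- to {user} ---\n{text}")
```

Run as a script it prints one notification, for alice, covering the 02:14:20 sign-in from 198.51.100.77 with both reasons attached; bob's sign-ins from his usual address produce nothing. The first ever success for a user is deliberately not flagged, since there is no baseline to compare it with.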



Absolutely correct. Passwords imposed by banks are each time more impossible to remember, so my only resource is to keep them saved in a notebook. I pretended to keep it in a safe place, but lately I "discover" it more and more frequently on my desk. Actually, one of my banks uses 3 different passwords and codes, including a "coordinates" code, which changes for each operation and for which you must use a card provided by the bank, and operations finally must be confirmed by a code sent to my cellphone!

Some time ago I was in Panama and I couldn't confirm a transfer to an account not yet registered because the code was supposed to be sent to my local cellphone.

I have 4 ATM cards, each one with a 6 digit code to be used on a point-of-sale terminal, and two of those banks require me to change them after 90 days!



Hundred percent agree that it is an absolutely idiotic requirement.
But the human mind cannot do anything against nature ....



19 hours ago, CODYQX4 said:

More annoyingly, when none of the questions apply. Gee, Apple, you sure seem to assume everyone is married and has traveled a lot based off your security questions. Same goes for the banks.

An old anti-hacker trick:

 

Your pet's name ?

A big red building

In which city were you married ?

A fat elephant

Your favorite color ?

Tramstation

 

It helps, a bit. Especially if the hacker has access to your personal data or knows you personally.

Hard bit is remembering my answers. I write them down on paper. Without the questions.

;)



1 hour ago, Pequi said:

An old anti-hacker trick:

 

 

Might not be the best idea to use weird answers to security questions. You might find your answer funny, but it's too easy to forget. But you could associate the answers with some other familiar concepts like:

Your pet's name: Obama

City where you were married: Atlantis

Your favorite color: Money

etc..

Now, the main problem is that in about 99,9% of the cases when your bank account is blocked, it's because you don't remember that fancy code you invented, and you know you wrote it somewhere but can't remember where, and then you find a page with 10 codes changed recently for your ATM cards, credit cards, accounts, etc. and you simply don't know which one is that of your current bank account. So you try to recover and don't remember the correct answer to some stupid security question.



On 4/18/2016 at 5:05 PM, steven36 said:

the use of compromised passwords is better combated by monitoring logins to detect unusual use and notifying users with details of logins, so that they can report any for which they were not responsible.

- I think such reporting is annoying as well. Time is precious.
- Whatever security question comes up, my answer is always the same word.
- If I want to act more safely, I take a combination of this word and one of three city names.
- For passwords that have to change regularly, a password manager like KeePass can be a choice too.

 



vibranium

What I hate are the systems that force 2FA, 3FA ad nauseam. The savvy user cannot override these ridiculous settings.



On Monday, 2 May 2016 at 2:04 AM, vibranium said:

What I hate are the systems that force 2FA, 3FA ad nauseam.

Same here. I had to give my phone number to my local email provider "for my safety", and now I get flooded with spam calls. So many that I only answer the phone if I know the number calling. Ironically, a month after I gave them my number, the free service became payware, and I closed the account.



For passwords that change on a regular basis I always use password_YYMM where YY is the year and MM is the month. So far I have yet to call the Help Desk to reset any of my 2 dozen passwords. Security Managers are all paranoid. I think being paranoid is a job requirement.

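The article's point that a rotated password is usually a slight variation of the old one (so whoever holds the old one can work out the new one), and the password_YYMM scheme in the post above, both come down to the same check on the defender's side: at change time, reject a new password that is a predictable edit of the previous one. Below is an added example of such a check, written for this thread; it is not CESG's code or any product's. The normalisation rules (stripping leading and trailing digits and punctuation, undoing common character substitutions), the edit-distance threshold and the date-suffix pattern are assumptions chosen for the illustration, and the sample passwords are constructed.

```python
"""Password-change check that rejects predictable variations of the old password.

Added example for the thread's points that rotated passwords tend to be small
edits of the previous one and that schemes like password_YYMM are guessable.
Not CESG's or any product's code; rules and thresholds are assumptions.
"""
import re

# Assumption: undo these common substitutions before comparing stems.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
# Trailing YYMM or YYYYMM, optionally preceded by - _ or .  (e.g. password_1605)
DATE_SUFFIX = re.compile(r"[-_.]?(?:19|20)?\d{2}(?:0[1-9]|1[0-2])$")


def stem(pw):
    """Strip leading/trailing digits and punctuation, undo substitutions, lowercase."""
    s = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw.strip())
    return s.translate(LEET).lower()


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def variation_reasons(old, new, max_edits=2):
    """Return the reasons `new` is a predictable variation of `old` ([] if none)."""
    if new == old:
        return ["identical"]
    reasons = []
    if new.lower() == old.lower():
        reasons.append("case_only")
    if levenshtein(old, new) <= max_edits:
        reasons.append("few_edits")
    so, sn = stem(old), stem(new)
    if so and so == sn:
        reasons.append("same_stem")  # differs only in surrounding digits/punctuation
    if (DATE_SUFFIX.search(old) and DATE_SUFFIX.search(new)
            and DATE_SUFFIX.sub("", old) == DATE_SUFFIX.sub("", new)):
        reasons.append("date_suffix_rotation")  # the password_YYMM pattern
    if new[::-1] == old:
        reasons.append("reversed")
    return reasons


def check_password_change(old, new):
    """Policy entry point: (accepted, reasons). Constructed wrapper for the example."""
    reasons = variation_reasons(old, new)
    return (not reasons, reasons)


if __name__ == "__main__":
    samples = [  # constructed pairs: (previous password, proposed new password)
        ("Summer2016!", "Summer2017!"),
        ("password_1604", "password_1605"),
        ("hunter2", "2retnuh"),
        ("correct horse", "battery staple"),
    ]
    for old, new in samples:
        ok, reasons = check_password_change(old, new)
        print(f"{old!r} -> {new!r}: {'accept' if ok else 'REJECT'} {reasons}")
```

The check needs the previous password in cleartext at the moment of the change, which is exactly when the user has just typed it, so it fits naturally into a change-password form without storing anything extra. It does not replace a breached-password or minimum-strength check; it only catches the rotation shortcuts the article describes.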


On 2/5/2016 at 10:34 AM, vibranium said:

What I hate are the systems that force 2FA, 3FA ad nauseam. The savvy user cannot override these ridiculous settings.

 

8 hours ago, Pequi said:

Same here. I had to give my phone number to my local email provider "for my safety", and now I get flooded with spam calls. So many that I only answer the phone if I know the number calling. Ironically, a month after I gave them my number, the free service became payware, and I closed the account.

 

I got locked out of my Google account for a few days or more. Why? Because for some reason they were not sending me codes via SMS. They did not even send me codes to the backup phones, that is, 3-4 of them. All these phones could receive SMS just fine, but somehow Google's SMS never reached them. While I did forget to install the authenticator app, the built-in codes from the Google Settings app did not work either. It might be mentioned that when I had enabled it in my Google account, I do not remember them offering me any backup codes, or maybe they did offer but I did not save them on the computer. Sure, that could have been a mistake on my side. But not receiving any codes, whose mistake is that?

 

Filed a form they offer to get the account back. They asked when I made my account; how can I remember dates of things that were done like 10 years ago or more? Whatever it is, I gave all the answers as correctly as possible. They rejected my request.

 

Thinking that I had lost my Google account, I gave up. A couple of days later, I tried for the SMS code again and suddenly the phone got the SMS. It was the Google code.

 

I did not do any changes from my side. It was a problem from Google's side. I wrote them a long feedback letter where the only thing I was left to write was abuses in it.

 

Either way, this is a nice example for everyone. I also hope it helps anyone who might be having this problem, I think.



Rastus_BoJangles_Johnson

 

On 5/3/2016 at 8:57 AM, Pequi said:

Same here. I had to give my phone number to my local email provider "for my safety", and now I get flooded with spam calls. So many that I only answer the phone if I know the number calling. Ironically, a month after I gave them my number, the free service became payware, and I closed the account.

This is pure BS. I have abandoned several accounts for this very reason. They say something looks different about your login attempt, and for MY safety please provide phone#. :lmao:


