Thread: Study: Frequent password changes are useless

  1. #1 Study: Frequent password changes are useless 

    Tue Apr 13, 2:16 pm ET

    Users hate them. They're a massive headache to network administrators. But IT departments often mandate them nonetheless: regularly scheduled password changes — part of a policy intended to increase computer security.

    Now new research proves what you've probably suspected ever since your first pop-up announcing that your password has expired and you need to create a new one. This presumed security measure is little more than a big waste of time, the Boston Globe reports.

    Microsoft undertook the study to gauge how effectively frequent password changes thwart cyberattacks, and found that the advice generally doesn't make much sense, since, as the study notes, someone who obtains your password will use it immediately, not sit on it for weeks until you have a chance to change it. "That’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door," the Globe says.

    On the bright side, changing your password isn't harmful, either, unless you use overly short or obvious passwords or you're sloppy about how you remember them. (Many users forced to change their password too frequently resort to writing them on sticky notes attached to their monitor, about the worst possible computer security behavior you can undertake.)

    Rather, frequent password changes are simply a waste of time and, therefore, money. According to the Microsoft researcher's very rough calculations: To be economically justifiable, each minute per day that computer users spend on changing passwords (or on any security measure) should yield $16 billion in annual savings from averted harm. No one can cite a real statistic on password changes' averted losses, but few would estimate it's anywhere approaching $16 billion a year.

    Interesting.

    Yahoo

  2. #2  
    Power CUer FlaGator
    Join Date
    Apr 2004
    Location
    The Swamps of N. Florida
    Posts
    22,172
    Quote Originally Posted by Gingersnap:
    Interesting.

    Yahoo
    I just sent that to my boss and his boss. Not that it will change anything but it could give them something to discuss with the Info Security department.

    I believe in Christianity as I believe that the sun has risen: not only because I see it, but because by it I see everything else.
    C. S. Lewis

  3. #3  
    Quote Originally Posted by FlaGator:
    I just sent that to my boss and his boss. Not that it will change anything but it could give them something to discuss with the Info Security department.
    It makes a lot of sense although I have to say I never gave it any serious thought until today. Password theft or hacking is a "snapshot" type of crime. You could change your password at 10:00 a.m. and have it hacked at 10:03 a.m. By noon, whatever damage was going to be done would have already happened.

  4. #4  
    Senior Member malloc
    Join Date
    Apr 2009
    Location
    Queen Creek, AZ
    Posts
    2,147
    The IT industry has known this truth for quite some time now. My company has to remain PCI (Payment Card Industry) compliant because we deal in credit card and bank data, and their requirements still make us rotate passwords frequently. They have a "We've always done it this way" mentality that no amount of evidence to the contrary will change. The simple fact of the matter is that rotating from a weak password to a weak password, even frequently, still only yields a weak password that is likely easily brute forced if that type of attack is used. The better solution is to enforce strong password policies with less frequent rotations.
    "In England a king hath little more to do than to make war and give away places; which in plain terms, is to impoverish the nation and set it together by the ears. A pretty business indeed for a man to be allowed eight hundred thousand sterling a year for, and worshipped into the bargain! Of more worth is one honest man to society and in the sight of God, than all the crowned ruffians that ever lived."
    —Thomas Paine, Common Sense

  5. #5  
    Resident Grump
    Join Date
    May 2005
    Posts
    7,767
    That's what we do, and frequently. I have a dozen or so I cycle through with some variations, and mine are so randomly chosen that even trying to guess it will take weeks.

    For example, one was based on a book I read. I took a character name, scrambled it, added numbers and then added a three-letter random suffix: one capital, one lowercase and one number. :D

  6. #6  
    Member talleyJudy
    Join Date
    May 2008
    Location
    River Falls, WI
    Posts
    35
    Ok, I just couldn't resist this: :p :D

    During a recent PASSWORD AUDIT at the Bank of Ireland it was found
    that Paddy O'Toole was using the following password:
    MickeyMinniePlutoHueyLouieDeweyDonaldGoofyDublin

    When Paddy was asked why he had such a long password: he replied
    ''Bejazus! are yez stupid? Shore Oi was told me password had
    to be at least 8 characters long and include one capital''
    "If there are no dogs in Heaven, then when I die I want to go where they went." author Will Rogers

  7. #7  
    Senior Member
    Join Date
    Jun 2005
    Location
    Woodland Park, Colorado, United States
    Posts
    8,563
    I've never understood this. Was some hacker getting close to cracking the code that even I can't remember? If he hasn't figured it out in the 180 days it took me to memorize it, isn't it a pretty good password? If I do change it from the un-hacked password that was apparently pretty good, don't I stand a good chance of choosing a less safe one?

    IT guys must be liberals.:mad:
    Education without values, as useful as it is, seems rather to make man a more clever devil.
    C. S. Lewis
    Do not ever say that the desire to "do good" by force is a good motive. Neither power-lust nor stupidity are good motives. (Are you listening Barry)?:mad:
    Ayn Rand

  8. #8  
    Senior Member malloc
    Join Date
    Apr 2009
    Location
    Queen Creek, AZ
    Posts
    2,147
    Quote Originally Posted by AmPat:
    I've never understood this. Was some hacker getting close to cracking the code that even I can't remember? If he hasn't figured it out in the 180 days it took me to memorize it, isn't it a pretty good password? If I do change it from the un-hacked password that was apparently pretty good, don't I stand a good chance of choosing a less safe one?

    IT guys must be liberals.:mad:
    The main reason that passwords are still required to be rotated often has more to do with history, and with IT management having a "we've always done it this way" mentality, than with actual utility.

    Back in the day, passwords were usually capped at 8 characters, or 16 for secure or strong systems. The reason for this was to save memory and processing power. Your password is stored on the computer, not in a plain-text, readable way, but with a one-way cipher like an MD5 or a crypt. So if your password was 12345, that would go into a one-way cipher (digesting) function, and the output would be something like 'BFBABDBDBFEHH12' or whatever. However, starting with 'BFBABDBDBFEHH12' one could never get back to '12345'. When you logged in, the computer would take the password you provided, pass it into this digesting function, then compare the output of that function with the password it had on file for your account. These digesting functions take more memory and more processing power for each character in the password, which is why passwords were limited in size.

    A dictionary or brute force attack, when it was known that passwords would be at most 8 characters in length, was much easier to pull off, given the relatively small amount of computational power the attacker had. Additionally, the attacker didn't have to guess your exact password; he could also hope for a collision, which is the case when his input, even if it's not 12345, still digests to 'BFBABDBDBFEHH12'. At that time, mandatory password rotations were beneficial.

    Today we can use pretty much any character in the UTF-8 set in our passwords, as well as very long lengths. Brute force attackers also have enormous amounts of computational power to use in attempting dictionary attacks. Therefore strong password requirements are much more beneficial than a requirement to change passwords often.

    Just don't try to argue that with old-school IT management. They'll look at you like you just asked them to try a cat meat sandwich.
    "In England a king hath little more to do than to make war and give away places; which in plain terms, is to impoverish the nation and set it together by the ears. A pretty business indeed for a man to be allowed eight hundred thousand sterling a year for, and worshipped into the bargain! Of more worth is one honest man to society and in the sight of God, than all the crowned ruffians that ever lived."
    —Thomas Paine, Common Sense
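An added worked example, not code from the thread, from the Microsoft study or from any PCI-scoped system mentioned above, illustrating what posts #4 and #8 describe: a login that re-digests the supplied password and compares it to the stored record, a dictionary attack that does exactly the same thing in a loop (so a weak password rotated to another weak password still falls), and the keyspace arithmetic that shows why length and charset matter far more than rotation. It uses only the Python standard library: `hashlib.md5` stands in for the legacy unsalted digest the post mentions, and salted PBKDF2-HMAC-SHA256 stands in for a modern slow hash. The iteration count, the wordlist, the sample passwords and the guess rate of one billion per second are all assumptions constructed for the demonstration.

```python
"""Added example (not from the thread): password storage, verification,
dictionary attack, and keyspace estimates.  All sample data is constructed."""
import hashlib
import hmac
import os
from typing import Iterable, Optional


def legacy_md5(password: str) -> str:
    """The old scheme from post #8: an unsalted one-way digest of the bare
    password.  Identical passwords give identical digests for every user, so
    one precomputed table or one cracked hash serves an attacker everywhere."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Assumed iteration count for the demo; production values are tuned per host.
DEFAULT_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Modern scheme: random per-user salt plus a deliberately slow KDF.
    Returns a self-describing record so the verifier knows the parameters."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(candidate: str, stored: str) -> bool:
    """The login step post #8 describes: re-digest the supplied password with
    the stored parameters and compare to the digest on file."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so the check itself leaks nothing about the digest.
    return hmac.compare_digest(dk.hex(), dk_hex)


def dictionary_attack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Attacker side: the same verification routine, run over a wordlist.
    A slow KDF only raises the cost per guess; a weak password still falls."""
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must cover."""
    return charset_size ** length


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return keyspace(charset_size, length) / guesses_per_second / (365 * 24 * 3600)


# Constructed wordlist: common choices plus the "rotated" variants users produce.
WEAK_WORDS = ["password", "letmein", "qwerty", "12345", "123456", "welcome1",
              "summer2010", "Summer2010!", "Winter2010!", "Spring2011!"]

if __name__ == "__main__":
    record = hash_password("Winter2010!", iterations=20_000)
    print("login ok :", verify_password("Winter2010!", record))
    print("cracked  :", dictionary_attack(record, WEAK_WORDS))
    print("md5 same for every user with this password:",
          legacy_md5("12345") == legacy_md5("12345"))
    print("salted records differ for the same password:",
          hash_password("12345", iterations=1_000) != hash_password("12345", iterations=1_000))
    # Assumed attacker rate: 1e9 guesses/s against a fast unsalted hash.
    for charset, length in ((26, 8), (62, 8), (95, 16)):
        print(f"charset {charset:>2}, length {length:>2}: "
              f"{years_to_exhaust(charset, length, 1e9):.3g} years to exhaust")
```

Run it as a script to see the demonstration; the point to take away is that the 8-character lowercase space is exhausted in minutes at the assumed rate, while a 16-character password over the printable ASCII set is out of reach by many orders of magnitude, and that no amount of rotating between entries of `WEAK_WORDS` changes the attacker's cost.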
