#1 Study: Frequent password changes are useless
04-15-2010, 12:01 PM
Study: Frequent password changes are useless
Tue Apr 13, 2:16 pm ET
Users hate them. They're a massive headache to network administrators. But IT departments often mandate them nonetheless: regularly scheduled password changes — part of a policy intended to increase computer security.
Now new research proves what you've probably suspected ever since your first pop-up announcing that your password has expired and you need to create a new one. This presumed security measure is little more than a big waste of time, the Boston Globe reports.
Microsoft undertook the study to gauge how effectively frequent password changes thwart cyberattacks, and found that the advice generally doesn't make much sense, since, as the study notes, someone who obtains your password will use it immediately, not sit on it for weeks until you have a chance to change it. "That’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door," the Globe says.
On the bright side, changing your password isn't harmful, either, unless you use overly short or obvious passwords or you're sloppy about how you remember them. (Many users forced to change their password too frequently resort to writing them on sticky notes attached to their monitor, about the worst possible computer security behavior you can undertake.)
Rather, frequent password changes are simply a waste of time and, therefore, money. According to the Microsoft researcher's very rough calculations: To be economically justifiable, each minute per day that computer users spend on changing passwords (or on any security measure) should yield $16 billion in annual savings from averted harm. No one can cite a real statistic on password changes' averted losses, but few would estimate it's anywhere approaching $16 billion a year.
04-15-2010, 01:34 PM
"Progress is Providence without God. That is, it is a theory that everything has always
perpetually gone right by accident. It is a sort of atheistic optimism, based on an
everlasting coincidence far more miraculous than a miracle.”
G. K. Chesterton
04-15-2010, 01:51 PM
04-15-2010, 05:09 PM
The IT industry has known this truth for quite some time now. My company has to remain PCI (Payment Card Industry) compliant because we deal in credit card and bank data, and their requirements still make us rotate passwords frequently. They have a "we've always done it this way" mentality that no amount of evidence to the contrary will change. The simple fact of the matter is that rotating from a weak password to a weak password, even frequently, still only yields a weak password that is likely easily brute-forced if that type of attack is used. The better solution is to enforce strong password policies with less frequent rotations.
"In England a king hath little more to do than to make war and give away places; which in plain terms, is to impoverish the nation and set it together by the ears. A pretty business indeed for a man to be allowed eight hundred thousand sterling a year for, and worshipped into the bargain! Of more worth is one honest man to society and in the sight of God, than all the crowned ruffians that ever lived."
—Thomas Paine, Common Sense
Sonnabend (Guest), 04-16-2010, 11:57 AM
That's what we do, and frequently. I have a dozen or so I cycle through with some variations, and mine are so randomly chosen that even trying to guess one will take weeks.
For example, one was based on a book I read: I took a character name, scrambled it, added numbers and then added a three-letter random suffix, one capital, one lowercase and one number. :D
04-17-2010, 08:00 PM
Ok, I just couldn't resist this: :p :D
During a recent PASSWORD AUDIT at the Bank of Ireland it was found
that Paddy O'Toole was using the following password:
When Paddy was asked why he had such a long password, he replied:
"Bejazus! Are yez stupid? Shore Oi was told me password had
to be at least 8 characters long and include one capital."
"If there are no dogs in Heaven, then when I die I want to go where they went." Will Rogers
04-23-2010, 02:24 PM
I've never understood this. Was some hacker getting close to cracking the code that even I can't remember? If he hasn't figured it out in the 180 days it took me to memorize it, isn't it a pretty good password? If I do change it from the un-hacked password that was apparently pretty good, don't I stand a good chance of choosing a less safe one?
IT guys must be liberals. :mad:
Education without values, as useful as it is, seems rather to make man a more clever devil.
C. S. Lewis
Do not ever say that the desire to "do good" by force is a good motive. Neither power-lust nor stupidity are good motives. (Are you listening Barry)?:mad:
04-23-2010, 05:09 PM
Back in the day, passwords were usually capped at 8 characters, or 16 for secure or strong systems. The reason for this was to save memory and processing power. Your password is stored on the computer, not in a plain-text, readable way, but with a one-way cipher like MD5 or crypt. So if your password was 12345, that would go into a one-way cipher (digesting) function, and the output would be something like 'BFBABDBDBFEHH12' or whatever. However, starting from 'BFBABDBDBFEHH12' one could never get back to '12345'. When you logged in, the computer would take the password you provided, pass it into this digesting function, then compare the output of that function with the digest it had on file for your account. These digesting functions take more memory and more processing power for each character in the password, which is why passwords were limited in size.
A dictionary or brute-force attack, when it was known that passwords would be at most 8 characters long, was much easier to pull off, given the relatively small amount of computational power the attacker had. Additionally, the attacker didn't have to guess your exact password; he could also hope for a collision, which is the case when his input, even if it's not 12345, still digests to 'BFBABDBDBFEHH12'. At that time, mandatory password rotations were beneficial.
Today we can use pretty much any character in the UTF-8 set in our passwords, as well as very long passwords. Brute-force attackers also have enormous amounts of computational power to use in attempting dictionary attacks. Therefore strong password requirements are much more beneficial than a requirement to change passwords often.
Just don't try to argue that with old-school IT management. They'll look at you like you just asked them to try a cat-meat sandwich.
"In England a king hath little more to do than to make war and give away places; which in plain terms, is to impoverish the nation and set it together by the ears. A pretty business indeed for a man to be allowed eight hundred thousand sterling a year for, and worshipped into the bargain! Of more worth is one honest man to society and in the sight of God, than all the crowned ruffians that ever lived."
—Thomas Paine, Common Sense
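The post above describes the store-a-digest-and-compare login flow and the dictionary attack that works against it, and the earlier post in this thread argues that a weak password stays weak no matter how often it is rotated. The following is an added example written for this thread, not code from any poster: it implements the unsalted-MD5 scheme the post describes, a login check that digests the candidate and compares it to the stored record, and a dictionary attack that runs through that same check. It also stores the same password with salted, iterated PBKDF2-HMAC-SHA256 (an assumed modern alternative, not something the post names) so that the per-guess cost of the attack can be compared, and it computes the key-space size for the 8-character cap the post mentions. The wordlist and example passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import math
import os
from typing import Callable, Optional, Tuple


# --- Legacy scheme from the post: the stored record is an unsalted MD5 digest ---
def store_md5(password: str) -> str:
    """Return what a legacy password file would hold for this password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def verify_md5(password: str, stored: str) -> bool:
    """Login check: digest the candidate and compare it to the record on file."""
    return hmac.compare_digest(store_md5(password), stored)


# --- Assumed modern alternative: salted, iterated PBKDF2-HMAC-SHA256 ---
def store_pbkdf2(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare digests."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed wordlist for the demonstration (a real one has millions of entries).
WORDLIST = ["password", "letmein", "12345", "qwerty", "Summer2010"]


def dictionary_attack(stored: str, verify: Callable[[str, str], bool], wordlist) -> Tuple[Optional[str], int]:
    """Feed each guess through the same verify path a login would use.

    Returns (recovered password or None, number of digests computed). With an
    unsalted fast hash the attacker can precompute this table once for every
    account; with a per-user salt every account costs a fresh run, and with an
    iterated hash each guess costs `iterations` times more work.
    """
    tried = 0
    for guess in wordlist:
        tried += 1
        if verify(guess, stored):
            return guess, tried
    return None, tried


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Size of the brute-force search space, in bits, for a given length cap."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    legacy = store_md5("12345")
    print("legacy record:", legacy)
    print("login with 12345 ->", verify_md5("12345", legacy))
    print("dictionary attack ->", dictionary_attack(legacy, verify_md5, WORDLIST))

    modern = store_pbkdf2("12345")
    print("modern record:", modern)
    print("dictionary attack (same wordlist, salted+iterated) ->",
          dictionary_attack(modern, verify_pbkdf2, WORDLIST))

    strong = store_pbkdf2("correct horse battery staple")  # constructed, not in wordlist
    print("dictionary attack on a long passphrase ->",
          dictionary_attack(strong, verify_pbkdf2, WORDLIST))

    print("8 printable-ASCII chars: %.1f bits" % keyspace_bits(95, 8))
    print("16 printable-ASCII chars: %.1f bits" % keyspace_bits(95, 16))
```

Running it shows the point of the thread in miniature: 12345 falls on the third guess under either scheme, because the wordlist contains it, and rotating to another entry from the same list would change nothing. The salted, iterated record only makes each guess slower and stops one precomputed table from covering every account; the passphrase that is not in the list survives because its key space, not its age, is what the attacker has to search.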