General question about passwords

January 9, 2017 at 12:08:05
Specs: several
The user guide for my new HP notebook has the usual
suggestions for passwords, including the suggestion to
"Change your passwords at least every 3 months."

I am skeptical that there is *any* realistic situation in
which changing a password on a regular or semi-regular
basis has any value. Can you think of one?

-- Jeff, in Minneapolis



#1
January 9, 2017 at 14:27:09
It's all about Cyber Security. Where I work, we're forced to change passwords every 90 days. This includes our computer password, iPhone, & every single password-protected program we use. Some of the programs also require a randomly generated Secure ID code after the initial password is entered. A PIN is required to generate the ID code & if the code isn't entered within 60 seconds, a new code has to be generated.


#2
January 9, 2017 at 15:45:45
So, do you think changing the passwords like that does
anything helpful? If so, what? Would it be better if you
changed the passwords every week? Every day? Every
90 minutes? How is every 90 days a good choice?

-- Jeff, in Minneapolis



#3
January 9, 2017 at 18:32:31
If you have to enter a password on a website (over the Internet), make sure the page is encrypted (HTTPS). Otherwise you send clear text, which any sniffer can display, over the Internet.
FTP and TELNET are insecure protocols; never enter a password over the Internet for these protocols.

Make your password complex enough. No "dictionary" words or birthdays or any guessable combination, even if that is 20+ characters long. Use caps for some letters, add special characters (,./{}[]|\!@#$%^*()) and numbers.

If you suspect an attack, or are informed of one, change password(s).
There is no absolute security anymore. Even encrypted pages can be snooped on by government or malicious organizations if you have something they want from you!

Am I doing all that I listed above? NO! I'm not that paranoid yet...
My banking and company use 2-step authentication as RIIDER explained: a password that is changed every 90 days and, if access is over the Internet, an SMS or soft-generated pass-code.


#4
January 29, 2017 at 06:47:30
Changing passwords is only one thing when it comes to cyber security. Having a strong password can also help you. Passwords can be made strong when you use:
1) Uppercase and lowercase letters
2) Numbers
3) Special characters ( @, $ / { \ = )
4) And a long pass; I recommend 12 characters or above.

Creating a Strong Password - https://support.google.com/accounts...

How does changing your password every 90 days increase security? - http://security.stackexchange.com/q...

Remember changing passwords does help in some way.

Hope you find a solution to your question.
Happy to help
Lakshan Costa

message edited by Lakshancosta



#5
January 29, 2017 at 10:41:10
Lakshan,

Did you read the stackexchange page you linked to?
I'll estimate that it is about 40% in favor of changing passwords
regularly and 60% against. No consensus and no clear winning
argument.

My question, though, was whether there is any realistic situation
in which changing a password on a regular or semi-regular
basis has any value. The stackexchange thread also attempted
to answer that question. I don't understand it at all well, but I got
the following impression:

The only good reason to change passwords regularly appears
to be to reduce the chance of an "offline" "brute force" cracking
of password "hashes". The "hashes" apparently are stored in a
file on the server, not on the user's computer, IIUC. So all the
"hashes" for computing.net are in a file on computing.net's
server. If someone can somehow get a copy of this file, he
could try millions or billions of possible passwords for each
of the "hashes" it contains, and when a correct password is
found for an account, it could then be used to go online and
access that account. Changing the passwords at intervals
reduces the time available for the hacker to run through the
millions or billions of possible passwords.

If that understanding is correct, then the question is whether
such a scenario is realistic. How likely is it that a hacker will
get ahold of the file of password "hashes" and try enough
combinations on my "hash" to discover my password?

-- Jeff, in Minneapolis

message edited by Jeff Root
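
An added example, not part of any post in this thread: the offline-guessing scenario from post #5, with a salted PBKDF2 record standing in for the server's stored "hash" and a calculation of how much of the password space can be tried before a rotation. The alphabet sizes, lengths and guess rates are assumptions chosen for illustration, not measurements.

```python
import hashlib
import hmac
import os

def make_record(password: str, iterations: int = 100_000) -> dict:
    """What the server stores: salt, work factor and derived hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}

def matches(record: dict, guess: str) -> bool:
    """Checking one guess costs one full PBKDF2 run, online or offline."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", guess.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])

def days_to_exhaust(alphabet: int, length: int, guesses_per_sec: float) -> float:
    """Days needed to try every password of this alphabet size and length."""
    return alphabet ** length / guesses_per_sec / 86_400

def fraction_searched(alphabet: int, length: int,
                      guesses_per_sec: float, rotation_days: float) -> float:
    """Share of the password space covered before the password is changed."""
    return min(1.0, rotation_days / days_to_exhaust(alphabet, length, guesses_per_sec))

# Constructed scenarios: (label, alphabet size, length, assumed guesses per second).
SCENARIOS = [
    ("8 lowercase letters, fast hash", 26, 8, 1e9),
    ("8 printable ASCII, fast hash", 94, 8, 1e9),
    ("12 printable ASCII, slow hash", 94, 12, 1e4),
]

def exposure_table(rotation_days: float = 90) -> list:
    """One row per scenario: label, days to exhaust, fraction searched."""
    return [
        (label, days_to_exhaust(a, n, rate), fraction_searched(a, n, rate, rotation_days))
        for label, a, n, rate in SCENARIOS
    ]

if __name__ == "__main__":
    for days in (30, 90):
        print(f"rotation every {days} days")
        for label, total, frac in exposure_table(days):
            print(f"  {label:32s} exhausted in {total:10.3g} days, searched {frac:.3g}")
```

Under these assumed rates only the middle scenario is sensitive to the rotation interval: the first is exhausted within minutes regardless, and the third is not meaningfully searched in any interval.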



#6
January 29, 2017 at 15:52:42
I feel that a good password is secure enough for most personal machines and transactions.
For high security situations such as workers in financial institutions, companies working on government and military contracts, medical and medical billing, and similar circumstances really should require a change of passwords regularly.
For small companies that do not save credit card or social security information or anything similar, it probably is not necessary to change the passwords as long as they are strong ones and are not used for anything else.
My opinion.

You have to be a little bit crazy to keep you from going insane.



#7
January 29, 2017 at 22:02:42
That helps me understand. Thanks!

Why should an opinion help me understand?

That was just a rhetorical question! No need to answer!

-- Jeff, in Minneapolis

