Ornery.org
Topic: Why do we change passwords every 6 months?
philnotfil
Member
Member # 1881

So I got that email again, my password for work is going to expire in 14 days.

I understand the hardcore rules on building a password, they make it harder to guess or crack, but why the 6 month limit on the use of a password? Do the bad guys have a secret deal set up where they will wait to use a stolen password for 6 months? Is 6 months how long it takes for the password to get from the hands of the person who stole it to the hands of the person who is going to use it?

Posts: 3719 | Registered: Jul 2004
Pyrtolin
Member
Member # 2638

It's a rough metric for how long it might take for various direct hacking or social engineering methods to turn up your password.

An 8 letter password that uses uppercase, lowercase, and numbers can be broken in less than a year, so changing it every six months means that anyone who's managed to get the password file and is trying to decrypt it directly has to start over again in less time.

http://howsecureismypassword.net/

Gives a good estimate for how long it would take to hack any given password that you give it. (Fully java based- the computation runs locally and doesn't submit anything) But that's the outside maximum- it's fully possible that they'd happen to bump into it sooner.

But really (as a professional aside), pass"word" gives a poor indication of where good security lies- people should think in terms of pass"phrase". A short sentence, with a few non-obvious misspellings or other variations makes for much better security. Especially, for those with poor memory, if it's something that you can write down and hide in plain sight.

Axde#@$sa
Looks like a password

I love my puppy, she's 4 years old!
Isn't as obvious

The third sentence on page 52 of a book that you keep by your desk is even more obscure. Etc...

Posts: 11997 | Registered: Oct 2005
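To put numbers on the post above (the 8-character mixed-case-plus-digits claim and the two sample passwords), here is an added example that is not part of the thread or of the linked site. The guess rate of one billion per second is an assumption I chose, and the word-level estimate goes beyond the post: it models the puppy phrase as dictionary words, which is how the xkcd-style attacker would guess it, and shows how much the per-character figure overstates it.

```python
import math
import string

# Assumed attacker model (constructed for this example): an offline attack on a
# fast unsalted hash at one billion guesses per second.
GUESSES_PER_SECOND = 1e9
SECONDS_PER_YEAR = 365 * 24 * 3600

# Character classes as a brute-force search would model them.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}


def charset_size(password: str) -> int:
    """Alphabet an exhaustive search must cover: every class the password touches
    (one symbol anywhere pulls in all 33 symbols, one digit all 10, and so on)."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def brute_force_bits(password: str) -> float:
    """Bits of search space for an attacker who knows only length and classes."""
    return len(password) * math.log2(charset_size(password))


def phrase_bits(word_count: int, dictionary_size: int = 20000) -> float:
    """Same phrase against an attacker guessing whole dictionary words (xkcd model).
    The dictionary size is an assumption; the point is that it is far below 95**n."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits: float) -> float:
    """Worst case to enumerate the whole space; on average the hit comes halfway."""
    return 2 ** bits / GUESSES_PER_SECOND / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ("Axde#@$sa", "I love my puppy, she's 4 years old!", "ilovebunnies1"):
        b = brute_force_bits(pw)
        print(f"{pw!r}: {len(pw)} chars, alphabet {charset_size(pw)}, "
              f"{b:.1f} bits, {years_to_exhaust(b):.3g} years")
    # The 8-word puppy phrase modelled as dictionary words instead of characters:
    print(f"word model: {phrase_bits(8):.1f} bits")
```

The 9-character example lands at roughly 58 bits (a handful of years at this rate); the 35-character phrase is astronomically larger on the character model but only about 114 bits on the word model, which is the figure a defender should plan around.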
Clark
Member
Member # 2727

I can only assume this was prompted by the latest xkcd comic?

Most passwords don't expire regularly. I've had the same password for ornery since I signed up. Same goes for email and pretty much everything else on the internet. The only system I deal with that does make me change my password is work. Password security threats at work are either internal, or external. Personally, I suspect that internal password theft is a bigger problem for most companies. When I log into our computer system, I have access to certain things that others don't have access to. So, if there is something that an employee wants to mess up, or something they want to cover their tracks on, better to do it with my password than theirs. They will have the access, and the system will log that I made the changes. If someone were planning this sort of thing, it would be reasonable to steal the password and then sit on it for weeks or months waiting for "the right time" to do whatever you want to do.

Externally, I suppose someone from our competition might be trying to get into the computer system, but really, it would be easier, cheaper and faster to go find a disgruntled former employee, buy him a beer and start asking questions.

I don't think that forcing people to change passwords increases security much anyway. The majority of people I know just change it from "ilovebunnies1" to "ilovebunnies2".

My biggest concern is exactly what xkcd points out. Everyone has a passwords for a zillion different websites. Reusing the same one over and over again isn't very secure, but how am I supposed to have unique passwords for every stinkin' service? Does anyone have a handy system for managing passwords? (Feel free to include a list of websites with your login and password as an example of the efficacy of your system.)

Posts: 420 | Registered: Jan 2006
Rallan
Member
Member # 1936

quote:
Originally posted by philnotfil:
So I got that email again, my password for work is going to expire in 14 days.

I understand the hardcore rules on building a password, they make it harder to guess or crack, but why the 6 month limit on the use of a password? Do the bad guys have a secret deal set up where they will wait to use a stolen password for 6 months? Is 6 months how long it takes for the password to get from the hands of the person who stole it to the hands of the person who is going to use it?

Because people write their passwords down, or use the same password for everything, or use passwords that are the names of familiar places or friends or whatever that are easy for people who know them to guess. These are people who are just begging to have their passwords figured out, so making everyone in the company change their passwords every six months helps strengthen the weakest link in the security chain.
Posts: 2570 | Registered: Jul 2004
Pyrtolin
Member
Member # 2638

A problem creeps up from the other end, though- if you have people change their password too often, they're more likely to forget them or write them down. Same goes for imposing too many rules (or bizarre ones- It really bugs me that my bank password is one of my least secure because it limits the length and both the type and number of characters that can be used)

But, again- that's why a phrase is good- especially a punctuated one, since that gives a long (the most important security factor for a password), easy-to-remember code that more naturally includes special characters (spaces, punctuation) and only requires a little bit of dressing to really lock it down.

Posts: 11997 | Registered: Oct 2005
philnotfil
Member
Member # 1881

For passwords that I don't have to change regularly (everything but work and school) I use a set combination of certain characters from the name of the website and certain numbers that are meaningful to me. It ends up looking like a blob of letters and numbers, but is easy to remember when I'm staring at the login screen.

One of the annoying factors is that they make us use secure passwords (upper case, lower case, number, wildcard, no dictionary words, no names, no repetition from previous passwords, at least 8 characters), and then make us change them so frequently. They have already taken care of the weakest link (poor password selection), but now they are contributing to the second weakest link (writing down passwords).

Anyone have input on why six months is the set time?

Posts: 3719 | Registered: Jul 2004
G2
unregistered


quote:
Originally posted by philnotfil:
Anyone have input on why six months is the set time?

It's essentially a judgement call designed to limit exposure to a compromised id and password and an 8 character one takes just a little longer than 6 months to crack on average.

Six months is awfully long, most IT security analysts I work with expire passwords at 3 months with the previous 4-6 passwords used not repeatable.

Use a mnemonic of some kind to avoid writing it down. A good one is pick a favorite or popular song and sing the chorus of it or the first 8+ words and the first letter of each word is your password. Very easy to remember and nicely randomized. You can use LEET substitution for the number (0 for o, 1 for i and 3 for e, etc) as well as for the wildcard (# for h, * for x and + for t, etc).

For example, Billy Joel's "Piano Man", everybody knows that song.

Sing us a song, you're the piano man
Sing us a song tonight

Cap the "S" beginning each line, "a" is 4 and "t" is +

That gives us a password: Su4sy+pmSu4s+

Damn good password (13 characters, takes about 39 billion years to crack!) and very easy to recall after you try it a couple of times. Just sing it as you login and all is good. Of course, your company's rules would allow you to get away with the first 8, still pretty good: Su4sy+pm (about 250 days to crack).

[ September 14, 2010, 01:05 PM: Message edited by: G2 ]

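The derivation G2 walks through, written out as an added example (mine, not G2's or the forum's): take the first letter of each word, capitalise the start of each line, apply the two substitutions named in the post, and then check the result against the composition rule philnotfil described earlier in the thread. The `LEET` table and the `meets_policy` thresholds are assumptions lifted from those two posts.

```python
import re

# Lyric lines quoted in the post above, used here as the memorised source.
LYRICS = [
    "Sing us a song, you're the piano man",
    "Sing us a song tonight",
]

# The two substitutions the post applies: 'a' -> 4, 't' -> +.
# Any other leet table can be dropped in here (assumed, not from the post).
LEET = {"a": "4", "t": "+"}


def first_letters(line: str) -> list:
    """Initial letter of every word; punctuation is dropped so "you're" gives 'y'."""
    return [w[0] for w in re.findall(r"[A-Za-z']+", line)]


def mnemonic(lines, leet=LEET) -> str:
    """Build the password: line-initial letter capitalised, the rest lower-cased,
    then leet-substituted (the capital 'S' is not in the table and stays)."""
    out = []
    for line in lines:
        letters = [c.lower() for c in first_letters(line)]
        if not letters:
            continue
        letters[0] = letters[0].upper()
        out.extend(leet.get(c, c) for c in letters)
    return "".join(out)


def meets_policy(pw: str, min_len: int = 8) -> bool:
    """The composition rule philnotfil describes: upper, lower, digit,
    non-alphanumeric, at least 8 characters."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


if __name__ == "__main__":
    full = mnemonic(LYRICS)
    print(full, meets_policy(full))            # Su4sy+pmSu4s+ True
    print(full[:8], meets_policy(full[:8]))    # Su4sy+pm True
```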
edgmatt
Member
Member # 6449

On the same subject...

I have two different passwords, and it's a huge pain in the @$$ to remember what each applies to.
According to that website linked earlier, both of them can be cracked in about 6 hours. I'm in the process of creating a new one.

Posts: 1439 | Registered: Apr 2009
The Drake
Member
Member # 2128

Actually, frequent password changes lower security rather than raising it. The reason is that users are more likely to write their passwords down - sometimes even on their whiteboard in the office. Meanwhile, when people are required to change the password, they will usually just change one letter or digit.
Posts: 7707 | Registered: Oct 2004
JWatts
Member
Member # 6523

quote:
Originally posted by The Drake:
Actually, frequent password changes lower security rather than raising it. The reason is that users are more likely to write their passwords down - sometimes even on their whiteboard in the office. Meanwhile, when people are required to change the password, they will usually just change one letter or digit.

When confronted with frequent password changes, people almost always end up either a) writing down passwords (and often taping it to the front of the monitor) or b) using a numeric end to a password and incrementing it.

G2, the type of password you described is what we use historically for the more secure passwords at my company.

I.e., SWe1tPM = Star Wars episode 1 the Phantom Menace

though usually it will be something a little longer to get it up above 10 characters.

Posts: 4700 | Registered: Oct 2009
edgmatt
Member
Member # 6449

I don't have to use a computer at work, it's my home computer I'm worried about. Should I be worried?
Posts: 1439 | Registered: Apr 2009
TomDavidson
Member
Member # 99

As the senior developer and network administrator at my college, I am required to change my password every seven days. (This is a policy I find inconvenient, but also one that I wrote.) I do this by cycling through the lines of a poem I have memorized.
Posts: 22935 | Registered: Nov 2000
TommySama
Member
Member # 2780

My work changes the password every two weeks. I have taken to making other employees sign into the system for me.
Posts: 6396 | Registered: Feb 2006
Badvok
Member
Member # 1085

quote:
Originally posted by The Drake:
Actually, frequent password changes lower security rather than raising it. The reason is that users are more likely to write their passwords down - sometimes even on their whiteboard in the office. Meanwhile, when people are required to change the password, they will usually just change one letter or digit.

So very true.

My password for a number of unimportant internal work systems is of the form "PasswordN", where N is an ever increasing number, or if they have a check to stop that then I change the second letter to an 'i'. I keep track of where I am with each system in Outlook. That's what they get for asking me to change my password every 1 to 3 months.

Of course for personal stuff like banking I use proper passwords, one of which, according to that site, would take 39 Billion Years to crack.

And remote access to my home PC is via 1024-bit RSA key only.

Posts: 296 | Registered: Jun 2003
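The Drake, JWatts and Badvok all describe the same failure mode of forced rotation: the "new" password is the old one with a bumped counter or a single letter swapped. This added example (mine, not from the thread) is the check a change form can run against the old password the user has just typed, rejecting both patterns; the sample old/new pairs are constructed from the posts, and `max_edits` is an assumed tunable.

```python
import re


def strip_counter(pw: str):
    """Split a password into its stem and any trailing run of digits."""
    m = re.fullmatch(r"(.*?)(\d*)", pw)
    return m.group(1), m.group(2)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_rotation(old: str, new: str, max_edits: int = 1) -> bool:
    """True when `new` is `old` with a bumped counter or at most `max_edits`
    single-character tweaks. Case is folded so Password1 -> password1 does not count."""
    o, n = old.lower(), new.lower()
    if o == n:
        return True
    o_stem, _ = strip_counter(o)
    n_stem, _ = strip_counter(n)
    if o_stem and o_stem == n_stem:          # ilovebunnies1 -> ilovebunnies2, Password7 -> Password12
        return True
    return edit_distance(o, n) <= max_edits  # Password7 -> Pissword7


def accept_change(previous: list, candidate: str) -> bool:
    """Policy hook for the change form: reject a candidate that is a trivial
    rotation of any previous password the caller still holds in clear text."""
    return not any(is_trivial_rotation(p, candidate) for p in previous)


if __name__ == "__main__":
    # Constructed sample change requests, old -> new.
    for old, new in [("ilovebunnies1", "ilovebunnies2"),
                     ("Password7", "Pissword7"),
                     ("Password12", "Su4sy+pmSu4s+")]:
        verdict = "rejected" if is_trivial_rotation(old, new) else "accepted"
        print(f"{old} -> {new}: {verdict}")
```

In practice only the current password is available in clear text at change time (history is stored hashed), so this catches one-step rotations; raising `max_edits` to 2 also catches a counter bump combined with one letter swap, at the cost of more false rejections.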