World Password Day: Today is World Password Day! You know what that means: the effort we put in from time to time to talk people out of the myths in circulation suddenly makes sense, because every website, however irrelevant, floods social media with "security tips".
For example, our well-known Nutella:
- Nutella (@NutellaGlobal) May 2, 2017
With the above tweet, the company is basically suggesting that we use Nutella as a password because it is something we love and will not easily forget. A password cracker with ordinary computing power would take less than 5 minutes to find the super-duper Nutella password…
The wireless industry association CTIA, on the other hand, says:
- CTIA (@CTIA) May 2, 2017
"Global #PasswordDay! Reminder for frequent password changes". Another successful tip!
Password Day: So which is it?
How often do you change your password? Surely some of them are old. In fact, most of us change our passwords only when something forces us to do it.
Typically, this happens when we forget it or when the service we use requires us to create a new one. There are, of course, services that demand a new password every few months.
Which approach is right? Using the same password for years, or changing it frequently? Below we look at the advantages and disadvantages of frequent password changes:
It makes your account a bit safer
Generally speaking, the theory is that changing your password frequently makes your account more secure.
The argument is of course true if you are the victim of a data leak you don't know about: frequent password changes will prevent a hacker from using your account indefinitely…
Does the argument seem right to you? Maybe yes, but it is not as clear-cut as you would expect. A single, momentary breach of your account is enough to cause very great damage. So frequent password changes only ensure that the attacker does not keep your account for good.
On the other hand, even assuming your new passwords are stronger than the previous ones, the practice is of little benefit.
In a paper from Carleton University (PDF), researchers report that attackers who obtain a leaked list of passwords can attack it by testing a huge number of guesses in a very short time. Weak and medium-strength passwords are at risk.
The paper shows mathematically that even frequent changes to strong passwords do little to hinder such attacks, and that the benefit is almost certainly not worth the inconvenience it causes users.
The same paper recommends that system administrators use slow hashing functions such as bcrypt. End users are not inconvenienced, and the slow hash makes it much harder for an attacker to guess a large number of passwords quickly.
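To make the bcrypt recommendation concrete, here is an added example (not code from the article or the Carleton paper) of storing passwords with a slow, salted key-derivation function and measuring how many guesses per second an attacker who stole the database could try. It uses the standard library's PBKDF2-HMAC-SHA256 instead of bcrypt only because it needs no third-party package; the iteration count, record format and sample password are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# Added example, not the article's own code. Work factor (iterations) is an
# assumed value: raise it as hardware gets faster so each guess stays expensive.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2$<iterations>$<salt hex>$<hash hex>'."""
    if salt is None:
        salt = os.urandom(16)  # a random per-user salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and cost; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def fast_unsalted_hash(password: str) -> str:
    """The weak baseline: a plain fast hash that an attacker can evaluate
    millions of times per second on commodity hardware."""
    return hashlib.sha256(password.encode()).hexdigest()


def guesses_per_second(hash_fn: Callable[[str], str], sample: int = 20) -> float:
    """Measure how many password guesses per second a hashing scheme allows.
    This is what an offline attacker holding the stolen records is limited by."""
    start = time.perf_counter()
    for i in range(sample):
        hash_fn(f"guess{i}")
    elapsed = max(time.perf_counter() - start, 1e-9)  # guard against a zero interval
    return sample / elapsed


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("nutella", record))
    print(f"fast hash: {guesses_per_second(fast_unsalted_hash):,.0f} guesses/s")
    slow = lambda p: hash_password(p, iterations=ITERATIONS)
    print(f"slow KDF:  {guesses_per_second(slow, sample=5):,.0f} guesses/s")
```

Run it and compare the two rates: the slow KDF turns a list of millions of guesses per second into a handful, which is exactly why the paper says this protects users without asking anything of them.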
Password Day: Your new password may not be safe either
I'm sure nobody needs to tell you how to create a strong password, but some things bear repeating:
Your password must use a combination of letters, numbers and symbols (special characters).
It should use some uppercase and some lowercase letters.
It should be longer than 12 characters.
Following the above rules produces strong passwords, but ones that are difficult to memorize.
But let's look at the scientific data. In 2010, researchers at the University of North Carolina published a paper entitled "The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis". They studied the password history of old accounts at the university.
The study looked at more than 10,000 old accounts and 51,141 passwords. The researchers ran an offline attack on the hashes and eventually recovered 60% of the passwords.
They then used that data set to see whether they could guess other passwords linked to the same account. The results were astonishing: in 17 percent of cases, the next password used for the same account could be found in under five seconds.
Why? The study concluded that people tend to make very small changes when they have to change a password frequently. For example, iguru123 becomes 1guru123, newsiguru! becomes igurunews!!, and so on.
When do you need to change your password?
If you suspect someone is accessing your account without your authorization, you need to change your password. If you think someone was watching when you entered your online banking credentials, you should change your password again. If you had to type your password somewhere you would rather not have, you should of course change it.
And if you think you have fallen for a phishing scam, you need to change your password.
In all cases, make sure the new password has nothing to do with the old one. Do not reuse the same central word, and do not put the same special characters in the same positions. And of course, do not simply write your old password backwards.
Remember, you also need to change the password on every other account that uses a similar password. For example, if your Facebook password is iguru1 and your Twitter password is 1iguru, you need to change both.
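The three strength rules above, the "small change" patterns from the UNC study (iguru123 to 1guru123, newsiguru! to igurunews!!) and the advice to reuse neither the central word nor a reversed or rearranged version of it can all be enforced at password-change time. The following is an added example, not code from the article or from any of the cited papers: a server-side check that rejects weak new passwords and new passwords that are cosmetic variations of the old one. The substitution table, the minimum length of a "shared central word" and the sample pairs are assumptions chosen for illustration.

```python
import re

# Added example, not the article's own code. Substitutions people commonly use
# when "changing" a password; an assumed table, extend it to taste.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})
MIN_SHARED_CORE = 4  # assumed: a shared letter run this long counts as the same central word


def strength_problems(password: str) -> list:
    """Return the strength rules from the article that the password violates."""
    problems = []
    if len(password) <= 12:
        problems.append("must be longer than 12 characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both uppercase and lowercase letters")
    if not (re.search(r"\d", password) and re.search(r"[^A-Za-z0-9]", password)):
        problems.append("needs digits and special characters")
    return problems


def core_word(password: str) -> str:
    """Reduce a password to its 'central word': lowercase it, undo the common
    substitutions, then drop everything that is not a letter."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def is_trivial_variation(old: str, new: str) -> bool:
    """True if the new password looks derived from the old one."""
    old_core, new_core = core_word(old), core_word(new)
    if not old_core or not new_core:
        return False
    if new_core in (old_core, old_core[::-1]):   # same word, or the old one written backwards
        return True
    if len(new_core) == len(old_core) and new_core in old_core + old_core:
        return True                               # parts swapped around: newsiguru -> igurunews
    shorter, longer = sorted((old_core, new_core), key=len)
    return len(shorter) >= MIN_SHARED_CORE and shorter in longer   # same central word reused


def validate_change(old: str, new: str) -> list:
    """Every reason to reject the change; an empty list means accept."""
    problems = strength_problems(new)
    if is_trivial_variation(old, new):
        problems.append("new password is a variation of the old one")
    return problems


if __name__ == "__main__":
    # Constructed sample pairs, including the article's own iguru examples.
    for old, new in [("iguru123", "1guru123"), ("newsiguru!", "igurunews!!"),
                     ("iguru1", "1iguru"), ("iguru123", "321urugi"),
                     ("iguru123", "Correct-Horse-Battery-9")]:
        print(f"{old!r} -> {new!r}: {validate_change(old, new) or 'accepted'}")
```

The check works on the plaintext of the old password at the moment the user submits both, so it needs no plaintext storage; the same `is_trivial_variation` test can also be run by a password manager across accounts to catch the Facebook/Twitter style near-duplicates the article warns about.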
But what about the forced reset of passwords?
Is it a good idea for an application or service to force its users to create new passwords? Probably not.
In 2009, the National Institute of Standards and Technology said that regular password changes were "beneficial to reduce the impact of some password compromises" but "ineffective in other cases". Like an oracle from Pythia. And of course users are frustrated when a forced change is required every three months or so.
All of the above may sound complicated. Let's summarize:
Frequent password changes make users marginally more secure, and only if the new password is extremely strong.
Forced (frequent) password changes often have the opposite effect, since users tend to choose weaker passwords or a variation of the old one.