Password Day: World Password Day, watch out for the sweets!

World Password Day: Today is World Password Day! You know what that means: all the effort we sometimes put into convincing people not to believe the myths in circulation suddenly makes sense today, as every irrelevant website floods social media with its "tips".

For example, our well-known Nutella:

With the tweet above, the company is essentially suggesting that we use Nutella as a password because it is something we love and will not easily forget. Someone with a bit of computing power will need less than 5 minutes to find the super duper Nutella password…

The wireless communications company CTIA, on the other hand, states:

“Global #PasswordDay! Reminder for frequent password changes.” Another successful tip!

Password Day: So what is the answer?

How often do you change your passwords? Surely some of them are old. In fact, most of us change our passwords only when something forces us to.

Typically this happens when we forget a password or when the service we use requires us to create a new one. There are, of course, services that demand a new password every few months.

Which approach is right? Using the same password for years, or changing it frequently? Below we look at the advantages and disadvantages of frequent password changes:

It makes your account a bit safer

The widely circulated claim is that frequently changing your password makes your account more secure.

The argument is of course valid if you have been the victim of a leak: frequent password changes will stop a hacker from using your account indefinitely…

Does the argument seem right to you? Maybe, but it is not as clear-cut as you would expect. Even a momentary breach of your account by a hacker is enough to cause very great damage. So frequent password changes only ensure that the attacker does not keep hold of your account.

On the other hand, even assuming that your new passwords are stronger than the previous ones, the practice is of little benefit.

In a paper from Carleton University (PDF), researchers report that attackers who have obtained a list of passwords can test a huge number of guesses in a very short time. Weak and medium-strength passwords are at risk.

The paper shows mathematically that even frequent changes of strong passwords do little to hinder such attacks, and that the benefit is almost certainly not worth the inconvenience it causes users.

The same paper recommends that system administrators use slow hashing functions like bcrypt. End users will not notice, and the process makes it much harder for attackers to quickly guess a large number of passwords.
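To make the recommendation concrete, here is an added example (not from the paper or the article) that stores the same constructed password once with a single SHA-256 round and once with a deliberately slow KDF, then measures how long the same six-word guess list takes against each. PBKDF2 from the Python standard library stands in for bcrypt, which is not in the standard library; the guess list and password are constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional, Tuple

# Constructed demo data: a tiny guess list, and the password the site actually stores.
GUESSES = ["nutella", "password", "iguru123", "letmein", "qwerty", "Nutella2019"]
REAL_PASSWORD = "Nutella2019"

def fast_hash(password: str, salt: bytes) -> bytes:
    """One SHA-256 round: cheap for the site, and just as cheap for an attacker
    testing a huge number of guesses against a leaked list."""
    return hashlib.sha256(salt + password.encode()).digest()

def slow_hash(password: str, salt: bytes, rounds: int = 200_000) -> bytes:
    """Deliberately slow, salted KDF (PBKDF2 stands in for bcrypt here).
    Every guess costs `rounds` iterations, for the attacker and the site alike."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def verify(password: str, salt: bytes, stored: bytes,
           hasher: Callable[[str, bytes], bytes]) -> bool:
    """Constant-time comparison, as a login check should do."""
    return hmac.compare_digest(hasher(password, salt), stored)

def measure_guessing(stored: bytes, salt: bytes, hasher: Callable[[str, bytes], bytes],
                     guesses=GUESSES) -> Tuple[Optional[str], int, float]:
    """Simulate an offline dictionary run against one stored hash and return
    (recovered password or None, guesses needed, seconds spent)."""
    start = time.perf_counter()
    for count, guess in enumerate(guesses, 1):
        if verify(guess, salt, stored, hasher):
            return guess, count, time.perf_counter() - start
    return None, len(guesses), time.perf_counter() - start

def compare_cost(password: str = REAL_PASSWORD) -> dict:
    """Same password, same salt, same guess list: only the hash function differs."""
    salt = os.urandom(16)
    found_fast, n_fast, t_fast = measure_guessing(fast_hash(password, salt), salt, fast_hash)
    found_slow, n_slow, t_slow = measure_guessing(slow_hash(password, salt), salt, slow_hash)
    return {"found": found_fast == found_slow == password, "guesses": n_fast,
            "fast_seconds": t_fast, "slow_seconds": t_slow,
            "slowdown": t_slow / max(t_fast, 1e-9)}

if __name__ == "__main__":
    print(compare_cost())
```

Both runs recover the password after the same six guesses; only the time differs, and the "slowdown" ratio is what the attacker pays per guess across the whole leaked list.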

Password Day: Your new password may not be safe

I'm sure I do not have to tell you how to create a strong password, but some things bear repeating:

Your password should combine letters, numbers and symbols (special characters).
It should use some uppercase and some lowercase letters.
It should be longer than 12 characters.

By following the above rules you create passwords that are strong but hard to memorize.

But let's look at the scientific data. In 2010, researchers at the University of North Carolina published a paper entitled “The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis.” They studied the password history of old accounts that existed at the university.

The study looked at more than 10,000 old accounts and 51,141 passwords. The researchers ran an offline attack on the password hashes and eventually managed to recover 60% of the passwords.

They then used that set of data to see whether they could predict other passwords later used on the same accounts. The results were amazing: in 17 percent of cases, the next password used for the same account could be found in less than five seconds.

Why? The study concluded that people tend to make very small changes when they are made to change a password frequently. For example, iguru123 becomes 1guru123, newsiguru! becomes igurunews!!, and so on.

When do you need to change your password?

If you suspect someone is accessing your account without your authorization, you need to change your password. If you think someone was watching you while you entered your online banking credentials, you should change your password again. If you have had to give your password out somewhere, you should of course change it.

And if you think you are a victim of a phishing fraud, you will need to change your password.

In all cases, you need to make sure that your new password has nothing to do with the old one. Do not use the same central word, and do not place the same special characters in the same positions. And of course, do not just write your old password backwards.

Remember, you will also need to change the password on all other accounts that use similar passwords. For example, if your Facebook password is iguru1 and your Twitter password is 1iguru, you need to change both.
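The study's finding that the next password is a small edit of the last one, and the advice above about central words, symbol positions and reversal, can be turned into a check a service runs when a user submits a new password. The following is an added example, not code from the article or the paper; the leet substitution table and the thresholds are assumptions chosen to catch the article's own pairs (iguru123/1guru123, newsiguru!/igurunews!!, iguru1/1iguru).

```python
import re
from difflib import SequenceMatcher

# Common digit/symbol-for-letter substitutions users make when "changing" a
# password (constructed list, assumption for this example).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def letters(password: str) -> str:
    """The 'central word': undo leet substitutions, lowercase, keep letters only.
    'iguru123' and '1guru123' both reduce to 'iguruie'."""
    return re.sub(r"[^a-z]", "", password.translate(LEET).lower())

def longest_common(a: str, b: str) -> int:
    """Length of the longest substring the two central words share."""
    return SequenceMatcher(None, a, b).find_longest_match(0, len(a), 0, len(b)).size

def too_similar(old: str, new: str, ratio_threshold: float = 0.6) -> tuple:
    """Return (rejected, reason) for a password-change request.
    Rejects trivial edits of the old password; accepts genuinely new ones."""
    o, n = old.lower(), new.lower()
    lo, ln = letters(old), letters(new)
    if n == o:
        return True, "identical to the old password"
    if n == o[::-1] or (lo and ln == lo[::-1]):
        return True, "old password written backwards"
    if lo and ln == lo:
        return True, "same central word, only digits/symbols moved"
    # Half or more of the old central word survives as one block: iguru123 -> iguru2019,
    # newsiguru! -> igurunews!! (the 'iguru' block is reused).
    if len(lo) >= 4 and longest_common(lo, ln) * 2 >= len(lo):
        return True, "reuses most of the old password's central word"
    ratio = SequenceMatcher(None, o, n).ratio()
    if ratio >= ratio_threshold:
        return True, f"too few edits from the old password (similarity {ratio:.2f})"
    return False, "ok"

if __name__ == "__main__":
    for pair in [("iguru123", "1guru123"), ("newsiguru!", "igurunews!!"),
                 ("iguru1", "1iguru"), ("Nutella2019", "9102alletuN"),
                 ("iguru123", "Tr0ub4dor&3")]:
        print(pair, "->", too_similar(*pair))
```

The check only works if the service can compare against the previous password at change time (i.e. while the user has just proven the old one); it must not be used as a reason to store old passwords in recoverable form.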

But what about forced password changes?

Is it a good idea for an application or service to force end users to create new passwords? Probably not.

In 2009, the National Institute of Standards and Technology said that regular password changes were "beneficial to reduce the impact of certain password compromises", but were "ineffective in other cases". Like an oracle of the Pythia. What is certain is that users are frustrated by the forced password change demanded every three months or so.

All of the above arguments may sound complicated. Let's sum them up:

Frequent password changes make users only marginally more secure, and only if the new password is extremely strong.
Forced (frequent) password changes often have the opposite effect, since users tend to choose weaker passwords or a variation of their old ones.

iGuRu.gr: The Best Technology Site in Greece


Written by giorgos


One Comment

  1. Unfortunately, because of the positions that some of us express openly and clearly, positions that hate entanglement, nonsense, greed and fraud, and because of the position that (does not) take what is called the State, which in turn stays far from the desired State, we change passwords as often as we change our shirts.

    In the end, the issue is not to change passwords but to finally let the State do its duty, to get the wish. As hard as that might be. So that we do not have to send to WikiLeaks and the ICIJ the material that acts as "our life insurance policies".
    I mean the latter literally.

    Now you will tell me, what am I telling you…
    Don't pay attention. I wanted to write out, for once, the thoughts of some of us.
