World Password Day: Today is World Password Day! You know what this means: all the effort we put into convincing people not to believe the myths in circulation suddenly seems worthwhile, because today every website, relevant or not, will flood social media with "safety tips".
Take, for example, the well-known Nutella:
- Nutella (@NutellaGlobal) May 3, 2018
With the above tweet, the company is basically suggesting that we use Nutella as a password because it is something we love and will not forget easily. A password cracker does not need infinite computing power for that: "Nutella" sits in every basic wordlist, and the super duper Nutella password falls in far less than five minutes.
The wireless industry association CTIA, on the other hand, states:
- CTIA (@CTIA) May 3, 2018
"Global #PasswordDay! Reminder for frequent password changes." Another successful tip!
Password Day: So what is the answer?
How often do you change your password? Surely some of your passwords are old. In fact, most of us change a password only when something forces us to.
Typically this happens when we forget it, or when the service we use requires us to create a new one. There are, of course, services that demand a new password every few months.
Which approach is right: using the same password for years, or changing it frequently? Below we look at the advantages and disadvantages of frequent password changes:
It makes your account a bit safer
Generally speaking, the theory is that changing your password frequently makes your account more secure.
The argument holds if your password has leaked without your knowing it: a periodic change evicts the attacker instead of leaving them with indefinite access to your account.
Does the argument seem right to you? Perhaps, but it is not as clear-cut as you would expect. A single moment of access to your account is enough for an attacker to do very serious damage. So frequent password changes only ensure that the attacker does not keep your account; they do nothing about the damage already done.
And even assuming that each new password is stronger than the previous one, the practice is of little benefit.
In a paper from Carleton University (PDF), researchers note that an attacker who obtains a copy of a service's password hashes can mount an offline attack, testing an enormous number of guesses in a very short time. Weak and medium-strength passwords are at risk.
The paper shows mathematically that even frequent changes of strong passwords do little to deter such attacks, and that the benefit is almost certainly not worth the inconvenience caused to users.
The same paper recommends that system administrators use slow hash functions such as bcrypt. End users are not bothered by this, and the slow function makes it far more expensive for an attacker to test a large number of guesses.
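To make the slow-hash recommendation concrete, here is an added example (not code from the paper or from the original post) that runs the same small dictionary attack against a single salted SHA-256 and against PBKDF2-HMAC-SHA256. PBKDF2 from Python's standard library stands in for bcrypt here, an assumption made so the example runs without third-party packages; the wordlist, salt and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

# Constructed demo wordlist (not a real leak): the guesses an attacker tries first.
WORDLIST = ["123456", "password", "qwerty", "nutella", "Nutella", "nutella123"]


def hash_fast(password: str, salt: bytes) -> bytes:
    """Single salted SHA-256: the kind of fast hash the paper warns against."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def hash_slow(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """PBKDF2-HMAC-SHA256, a stdlib stand-in for bcrypt: deliberately slow per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify(password: str, salt: bytes, stored: bytes, hasher) -> bool:
    """Login-side check; constant-time compare so timing does not leak matching bytes."""
    return hmac.compare_digest(hasher(password, salt), stored)


def crack(stored: bytes, salt: bytes, hasher, wordlist=WORDLIST):
    """Offline dictionary attack against one stolen (salt, hash) pair.
    Returns (recovered_password_or_None, guesses_made, seconds_elapsed)."""
    start = time.perf_counter()
    for n, guess in enumerate(wordlist, start=1):
        if hmac.compare_digest(hasher(guess, salt), stored):
            return guess, n, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


if __name__ == "__main__":
    salt = os.urandom(16)
    pw = "nutella123"
    for name, hasher in (("sha256", hash_fast), ("pbkdf2", hash_slow)):
        stored = hasher(pw, salt)
        found, guesses, secs = crack(stored, salt, hasher)
        print(f"{name:7s} recovered={found!r} guesses={guesses} "
              f"rate={guesses / max(secs, 1e-9):,.0f} guesses/s")
```

Both runs recover the password, because a six-word list always wins against a dictionary word; the difference is the guess rate printed at the end. Multiply that gap by the billions of guesses a real wordlist and rule set produce and you have the paper's point: the slow function, not the change interval, is what buys time.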
Password Day: Your new password may not be safe
I'm sure you don't need to be told how to create a strong password, but a few points bear repeating:
Your password should combine letters, numbers and symbols (special characters).
It should mix uppercase and lowercase letters.
It should be longer than 12 characters.
Following these rules produces strong passwords that are, however, hard to memorize.
But let's look at the scientific data. In 2010, researchers at the University of North Carolina published a paper entitled "The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis." They studied the password histories of old accounts at the university.
The study covered more than 10,000 old accounts and 51,141 passwords. The researchers ran an offline attack against the hashes and eventually recovered 60% of the passwords.
They then used this data set to see whether they could predict other passwords used on the same account. The results were astonishing: in 17 percent of cases, the next password for the same account was found in less than five seconds.
Why? The study concluded that people make very small changes when they are made to change a password frequently. For example, iguru123 becomes 1guru123, newsiguru! becomes igurunews!!, and so on.
When do you need to change your password?
If you suspect someone is accessing your account without your authorization, you need to change your password. If you think someone was watching while you typed your online banking credentials, change it again. And if you had to enter your password somewhere you do not control, you should of course change it.
And if you think you have fallen for a phishing scam, you need to change your password.
In all cases, make sure your new password has nothing to do with the old one. Do not reuse the same core word, and do not put the same special characters in the same positions. And no, writing your old password backwards does not count.
Remember to also change the password on every other account that uses a similar password. For example, if your Facebook password is iguru1 and your Twitter password is 1iguru, you should change both.
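The UNC result above (old password known, new one guessed in seconds) and the advice that the new password must have nothing to do with the old one are two sides of the same search. The following added example, which is not code from the study or from the original post, enumerates "lazy edits" of an old password (leet substitutions, bumping a trailing number, adding or dropping a symbol, reversing, rotating the word) and uses the same list both as the attacker's guess list and as a defender's check at change time. The transform set and the sample passwords are an approximation constructed for the example, not the study's own rules; the hash of the new password is a plain SHA-256 only so the block stays self-contained.

```python
import hashlib
import re

# Assumed leet substitutions and "extra" characters a lazy user reaches for.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
EXTRAS = "!@#$%0123456789"


def transforms(pw: str) -> set:
    """Every password one lazy edit away from pw."""
    out = set()
    # leet-speak one character at a time: iguru123 -> 1guru123
    for i, ch in enumerate(pw):
        if ch.lower() in LEET:
            out.add(pw[:i] + LEET[ch.lower()] + pw[i + 1:])
    # bump a trailing number up or down: iguru123 -> iguru124 / iguru122
    m = re.search(r"(\d+)$", pw)
    if m:
        n, width = int(m.group(1)), len(m.group(1))
        for d in (n + 1, n - 1):
            if d >= 0:
                out.add(pw[:m.start()] + str(d).zfill(width))
    # append or prepend a digit/symbol, drop a trailing one, double a trailing symbol
    for c in EXTRAS:
        out.add(pw + c)
        out.add(c + pw)
    if pw and pw[-1] in EXTRAS:
        out.add(pw[:-1])
        if not pw[-1].isdigit():
            out.add(pw + pw[-1])          # iguru! -> iguru!!
    # case games and the classic reversal
    out.update({pw.capitalize(), pw.swapcase(), pw.upper(), pw.lower(), pw[::-1]})
    # rotate the alphabetic core, keeping the tail: newsiguru! -> igurunews!
    m = re.match(r"([A-Za-z]+)(.*)$", pw)
    if m:
        core, tail = m.groups()
        for i in range(1, len(core)):
            out.add(core[i:] + core[:i] + tail)
    out.discard(pw)
    return out


def candidates(old: str, depth: int = 2) -> list:
    """Passwords reachable from old in at most `depth` edits, fewest edits first."""
    seen, frontier, order = {old}, [old], []
    for _ in range(depth):
        nxt = []
        for p in frontier:
            for q in transforms(p):
                if q not in seen:
                    seen.add(q)
                    nxt.append(q)
                    order.append(q)
        frontier = nxt
    return order


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def guess_new_password(old: str, new_hash: str, depth: int = 2):
    """Attacker's view: the OLD password in clear plus only the hash of the NEW one.
    Returns (recovered_or_None, guesses_made)."""
    cands = candidates(old, depth)
    for n, c in enumerate(cands, start=1):
        if sha256_hex(c) == new_hash:
            return c, n
    return None, len(cands)


def is_trivial_change(old: str, new: str, depth: int = 2) -> bool:
    """Defender's view: reject a new password that is just an edit of the old one.
    A service can run this during the change request, when it still has both
    plaintexts; a user can run it on their own choices."""
    return new == old or new in set(candidates(old, depth))


if __name__ == "__main__":
    for old, new in [("iguru123", "1guru123"), ("newsiguru!", "igurunews!!"),
                     ("iguru1", "1iguru"), ("iguru123", "k7$Tz!q9Lm2v")]:
        found, tries = guess_new_password(old, sha256_hex(new))
        print(f"old={old!r:14} new={new!r:16} guessed={found is not None} "
              f"after {tries} tries; trivial change: {is_trivial_change(old, new)}")
```

Two edits of depth already cover the article's own examples (1guru123, igurunews!!, 1iguru) with a few thousand guesses, which is why the study could find them in seconds; the only new password the search does not reach is the one with no relation to the old, which is exactly what the change-time check enforces.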
But what about forced password resets?
Is it a good idea for an application or service to force its end users to create new passwords? Probably not.
In 2009, the National Institute of Standards and Technology (NIST) said that regular password changes were "beneficial to reduce the impact of certain password compromises" but "ineffective in other cases". An answer worthy of the Pythian oracle. What is certain is that users are frustrated by a forced change every three months or so.
All of the above may sound complicated, so let's sum it up:
Frequent password changes make users only marginally more secure, and only if each new password is genuinely strong.
Forced (frequent) password changes often have the opposite effect, because users tend to choose weaker passwords or a variation of the old one.