I fell way behind on episodes, so just finished this one today. Sorry for the necro.
Yeah, but how much less secure is my strong password after a year, compared to after 3 months? Is 3 months some sort of optimized compromise between how often hackers get access to my mid-sized engineering consulting company's password list and how often I need to enter my password? Or is it some arbitrary bullshit thing that makes upper management feel better, as per TSA theater at the airport?

How less secure it is after a year compared to 3 months depends entirely on how often you re-use that password, because the more it is reused and the more time has passed, the likelier that the password has been stolen from a hacked website on which you used it. Once that happens, all your other accounts using the same password are highly vulnerable.
Right, password change policies are a response to bad password practices (i.e. reusing the same one for multiple services). But if you have different passwords for everything, there's no risk in keeping the same one indefinitely for any particular service, as long as that service isn't hacked. (Or if you think they won't reveal hacks, change it as often as you think that's likely to happen.)
Plus part of the reason people reuse passwords is because recommendations often amount to suggesting passwords that are harder to remember than to brute-force guess.
That's not how large-scale attacks work. They work by compromising the service and stealing the database of hashed and salted passwords (pray that they are at least hashed and salted!). They can then run unconstrained offline attacks on these databases using dictionaries and, if they manage to find the salt, rainbow tables. Then, once they've obtained your password through an offline attack, they will use it to log in.
Yeah, I'm immediately suspicious of any site with an overly restrictive length requirement for passwords, because it suggests they're doing something with the plaintext password (possibly even storing it that way).
Again, I don't use guessable passwords.

If it's 10 characters or less and contains any dictionary words, it probably wouldn't last very long against an offline attack.
Sure, but remember the community you're talking to here. I can't speak for Daniel but my bank password is something like "CRd9P59Bl63l+DSYZ/kG", and my first Google passphrase was "I wouldn't have thought this morning that today would be the day I changed my password to this." It doesn't quite have the full entropy of random English sentences (as it's self-referential about changing a password), but I suspect it's still got around 96 bits of entropy or so.
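To put rough numbers on two points raised in this thread, the "unconstrained offline attack" against a stolen hash database and the entropy estimates in the post above, here is a small calculator. This is an added example written for this discussion, not code from any poster; the guess rates, wordlist size and template sizes are assumed round figures, and the passwords are described only by their shape (length and alphabet), not their actual value.

```python
import math

# Assumed order-of-magnitude guess rates for an attacker holding the password
# database and running offline (constructed figures, not from the thread).
GUESS_RATES_PER_SECOND = {
    "fast unsalted hash (e.g. a single raw SHA-256 per guess)": 1e10,
    "slow salted KDF (e.g. bcrypt/scrypt/Argon2 tuned to ~0.1 ms)": 1e4,
}


def random_string_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def word_passphrase_bits(word_count, wordlist_size):
    """Entropy of a passphrase of words drawn uniformly from a wordlist."""
    return word_count * math.log2(wordlist_size)


def pattern_bits(*choice_counts):
    """Entropy of a password built by filling a fixed human-style template,
    e.g. (dictionary word) + (two digits) + (one symbol). The keyspace is the
    product of the choices at each slot, not the character-set size."""
    total = 1
    for n in choice_counts:
        total *= n
    return math.log2(total)


def expected_crack_seconds(bits, guesses_per_second):
    """Average time to find a password in a keyspace of 2**bits: the attacker
    hits it after searching half the space on average."""
    return (2 ** bits) / 2 / guesses_per_second


def human_duration(seconds):
    """Render seconds as a readable unit for the printed summary."""
    for unit, size in (("years", 365 * 24 * 3600), ("days", 24 * 3600),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3g} seconds"


def report(label, bits):
    print(f"{label}: ~{bits:.1f} bits")
    for rate_label, rate in GUESS_RATES_PER_SECOND.items():
        secs = expected_crack_seconds(bits, rate)
        print(f"    vs {rate_label}: {human_duration(secs)}")


if __name__ == "__main__":
    # Shape of the bank password quoted above: 20 characters from a
    # 64-symbol (base64-style) alphabet, assuming they were generated randomly.
    report("20-char random base64-style string", random_string_bits(20, 64))
    # The "10 characters or less with a dictionary word" case from the thread,
    # modelled as word (assumed 50,000-word list) + 2 digits + 1 symbol.
    report("dictionary word + 2 digits + 1 symbol", pattern_bits(50_000, 100, 33))
    # A genuinely random wordlist passphrase for comparison (assumed 7,776-word list).
    report("6 random words from a 7,776-word list", word_passphrase_bits(6, 7_776))
```

The takeaways match the thread: a template built around a dictionary word falls in well under a second against a fast hash no matter how many character classes it mixes in, while the slow salted KDF buys the defender roughly six orders of magnitude, which is why the state of the stolen database matters as much as the age of the password.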
Strong passwords help protect against this, but the older they are the greater the likelihood they have been cracked or stolen.
More significantly, the more reused they are the greater likelihood they have been cracked or stolen. Using the same unique password for a long time for office intranet (for a company unattractive to hackers), which seems to be where most of the ridiculously frequent password-change policies come from, is probably considerably less risky than using one password for a bunch of your things and changing it every couple of months.