Author Topic: Changing passwords

Offline daniel1948

Changing passwords
« on: November 22, 2017, 01:23:57 PM »
This morning I wanted to log onto a web site, and it informed me that I had to change my password. Furthermore, my new password had to have at least one letter, one number, and one special character. Yet I have other web sites that never require me to change my password. I argue that changing my password accomplishes nothing except to make it harder to remember my password so that I have to keep it written down. Some, but not all, site admins seem to think that forcing me to change my password will make my account more secure.

I'm wondering what folks think: Should I be changing my passwords all the time? I use passwords that are not actual words, have no connection to any personal information about me, and that nobody is ever going to guess.
Daniel
----------------
"Anyone who has ever looked into the glazed eyes of a soldier dying on the battlefield will think long and hard before starting a war."
-- Otto von Bismarck

Offline moj

Re: Changing passwords
« Reply #1 on: November 22, 2017, 01:26:38 PM »

Online Friendly Angel

Re: Changing passwords
« Reply #2 on: November 22, 2017, 01:28:23 PM »
I also contend that requiring the changing of passwords frequently winds up in creating passwords that are EASIER for the bad guys to guess... because they're easier for us to remember.
Amend and resubmit.

Offline Ah.hell

Re: Changing passwords
« Reply #3 on: November 22, 2017, 01:46:44 PM »
If you use the same password on multiple sites and some might give financial access if hacked, I'd say change them.  A few years ago I heard the suggestion to make a password based on a simple-to-remember formula that is impacted by the website's name.  That way every password is different but easy to remember and unless someone is after you in particular and knows you have such a system, you can only lose one password at a time.

I've slowly incorporated this into my life.  It has made my life better but every once in a while I come across a site that has requirements outside the parameters of my formula.  A site that won't let you use certain characters or whatnot.

Offline daniel1948

Re: Changing passwords
« Reply #4 on: November 22, 2017, 02:33:33 PM »
On sites of zero importance (e.g. posting comments on ZDNet) I use the same password, fairly simple though unlikely to be guessed. On sites that have financial or other important information, I use a separate password for each site, entirely unique, and that nobody is going to guess. A password is like the lock on your door. The point is not to make it impossible to get through the door. The point is to make it harder to pick the lock than it is to just smash your way into the house. When/if my accounts are hacked, it won't be by way of guessing my password.
Daniel

Online arthwollipot

Re: Changing passwords
« Reply #5 on: November 22, 2017, 04:15:42 PM »
No, it's not strictly necessary, so long as you have a sufficiently complex password in the first place. But it's not about you. The vast majority of people who use password-protected sites use crappy passwords, and these policies are in place for them.

Sometimes those of us with a modicum of knowledge about online security have to deal with policies that are designed for idiots.

For me, I find that LastPass does an adequate job of managing my passwords. But then again, I have no need for anything above moderate security.

Offline The Latinist

Re: Changing passwords
« Reply #6 on: November 22, 2017, 04:38:46 PM »
Lastpass. Use it. Love it. All my passwords are long and randomly-generated and I only need to remember one very secure master passphrase.
I would like to propose...that...it is undesirable to believe in a proposition when there is no ground whatever for supposing it true. — Bertrand Russell

Offline daniel1948

Re: Changing passwords
« Reply #7 on: November 22, 2017, 05:19:02 PM »
Quote from: arthwollipot
> No, it's not strictly necessary, so long as you have a sufficiently complex password in the first place. But it's not about you. The vast majority of people who use password-protected sites use crappy passwords, and these policies are in place for them.
>
> Sometimes those of us with a modicum of knowledge about online security have to deal with policies that are designed for idiots.
>
> For me, I find that LastPass does an adequate job of managing my passwords. But then again, I have no need for anything above moderate security.

Does it make those folks more secure to continually change their weak passwords? That is, does changing a weak password regularly, for another weak password, make you any more secure?

The problem I have with password managers is that if someone breaks into my password manager, they'd get access to ALL my sites.
Daniel

Offline The Latinist

Re: Changing passwords
« Reply #8 on: November 22, 2017, 05:29:45 PM »
Quote from: daniel1948
> The problem I have with password managers is that if someone breaks into my password manager, they'd get access to ALL my sites.

But how are they going to break into your password manager? Literally nobody besides me knows my master passphrase—not even LastPass. It is hashed on my computer and transmitted to LastPass over SSL to avoid interception.  There it is hashed again before storage. Even if someone were to steal LastPass’s hash of my hashed password, it would be impracticable to calculate a hash collision that would allow my password vault to be accessed.

I suppose a keylogger installed on my Mac might work, or if someone were able to establish a man-in-the-middle they might steal the hash the software sends to LastPass. But then, even if they were able to obtain that they couldn’t gain access to my vault without physical access to my phone and my fingerprint to verify the login.

So...yeah...I’m pretty confident my passwords are safe.
« Last Edit: November 22, 2017, 05:33:29 PM by The Latinist »

Offline daniel1948

Re: Changing passwords
« Reply #9 on: November 22, 2017, 07:02:52 PM »
I'm not worried that someone might guess the master password. I'm worried about a flaw in the password manager app that allows a hacker to gain control of the program.
Daniel

Offline moj

Re: Changing passwords
« Reply #10 on: November 22, 2017, 07:12:06 PM »
It has happened before.

https://www.theguardian.com/technology/2017/mar/30/lastpass-warns-users-to-exercise-caution-while-it-fixes-major-vulnerability

Quote
> Password manager LastPass is advising users to avoid using its browser plugins while it battles to fix a “major architectural problem”, which could allow an attacker to steal passwords or execute code.
>
> The vulnerability was discovered by Tavis Ormandy, a security researcher at Google, who tweeted about its existence over the weekend. Keeping with responsible disclosure norms, Ormandy did not publicly state how the bug is exploited, and informed LastPass of its existence.

Offline Belgarath

Re: Changing passwords
« Reply #11 on: November 22, 2017, 10:55:16 PM »
If a site suspects they’ve been hacked, it is good security practice to make you change your password.

Yes, LastPass has been hacked, but NO ONE has ever gotten access to a LastPass user’s passwords without first knowing the master password. Their security on that is really good.

In addition to knowing my master password, unless you have my physical key (YubiKey) you’re not going to get access to my passwords.


#non-belief denialist

Offline daniel1948

Re: Changing passwords
« Reply #12 on: November 23, 2017, 10:12:46 AM »
Quote from: Belgarath
> If a site suspects they’ve been hacked, it is good security practice to make you change your password.

Agreed. But some sites make you change your password on a regular basis when they have no reason to think they've been hacked.

Quote from: Belgarath
> In addition to knowing my master password, unless you have my physical key (YubiKey) you’re not going to get access to my passwords.

Great idea. No help, though, when I'm using my iPad.
Daniel

Offline Belgarath

Re: Changing passwords
« Reply #13 on: November 23, 2017, 11:01:33 AM »
Quote from: daniel1948
> > If a site suspects they’ve been hacked, it is good security practice to make you change your password.
>
> Agreed. But some sites make you change your password on a regular basis when they have no reason to think they've been hacked.
>
> > In addition to knowing my master password, unless you have my physical key (YubiKey) you’re not going to get access to my passwords.
>
> Great idea. No help, though, when I'm using my iPad.

Then you set up a secondary method for getting your second factor.  Essentially you use Google Authenticator for the same thing.

Forcing you to change your password regularly came from NIST back in the 90s.  Just last year they updated that advice and do not recommend it anymore.

BTW, I disagree with the XKCD comic.  If you use a series of real words, your entropy is less than if you use a random series of letters, numbers and symbols of the same length.  By using just a long series of words, you are subject to a classic dictionary attack and you greatly reduce the search space.


ETA:  Try me here:

https://www.grc.com/haystack.htm

Use a random series of letters and numbers OF THE SAME NUMBER OF CHARACTERS as a long series of real words.
« Last Edit: November 23, 2017, 11:03:38 AM by Belgarath »
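Belgarath's same-length comparison, worked through as an added example (not code from the post or from the GRC page): it computes the search space of a passphrase drawn from a word list the attacker knows against a uniformly random string with the same number of characters, and how few random characters already reach the passphrase's entropy. The 7776-word list size, the alphabet sizes and the sample passphrase are assumed values.

```python
import math

# Constructed parameters (assumptions, not figures from the thread).
PRINTABLE_ASCII = 95      # printable ASCII characters including space
ALPHANUMERIC = 62         # a-z, A-Z, 0-9
DICEWARE_WORDS = 7776     # size of a standard Diceware word list (6 ** 5)


def random_string_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: each position is an
    independent choice among alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of a passphrase when the attacker knows the word list and
    enumerates word combinations (the dictionary attack the post describes).
    The character count is then irrelevant; only the word choices count."""
    return word_count * math.log2(dictionary_size)


def words_needed(target_bits: float, dictionary_size: int) -> int:
    """Smallest number of list words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(dictionary_size))


def compare(passphrase: str, dictionary_size: int = DICEWARE_WORDS,
            alphabet_size: int = PRINTABLE_ASCII) -> dict:
    """The post's comparison: passphrase vs random string of equal length."""
    words = passphrase.split()
    phrase_bits = passphrase_bits(len(words), dictionary_size)
    same_length = random_string_bits(alphabet_size, len(passphrase))
    return {
        "chars": len(passphrase),
        "words": len(words),
        "passphrase_bits": round(phrase_bits, 1),
        "random_same_length_bits": round(same_length, 1),
        # How few random characters already match the passphrase's entropy.
        "random_chars_to_match": math.ceil(phrase_bits / math.log2(alphabet_size)),
    }


if __name__ == "__main__":
    # Constructed sample passphrase: four words from the list.
    print(compare("correct horse battery staple"))
    print(compare("correct horse battery staple", alphabet_size=ALPHANUMERIC))
    print("words for 128 bits:", words_needed(128, DICEWARE_WORDS))
```

Four list words give about 52 bits, which an 8-character random printable string or a 9-character alphanumeric one already matches; the trade-off the thread argues over is that the words are far easier to remember than either.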

Offline daniel1948

Re: Changing passwords
« Reply #14 on: November 23, 2017, 11:13:19 AM »
The problem for me with two-factor using the phone is that I go places where I have internet access and want to access web sites, but where there is no cell service. Are there other commonly-used two-factor methods that do not depend on cell service or having USB on the device?

On brute-force password guessing, I don't know if they do this, but a simple way to defeat this would be to enforce a one-second wait between guesses. Another that many web sites do use is that after three failed attempts, or some other arbitrary small number, the account is locked. I don't think that iOS uses either for access to phones and tablets. But I'm much less concerned about access to my devices than access to my banking site.
Daniel
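The two brute-force defences Daniel describes, a one-second wait between guesses and a lockout after three failures, as an added example (not code from the thread): a small per-account throttle that applies both, with a constructed fake clock so the demonstration runs without sleeping. The account name, the 15-minute lockout and the `verify` callback standing in for the real password check are assumed.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0   # earliest time the next attempt is accepted
    locked_until: float = 0.0   # 0.0 means not locked

class LoginThrottle:
    """Per-account throttling with both controls from the post: a minimum
    delay between guesses and a lockout after a few failures. The lockout
    expires, so a stranger who knows the username cannot lock the owner
    out for good, which is the main cost of permanent lockouts."""
    def __init__(self, min_delay=1.0, max_failures=3, lockout_seconds=900.0,
                 clock: Callable[[], float] = time.monotonic):
        self.min_delay = min_delay
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, username: str, verify: Callable[[], bool]) -> str:
        now = self.clock()
        st = self.accounts.setdefault(username, AccountState())
        if now < st.locked_until:
            return "locked"        # the password is not even checked
        if now < st.next_allowed:
            return "too_fast"      # enforces the one-second spacing
        st.next_allowed = now + self.min_delay
        if verify():               # caller's real password check goes here
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.failures = 0
            st.locked_until = now + self.lockout_seconds
            return "locked"
        return "bad_password"

class FakeClock:  # constructed clock so the demonstration runs instantly
    def __init__(self): self.t = 0.0
    def advance(self, s: float): self.t += s
    def __call__(self) -> float: return self.t

def demo() -> List[str]:
    """Three wrong guesses on a constructed account, then correct ones."""
    clock, out = FakeClock(), []
    th = LoginThrottle(clock=clock)
    for gap, ok in [(0, False), (0, False), (1, False), (1, False), (1, True), (900, True)]:
        clock.advance(gap)
        out.append(th.attempt("alice", lambda: ok))
    return out
```

A fixed delay on its own still permits tens of thousands of guesses per day, and a hard lockout lets anyone who knows a username deny its owner access, which is why the two are combined and the lockout is time-limited.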
