Clark Morris wrote, in part:

>Another thing that has always baffled is the idea that even if I have
>a strong password that is NOT written down, I still should change it
>once a month. If the site I am logging into enforces good management
>by locking the account after say 5 attempts in 15 minutes thus
>allowing no more than 16 attempts an hour or 140544 attempts a year,
>how is not changing my password going to make that much of a
>difference since at 1,404,544 attempts in 10 years that is still a
>small fraction of the 656 billion possibilities with an 8 character
>password assuming ONLY 30 characters in a character set?
I share this reservation to some extent. I believe that for most uses, there are (at least) two types of systems:

1) Those we as end-users take seriously
2) Those we as end-users don't take seriously

By that, I mean that class 1 is our bank, work (hopefully!), healthcare provider -- systems like that; class 2 is our Outback Curbside Takeaway login, that online store where you had to register to buy something and will likely never visit again, et al.

Now, assuming that people follow such a scheme (and I know many don't--which puts all sites into class 2), then I'd argue that the following logic applies.

With class 1, I see no good reason to force frequent changes. Occasional changes -- maybe; I'm not entirely convinced but not entirely UNconvinced, either. There's some validity to an argument that the longer a password gets used, the more likely it is to be accidentally revealed by shoulder-surfing or other means, but that seems pretty thin.

For class 2, the argument is that people reuse passwords. They have to: unless they use a password manager (which adds its own risk), then who's going to remember the login for JoesHamsterShack.com three years from now? No, instead we use our "usual" password, adding "1" (or "9", or some other well-remembered digit) when it says "Must contain a digit", and some equally consistent piece of punctuation when we need that. Similarly, we use the same userid, adding digits if needed. That way we can send ourselves a note saying "JoesHamsterShack.com login: usual/usual123", and three years from now, we can look at that note and with reasonable certainty say "Ah, right, that means the userid is <x> and the password is <y>".

So far so good. But the problem is that Joe sells hamsters: he isn't an IT security guy. So when he gets hacked, and it turns out that his user database is plaintext--not even hashed passwords--then there's a risk that someone who gets a copy of that database will try our usual/usual123 combination on SamsSnakeHouse.com and get in (yes, this assumes you have an eclectic pet collection!).

How big is that risk? Not clear, in large part because we don't generally find out how an ID gets hacked; add in the fact that spoofed email still happens, so people often THINK they've been hacked when they haven't really, which muddies the waters further. Yahoo! mail, for instance, is well-known to be "porous", in that we get tons of spam from correspondents who use Yahoo! mail, correctly targeted at our email (and with other correspondents of theirs on the To: line), which makes us think that "their ID must have been hacked--otherwise how would it have known to send mail to folks in their address book?" That's a logical conclusion, but it happens so often that either Yahoo! is wildly incompetent (possible, but unlikely) or there's some OTHER way that folks get ahold of Yahoo! address books, without actually getting at Yahoo! email accounts. We just don't know.

So...changing class 2 passwords periodically isn't the world's worst idea. Painful? Yes. Every month? Be serious--that's always struck me as stupid: it *guarantees* that I'm either going to write them down or use a pattern (hamster1, hamster2, hamster3...).

This is all made more complicated when we use multiple, random machines and/or share accounts with our spouses: if I kept changing our Amazon password every month to one of those recommended random strings of bytes, my wife would be irritated (or I'd have to email her the password, which would be insecure). And I'd never manage to get logged on anywhere but my home machine!

ObAnecdote: My dad was fluent in many languages. When he taught at the University where I worked, he sent me a list of the 12 months in one of those languages, and told me that he used one of those as his password; not always in sync with the current month, but pretty close. So if I needed to get on one of his IDs today (were he alive and I still working there), I'd have tried "may" in that language; if it didn't work, "april" or "march" would have. Worked well and seemed fairly secure.

As Heather Adkins of Google said (and Heartbleed reinforced), "Passwords are dead". The problem is that we don't have a good, universal replacement (yet?).

...phsiii

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
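As an added worked example (not part of the thread, and not code from either poster), the following Python models the online-guessing budget that the lockout policy quoted above implies and compares it against the keyspace, with and without periodic rotation. The policy parameters (5 attempts per 15 minutes, 8 characters drawn from a 30-character set, a 10-year horizon) are the ones in Clark's question; an attacker who guesses at the maximum rate the lockout permits, a uniformly random password, and a 365-day year are assumptions made here.

```python
"""Online password-guessing budget under an account-lockout policy.

Added example: models the scenario quoted in the thread (5 attempts per
15 minutes, 8-character password over a 30-character set, 10 years) and
asks whether periodic rotation changes the attacker's odds. Assumes an
attacker who guesses at the maximum rate the lockout permits, a password
chosen uniformly at random, and a 365-day year (all assumptions, not
facts taken from the thread).
"""


def attempts_per_year(max_attempts, window_minutes, days_per_year=365):
    """Guesses per year an attacker can make without tripping the lockout threshold."""
    per_hour = max_attempts * (60 / window_minutes)
    return per_hour * 24 * days_per_year


def keyspace(charset_size, length):
    """Number of distinct passwords of the given length over the given character set."""
    return charset_size ** length


def p_success_no_rotation(rate_per_year, years, space):
    """Probability an online attacker guesses a fixed random password within `years`.

    Each distinct guess removes one candidate from the space, so the chance of a
    hit is attempts / space (capped at 1).
    """
    return min(1.0, rate_per_year * years / space)


def p_success_with_rotation(rate_per_year, years, space, rotation_years):
    """Same attacker, but the password is replaced with a fresh random one every
    `rotation_years`. Guesses made before a reset give no information about the
    new password, so each rotation period is an independent trial.
    """
    per_period = min(1.0, rate_per_year * rotation_years / space)
    periods = years / rotation_years
    return 1.0 - (1.0 - per_period) ** periods


def years_to_half_keyspace(rate_per_year, space):
    """Years the rate-limited online attacker needs to have tried half of the keyspace."""
    return space / (2.0 * rate_per_year)


if __name__ == "__main__":
    rate = attempts_per_year(5, 15)   # lockout policy: 5 tries per 15 minutes
    space = keyspace(30, 8)           # 30^8 possibilities
    print(f"attempts/year under lockout:  {rate:,.0f}")
    print(f"keyspace:                     {space:,}")
    print(f"P(guess in 10y, no rotation): {p_success_no_rotation(rate, 10, space):.3e}")
    print(f"P(guess in 10y, monthly):     {p_success_with_rotation(rate, 10, space, 1 / 12):.3e}")
    print(f"years to cover half keyspace: {years_to_half_keyspace(rate, space):,.0f}")
```

Run as-is, the two probabilities for the 10-year horizon agree to well beyond the digits that matter: monthly rotation does not change a rate-limited online guesser's odds, because a fresh random password simply restarts a search that was nowhere near exhausting the space. What the model cannot help with is the case the reply worries about, a plaintext user database leaking from JoesHamsterShack.com: there the attempt count is irrelevant, since the reused password is handed over directly, and the mitigations are storing only salted password hashes on the site side and not reusing credentials on the user side.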
