Passwords
Pontific, 2013-02-27 21:43:26

Why change passwords periodically?

Changing passwords periodically is often called an elementary information security rule, but does a complex password "go bad" over time? If it were picked up, would the attacker give the victim time to change it?

Qiwi wallet, for example, forces you to change your password constantly and does not allow you to reuse one you have already used. Their support service could not explain to me why this is necessary.

Even Microsoft has calculated that it is not profitable to change passwords.

Do you think it should be changed?


12 answer(s)
Igor Smirnov, 2013-03-01
@Pontific

1. If we are talking about user passwords in an organization, then, among other things, changing passwords protects against situations where a user gives his password to another employee during illness or another emergency (even though this is usually prohibited by the organization's information security policy, such situations cannot be avoided). If you do not change passwords forcibly, then in a year we will get a situation where everyone within the department knows each other's passwords.
2. Users have a sad habit of using the same password everywhere: the more places a password is used, the more likely it is to be compromised. If you don't change passwords, it may well turn out that because of the hacking of the "plush" site, the accounts at that same Qiwi, where there is quite real money, are under threat. To avoid unnecessary problems, they force users to change passwords (so that at least on their site users' passwords are unique) (IMHO).
3. As mentioned above: brute force. If the password is never changed, then given "unlimited time", a year or two, the password can still be brute-forced (the option of 20-30 incoherent characters is not considered; "regular" users rarely use these).
PS: despite the article, in its policy recommendations MS still says that passwords should be changed periodically and not repeated :)

Daedmen, 2013-02-27
@Daedmen

They stole it today and used it after it had been lying around for some time: so change it, out of righteous paranoia.

cepera_ang, 2013-02-27
@cepera_ang

This is the idiotic fun of paranoids from IS. Theoretically, this is supposed to increase protection by incredible amounts; in practice it creates only inconvenience. A normal password of more than a dozen characters is almost impossible to brute-force, especially if there is at least minimal protection, such as a delay of at least a second between password entries. The only risk that can be reduced is that a stolen password can be used not for an infinite time but only until the next change; how relevant this is is difficult to assess, except that if someone is spying, a password for financial systems, etc. can be used by an attacker in a couple of seconds. In short, only cons, especially for rarely used systems: you go there once a month and every time the password does not work because the time to change it has passed, you reset it, etc. I saw the system once

sefus, 2013-02-27
@sefus

For systems without brute-force protection, you need to change it.
Let's say the password has a certain number of characters, the complete enumeration of which takes an attacker a year. If you do not change the password, then in a year the account is guaranteed to be stolen. And if you change it every month, then the probability of theft is always about the same, and it is much less.
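The year-long exhaustive search in this answer, together with the one-attempt-per-second delay mentioned by cepera_ang above, can be put into numbers. This is an added example, not from the thread; the guess rate, keyspace and rotation periods are assumed, and the model is a sequential enumeration against a password that is replaced by a fresh random one at each forced change:

```python
import random

SECONDS_PER_DAY = 86_400

def p_compromised_by(horizon_days, keyspace, guesses_per_day, rotation_days=None):
    """Closed form. Attacker enumerates the keyspace in order without repeating.
    No rotation: the secret sits at a uniform position, so P grows linearly.
    Rotation: each period is an independent draw of the secret, and the attacker's
    block of guesses in that period hits it with P = block / keyspace."""
    if not rotation_days:
        return min(1.0, guesses_per_day * horizon_days / keyspace)
    p_period = min(1.0, guesses_per_day * rotation_days / keyspace)
    return 1.0 - (1.0 - p_period) ** (horizon_days / rotation_days)

def simulate(horizon_days, keyspace, guesses_per_day, rotation_days=None,
             trials=2000, seed=1):
    """Monte Carlo of the same model, one day per step. Returns (fraction of trials
    compromised within the horizon, mean days the attacker could keep using the
    password before the next forced change or the end of the horizon)."""
    rng = random.Random(seed)
    hits, exposure = 0, 0
    for _ in range(trials):
        secret = rng.randrange(keyspace)              # defender's password as an index
        for day in range(horizon_days):
            lo = (day * guesses_per_day) % keyspace   # today's block of candidates
            if lo <= secret < lo + guesses_per_day:
                hits += 1
                exposure += (rotation_days - day % rotation_days if rotation_days
                             else horizon_days - day)
                break
            if rotation_days and (day + 1) % rotation_days == 0:
                secret = rng.randrange(keyspace)      # forced change: fresh password
    return hits / trials, (exposure / hits if hits else 0.0)

if __name__ == "__main__":
    # Assumed numbers: one attempt per second (a rate-limit delay) and a space sized so
    # that full enumeration takes exactly a year, as in the thought experiment above.
    rate = SECONDS_PER_DAY
    space = 365 * rate
    for rot in (None, 30, 7):
        frac, window = simulate(365, space, rate, rot)
        print(f"rotation={rot!s:>4}: P(compromised within a year)={frac:.2f} "
              f"(closed form {p_compromised_by(365, space, rate, rot):.2f}), "
              f"mean usable window after compromise={window:.1f} days")
```

The run prints the chance that the search hits the password at some point in the year and the average number of days a found password stays usable; it is the second number that rotation shrinks sharply.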

pavelsh, 2013-02-28
@pavelsh

And what amuses me in this situation is that frequent password changes force users to write the password on a piece of paper and stick it to the monitor, because they cannot remember "a long and complex password, which must contain letters in both cases, numbers and punctuation marks".

Loreweil, 2013-02-28
@Loreweil

Most of the time it's paranoia. As for the length of the password, it is not so much its length that matters as its entropy: many brute-forcers first run through dictionaries of the most frequently encountered passwords, and, for example, the password AlbertEinshteinIsTheBestScientistEver111 is much easier to crack than Qhj4bnN5fD.
By the way, many large organizations have long been solving this problem by introducing two-factor authentication: a complex long password is stored on an electronic USB key or smart card, which in turn is accessed using a six-digit PIN code. So the user needs to have the USB key and know the PIN code to log in to the system. Of the benefits: there is no need to remember wild passwords; changing the real password is painless for the user (after all, the PIN code can stay the same); and since the password is not typed on the keyboard, there is no need to write it down on a piece of paper and hide it under the keyboard, so the risk of password compromise is reduced. Of the minuses: if the key is lost, it may take some time to restore it, and in some cases paperwork (write an application to the head of the IT department, etc.).
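To make the "entropy, not length" point concrete, here is an added example (not Loreweil's or the thread's own code) contrasting the naive character-class estimate with a dictionary-aware one for the two passwords quoted above; the 100,000-entry word list size, the tiny word set and the top-password list are constructed stand-ins for an attacker's real lists.

```python
import math
import re

# Constructed attacker model (assumption, not from the thread): the attacker tries a
# short list of whole passwords first, then combines words from a 100k-entry word list.
WORDLIST_SIZE = 100_000
COMMON_WORDS = {"albert", "einstein", "einshtein", "is", "the", "best",
                "scientist", "ever", "password", "qwerty", "love"}
TOP_PASSWORDS = ["123456", "password", "qwerty", "111111", "iloveyou"]

def naive_bits(pw):
    """Character-class estimate: every character treated as uniformly random."""
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33))
    charset = sum(size for pat, size in classes if re.search(pat, pw))
    return len(pw) * math.log2(charset)

def tokenize(pw):
    """Greedy split into digit runs, longest matching dictionary words, and leftovers."""
    tokens, i, low = [], 0, pw.lower()
    while i < len(pw):
        m = re.match(r"\d+", pw[i:])
        if m:
            tokens.append(("digits", m.group()))
            i += len(m.group())
            continue
        for j in range(len(pw), i, -1):
            if low[i:j] in COMMON_WORDS:
                tokens.append(("word", pw[i:j]))
                i = j
                break
        else:
            tokens.append(("char", pw[i]))
            i += 1
    return tokens

def attacker_bits(pw):
    """Dictionary-aware estimate: a whole top-list hit costs log2(its position);
    otherwise each word costs log2(wordlist) + 1 bit for capitalisation, each digit
    log2(10), and only leftover characters cost a full printable-ASCII guess."""
    if pw.lower() in TOP_PASSWORDS:
        return math.log2(TOP_PASSWORDS.index(pw.lower()) + 1)
    bits = 0.0
    for kind, tok in tokenize(pw):
        if kind == "word":
            bits += math.log2(WORDLIST_SIZE) + 1
        elif kind == "digits":
            bits += len(tok) * math.log2(10)
        else:
            bits += math.log2(95)
    return bits

for pw in ("AlbertEinshteinIsTheBestScientistEver111", "Qhj4bnN5fD"):
    print(f"{pw}: naive {naive_bits(pw):.0f} bits, dictionary-aware {attacker_bits(pw):.0f} bits")
```

The gap between the two numbers is what a dictionary attack exploits; the estimate is only as good as the attacker model, and a phrase or template list would price the whole sentence as one or two tokens rather than seven separate words.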

Nikolai Turnaviotov, 2013-02-27
@foxmuldercp

In general, I have only one password shorter than 20 characters; the rest are over 20. I don't know a single password; abracadabra like “HTkveEDk*'VoL”{37RUJKiUpipJuFmAoq[lW})o,” is remembered only by the password manager, whose database automatically spreads to all machines authorized in the cloud, with a local copy plus a couple of copies somewhere offline. In the manager I record the date of the password change and try to change them all once every six months. Changing all passwords for all accounts takes a maximum of half an hour, if something happens. Something like that.

IrkDesigner, 2013-02-28
@IrkDesigner

It all depends on the criticality of the information in the user's information system. If the information is quite critical and is of interest to an attacker for a long time (for example, gaining access to the results of an ongoing study, design drawings, etc.), then it would be more reasonable to use a password change. This measure will help to avoid "permanent" information leakage - in the event of a compromise, the user will only have compromised work data that was entered before the password change. After changing the password, the attacker will lose access to user data.
In the same case, if the attacker's goal is to disable systems or perform another single operation (the same transfer of funds), then changing the password is desirable, but not required. An attacker will fiddle with a strong password of a dozen and a half characters for quite a long time, and even then only if he is sure that the game is worth the candle.

ansv, 2013-02-28
@ansv

A password can be obtained not only by brute force. If you turn on paranoid mode, then:
1. If the password is used in several places, and one of these places kept it in the clear, and then the password database was stolen from them, then your unchangeable password will become known to the attacker.
2. The more often a password is entered, the more likely it is that someone watching the input will be able to remember it. Moreover, it is not necessary to remember the entire password: any information obtained will make brute force easier.
3. If the information is critical and someone VERY wants to look at it, then a brute force option is also possible.

SergeyGrigorev, 2013-02-27
@SergeyGrigorev

It may be advantageous to change passwords when changing computers. For example, you set up "remember password" and then changed your computer. You can change it for many reasons: a new workplace, new “hardware for working with productive software”, etc. In most cases you can simply forget to remove the password manually, because a simple uninstallation of the program may leave the previous settings and, after reinstallation, simply pick them up on the fly.

Alexey, 2013-02-27
@Sterhel

AlfaClick just today forced me to change my password again without fail.
Moreover, they do not allow me to use the password that I previously used, about two years ago.

kimssster, 2013-03-02
@kimssster

I think it should be within reason. Otherwise the policy becomes: change the password every 2 months, passwords must not repeat, repeated symbols in a row are prohibited, etc. The level of information security increases... not at all: users cannot remember passwords for the 3-7 systems they work in, and as a result a sheet with passwords lies somewhere on the table, and no brute force is needed. And considering that a strong password is difficult to brute-force, the critical information may lose its relevance while it is being brute-forced. I think that 2-factor authentication with strong passwords is more effective than changing passwords every 2-3 months. And from an organizational point of view it is easier to block the entire profile if one of the identifiers is compromised.
