Please do not change your password

[RonBoyd]

Please do not change your password - The Boston Globe

Quote:

You were right: It’s a waste of your time. A study says much computer security advice is not worth following.

Quote:

Particularly dubious are the standard rules for creating and protecting website passwords, Herley found. For example, users are admonished to change passwords regularly, but redoing them is not an effective preventive step against online infiltration unless the cyber attacker (or evil colleague) who steals your sign-in sequence waits to employ it until after you’ve switched to a new one, Herley wrote. That’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door.

Quote:

So which security measures offer a reasonable return on time and effort? ... he is big on one-time measures that offer ongoing benefits, like installing the latest software to shield against viruses and spyware (set it to automatically update). ... The company also recommends activating a firewall, which “functions like a moat around a castle.” ... offer insulation from what is perhaps the biggest security menace of all: users.

[ERD50]

Quote:

Particularly dubious are the standard rules for creating and protecting website passwords, Herley found. For example, users are admonished to change passwords regularly, but redoing them is not an effective preventive step against online infiltration unless the cyber attacker (or evil colleague) who steals your sign-in sequence waits to employ it until after you’ve switched to a new one, Herley wrote. That’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door.

Thanks, now I feel much better about not changing my passwords. Procrastination often has rewards!

Seriously though, this has given me one more kick-in-the-butt that I need to get a real PW system set up. I don't want to do that if I have to change them too. I know you should have longer more complex PWs for the stuff you care about. I know there are many ways to do this and still make it easy to remember for the user. Like if you turn 60 today, maybe you include the string 'A15NtFt' which you recall as April 15, 1950, plus something unique to the site that you can remember. I just need a real system for this. Procrastination often has risks!

The mnemonic thing seems best. When I switched from TurboTax to TaxAct, after being aggravated with TT, but unsure that TA was better, my PW included something like (but not this of course) Gosh, I Sure Hope This Is Better Than Turbo Tax, so the mnemonic is GISHTIBTTT_A15NtFt

So even if you have that written down somewhere (like in your wallet, on your cell phone), a thief probably won't figure out the mnemonic (you could even throw in a word or two that you know you don't use to throw that off. Plus, don't write down the A15NtFt, just write _BD, and you know to add that. So they never have the whole thing. I'd even use some reminder for what web-site it is rather than write down "Vanguard, multi-billion dollar accounts'.

Maybe someday I'll actually do this, but it is 70F and sunny and will be 80F later, not today after our long winter.

-ERD50

[IndependentlyPoor]

Quote:

Originally Posted by ERD50 Maybe someday I'll actually do this, but it is 70F and sunny and will be 80F later, not today after our long winter.

I believe you have a Mac, so you might consider using the built-in Keychain Access application. The system uses it to manage security certificates, email passwords, and Safari might use it to remember passwords to websites. (I use Firefox, so not up on Safari).
Anyway, Keychain Access also has a Secure Note feature. I use it to store passwords, and other important stuff like credit card numbers. Keychain Access has spotlight feature, so it is easy to find what you want, even if you many stored notes.
When you try to open a note, it prompts you for your login password. Actually, several levels of security are possible, IIRC.
I've been using it for years, and am very pleased with it. However, paranoia prevents me from recording my bank or investment account passwords, in secure notes or otherwise.

[Leonidas]

Quote:

Originally Posted by ERD50 Like if you turn 60 today, maybe you include the string 'A15NtFt' which you recall as April 15, 1950, plus something unique to the site that you can remember.

The only problem with using passwords that have similarities like that is that once a bad dude hacks into one of the easy sites that have poor security, it's a lot easier to backwards engineer that to access the more secure sites. If you used A15NtFtFacebook, I could figure out A15NtFtFidelity, or A15NtFtUSBank, etc.

But, low hanging fruit is always easiest to pluck, and there are too many people who still use "Password", "Secret", or A15NtFt for everything.

The only place I ever sign on to anything is at home, so I feel okay about keeping my passwords written down. I let Firefox remember some of them, but anything financial is always entered manually. For a few sites I have allowed them to install cookies so they can recognize the computer as one I am associated with, I still log in using a password - it just doesn't ask me the security questions I set up. If I were ever to sign on using a different computer, it would ask me what was my first car, the name of my dog, etc., after I entered the pword.

I'm behind a NAT server with firewall, and my browser and Windows7 are set to automatically update. I feel pretty safe, as long as I'm careful and don't click on the wrong link or install some crapware.

For anything really sensitive, I use passwords that are at least 8-10 characters long, and have a mixture of upper and lower case letters in random order, interspersed with numbers and symbols. Brute force hacking to find "A8)p-3Lg*4Q" would take a zillion years to hack.

[ziggy29]

You don't change passwords to deter determined, expert hackers. You change passwords to eliminate "crimes of opportunity" by low-grade punks looking to pick the easy, low-hanging fruit.

[RonBoyd]

Quote:

Originally Posted by ziggy29 You don't change passwords to deter determined, expert hackers. You change passwords to eliminate "crimes of opportunity" by low-grade punks looking to pick the easy, low-hanging fruit.

Out of curiosity, how, exactly, would the new password be "better" than the old one simply through change in 0's & 1's?... in detering non-determined, non-expert hackers?

[ziggy29]

Quote:

Originally Posted by RonBoyd Out of curiosity, how, exactly, would the new password be "better" than the old one simply through change in 0's & 1's?... in detering non-determined, non-expert hackers?

They may not have sophisticated techniques to try a huge number of "easy" passwords in a short period of time.

When I was a Unix system administrator, we had a program called "crack" which tried millions of times to guess passwords of users by repeatedly trying common words phrases -- and close variants of common words and phrases. Some of these could be cracked in seconds, whereas some of the more "random" passwords with upper case, lower case, digits and special characters couldn't be cracked at all.

Now a high-level sophisticated user targeting an individual (or an individual server) might be able to take billions of "cracks" at a single login. This is why most consumer-grade "password security" is really only trying to stop the ability to crack "easy" or "intuitive" passwords. And it's why if someone with sufficient skill and determination *really* wants in, they'll get in unless they are caught before finishing the deed.

Also, a low-quality casual "hacker" may know enough about an individual that if they choose something that's identifiable to themselves, it doesn't take too many guesses to get in. (This is also why some applications lock out a user login for a period of time after X failed logins.)

[RonBoyd]

Quote:

Originally Posted by ziggy29 They may not have sophisticated techniques to try a huge number of "easy" passwords in a short period of time.

Okay, that was my mistake. I was assuming that the old password was as "sophisticated" as the new one would be. So my question should have been: If you have a strong (secure as can be) password, what advantage is there to replacing it with another of equal value? Seems to me (and the point of the article) that is merely a waste of time.

[ERD50]

Quote:

Originally Posted by IndependentlyPoor I believe you have a Mac, so you might consider using the built-in Keychain Access application.

Thanks, maybe I should look into that, but I actually lean towards super-low-tech solutions for things like this. Kind of like using speed dial all the time, if I'm away from my phone, I can't remember the number. And I do spend time on my linux netbook, or occasionally log in from different places (generally unimportant sites). I also get concerned that these get broken during a system upgrade or something, so I need a backup plan anyhow (though that can be stored away from the computer).

My low tech paper back up for DW is three separate sheets of paper with url, login and PW on separate sheets. And they are offset, but there is one (obvious to us) phony one in there, and that is the key to line them up.

I use my ATM card so rarely, I have the PIN buried in the phone number of a fictitious Aunt in my phone list. Easy for me to find, no one else would know.

Quote:

Originally Posted by Leonidas The only problem with using passwords that have similarities like that is that once a bad dude hacks into one of the easy sites that have poor security, it's a lot easier to backwards engineer that to access the more secure sites. If you used A15NtFtFacebook, I could figure out A15NtFtFidelity, or A15NtFtUSBank, etc. But, low hanging fruit is always easiest to pluck, and there are too many people who still use "Password", "Secret", or A15NtFt for everything.

Agreed, and my plan is to have a reasonably secure PW to start with (not 'Facebook', etc), and then append that A15NtFt just to add complexity to it. So even if a bad guy got that key, he'd have to figure out the other part. And like you say, there is lower hanging fruit in most cases.

-ERD50

[Alan]

The article didn't mention "social engineering" to get past the security questions such as when Sarah Palin's e-mail was hacked. User names are often easier to guess so you say you have lost your password and if you are lucky get a security question or two that you have researched such as mother's maiden name, or name of place you went to High School etc.

I'm not sure if banks and the like have tougher restrictions if you forget your password than relying just on the answers to security questions.

Two of the financial sites that I use have passwords that are a little out of the normal type. Treasury Direct uses a "virtual keyboard" to fool keyboard loggers, plus a variable code you enter from a card you were issued with.

With my HSBC UK bank I had to pick an 8 digit number and each time I log in I have to enter my date of birth (UK date style) and then I get asked for 3 of the 8 digits such as "Enter the 2nd, 4th and next to last numbers". In the early days of this I got it wrong 3 times and locked the account and had to speak with a security person who asked a bunch of questions, and then said my new, temporary password would be mailed to the physical address on record. A real PITA, as then I had to wait for overseas mail but I haven't accidentally locked the account since

[Bestwifeever]

The most common password is 123456. Second most common is 12345. Some creative minds at work there!

[RonBoyd]

Quote:

Originally Posted by Bestwifeever The most common password is 123456. Second most common is 12345. Some creative minds at work there!

So they must work (provide sufficient security)... otherwise the "Darwin" principle would have forced them down the list.

[WanderALot]

Quote:

Originally Posted by ERD50 Thanks, maybe I should look into that, but I actually lean towards super-low-tech solutions for things like this. Kind of like using speed dial all the time, if I'm away from my phone, I can't remember the number. And I do spend time on my linux netbook, or occasionally log in from different places (generally unimportant sites). I also get concerned that these get broken during a system upgrade or something, so I need a backup plan anyhow (though that can be stored away from the computer).

We switched to KeePass a year or so ago and it's been working great: KeePass Password Safe | Get KeePass Password Safe at SourceForge.net

The database is encrypted with a single password and when you want to login to a site, you can perform an 'auto-type' where it will type in the username and password into your browser window. You can also copy the username/pass into your clipboard which will then be cleared out after a certain period of time.

Keepass can also generate strong passwords which you don't have to worry about remembering since you can auto-type or cut and paste it.

Best of all, it's DW approved! DW would use 'the' as a password if she could.

[donheff]

Quote:

Originally Posted by Leonidas The only problem with using passwords that have similarities like that is that once a bad dude hacks into one of the easy sites that have poor security, it's a lot easier to backwards engineer that to access the more secure sites. If you used A15NtFtFacebook, I could figure out A15NtFtFidelity, or A15NtFtUSBank, etc.

I use an approach somewhat like what ERD mentions and I think it is fairly secure. When someone breaks into a site they don't get clear text passwords. They get an encrypted password file. They run cracker software against it and break the easy passwords though dictionary programs and brute force. It is unlikely that the complex password would get decrypted. I suppose some sites may use ridiculously weak encryption and pose a bigger risk. But sites that matter like banks, brokerage houses, etc are not in that category. Use a simple PW at routine websites and ERD type passwords at critical sites. For the most part I don't think of online shopping sites as falling in the critical category. Crackers tend to grab customer names and credit card numbers from them, not passwords. I just chalk up a CC compromise to the cost of living. It is a minor hassle but no cost to me. If you worry about CC numbers you can always use something like one time numbers.

[Rustic23]

When I create a password, I email it to myself at my gmail account, then put it in a folder that is labeled Keep. Ok, someone could hack my email account and get my password. If the figured out fireuhabales23$tpjdiel@3dk08 then they may be able to figure out how to log onto this site and leave some really nasty threads. So if you see any from me, remember someone hacked my gmail account.

[Leonidas]

Quote:

Originally Posted by donheff When someone breaks into a site they don't get clear text passwords. They get an encrypted password file.

I always thought that was the case until I watched a documentary on cyber crime and they explained how there are some sites out there that have almost no security at all, and that hackers would steal names and passwords there, and then go try the same name and password on more secure sites. Some people just use the same info for every website.

[smjsl]

While programs buy you convenience, I don't really want to trust them with most important passwords (imagine some virus hacking into them). I like the low-tech approach where I have a simple encoding / decoding scheme I can do in my head and use it to record passwords on a piece of paper. Another part of the password I memorize (or you can think of it as part of the encoding scheme). So, even if some super-hacker finds the piece of paper (how likely is that?!), it would be pretty meaningless to them since at least part of the password is in my head... and I have a good encoding scheme too

One remaining piece: some way to fight the keyloggers, rootkits, and any other spyware...

[donheff]

Quote:

Originally Posted by Leonidas I always thought that was the case until I watched a documentary on cyber crime and they explained how there are some sites out there that have almost no security at all, and that hackers would steal names and passwords there, and then go try the same name and password on more secure sites. Some people just use the same info for every website.

Good point and a real danger. That's why I distinguish between what I described as "critical" sites that actually have control over my money or other things of importance to me and everything else. It is important to use strong passwords at critical sites and to protect those passwords. It is also important not to use those crtical passwords routinely.

[Alan]

Quote:

Originally Posted by Leonidas I always thought that was the case until I watched a documentary on cyber crime and they explained how there are some sites out there that have almost no security at all, and that hackers would steal names and passwords there, and then go try the same name and password on more secure sites. Some people just use the same info for every website.

Absolutely correct which is why I have different passwords on my financial sites. If a company can tell you what your password or PIN is then they have an unencrypted password file, or their administrators / helpdesk folk have the encryption key to the password file. A helpdesk should be able to set a new password on your account, not tell you what your current password is.

[Rustward]

Quote:

Originally Posted by Alan A helpdesk should be able to set a new password on your account, not tell you what your current password is.

Absolutely right. If a helpdesk can tell you your password or PIN you should probably not be doing business with them.

Had to reset my (online bank) password yesterday. They require you to speak with an agent after you enter your new password to authenticate you. The first thing the agent told me is "do not tell me your old password or your new password.".

Then he proceeded to ask me 5 or 6 questions that only the account holder would know -- where did you open the account, how do you move money in and out, SSN, a couple of secret question/answer things I entered when opening the account.

Now, the phone call was setup by some kind of third party thingy that you click on in their web site. It called me and told me it was connecting me with an agent. Then it occurred to me that I could have been phished. I explained to the agent that I just gave out a lot of my account information to someone I was not absolutely certain was an (insert name of online bank) agent. So I asked him to tell me the account balance and the last two transactions. He passed my little authentication test.

Sorry for drifting a little.