Changed your passwords lately?

braumeister

We all get reminded to change our passwords frequently, and some of us w*rked in places where a change was required every XX days no matter what. At the same time, most of us thought very little of the practice, and now we can say that it's officially a bad idea.

The National Institute of Standards and Technology (NIST) has now come out saying those enforced frequent changes are definitely a bad idea and has issued new guidance saying organizations shouldn't do it.

Similarly, the UK's National Cyber Security Centre (NCSC) said in a report that "Regular password changing harms rather than improves security.... The user is likely to choose new passwords that are only minor variations of the old."

There are a number of ways to improve online security (passkeys, 2FA, password managers, etc.) but routinely changing your password isn't one of them.
 
Seems the number of companies whose IT systems have been hacked/compromised/breached in the last few years has been rising exponentially. Probably a good idea to get in the routine of changing your passwords if you can't use 2FA (assuming you are creating strong PWs). Maybe not the greatest thing, but it's one of the easy things you can do.
 
The NIST recommendation is great. I suspected that the hospital IT department knew the changes were BS but just continued because it was easier than explaining to management.
 
I have not changed any passwords in the 12 years since I started using a password safe. Make your userids and passwords long, using all the keyboard characters allowed, to create random strings of characters. Don't use words in dictionaries, and don't use anything associated with you, because it seems everything is public knowledge today. Security question answers should be nonsense too, either similar to userids/passwords or several words that mean nothing re the question asked.
 
(NCSC) said in a report that "Regular password changing harms rather than improves security.... The user is likely to choose new passwords that are only minor variations of the old."
That's what I used to do. I was really into duck hunting and had a calendar on my desk that had a different duck each month. Guess what I used for the password? That duck of the month, along with the day of the month with the numbers transposed, and the first 3 letters of that day. So, for example, March 18th I change my password and it's a Pintail duck on the calendar; the password would be Pintail81Mon. If I was required to use a symbol, one of those characters across the top of the keyboard, I'd correlate the month by number to the keyboard character by number. In this case, March is the 3rd month of the year and the symbol on the keyboard for the number 3 is #. I'd add the character after the duck name, so now the password is Pintail#81Mon. Easy peasy, I could always decipher my own password if I forgot.
 
Not sure a password needs to be all that complicated. I think I read at one time that 8 characters using numbers, letters (with some caps) and a symbol or two and it’s very strong. The thing is, does anyone actually sit there and try to guess passwords? Don’t most applications, especially in the financial realm cut you off after a few tries? It seems like the most likely way they gain a password is via a compromised/hacked situation. I would think the biggest vulnerability beyond that is using the same password in more than one location.
 
The thing is, does anyone actually sit there and try to guess passwords?
Mostly no. But there are apps for that FYI. Do you really think professional hackers just sit around and try to randomly guess passwords?

Don’t most applications, especially in the financial realm cut you off after a few tries?
You would think, but no. Some do, but far from most.
 
Mostly no. But there are apps for that FYI. Do you really think professional hackers just sit around and try to randomly guess passwords?


You would think, but no. Some do, but far from most.
No, I don’t think anyone is sitting around trying to guess passwords, that was my point. I don’t even think an application does that. As I said, a reasonably strong password has little to no chance of being guessed, broken, whatever you want to call it.

What they are doing is everything possible to hack into systems that store passwords and get your password that way. The point, consistent with the thread topic, is that changing a password is not very effective unless the system has been compromised. Further, ensuring that the same user name/email address and password combination is not used anywhere else is a very important safeguard.
 
One "standard" practice that annoys me that wasn't addressed in the new standards is paste-protected password fields. Here I am using a password vault and a 14-character randomly generated password, and they make me look it up and laboriously type it in. Pseudo-security.
 
One "standard" practice that annoys me that wasn't addressed in the new standards is paste-protected password fields. Here I am using a password vault and a 14-character randomly generated password, and they make me look it up and laboriously type it in. Pseudo-security.
Yes this used to bug me too.

Depending upon the site, you can change the html code as it's on your computer so that you can paste in.

Treasury had that feature, but a snippet of code saved as reload of the web page would make it pasteable.
 
No, I don’t think anyone is sitting around trying to guess passwords, that was my point. I don’t even think an application does that.
Think again. They've been around for decades. Now how effective they are I can't say, but for systems which allow unlimited password attempts, I'd rather not find out...
 
One interesting article that analyzed billions of passwords that were exposed in hacks: https://cybernews.com/best-password-managers/most-common-passwords/

Here are the most commonly used passwords & phrases used in passwords by people around the world – collected by the Cybernews Investigation Team.

The top 10 most common passwords list in 2024:
123456
123456789
qwerty
password
12345
qwerty123
1q2w3e
12345678
111111
1234567890

In total, we were able to analyze 15,212,645,925 passwords, of which 2,217,015,490 were unique. We discovered some interesting things about the way that people create passwords: their favorite sports teams, cities, food, and even curse words. We could even deduce the probable age of the person by looking at which year they use in their password.

Hackers may not need to work too hard to find passwords, enough people are still making mistakes that make it relatively easy :).
 
Something I noticed lately is that when Windows 11 updates, it somehow wipes out the knowledge that my particular laptop once successfully logged onto sites requiring password/user name. When this happens, that site requires confirmation with a code sent to my phone or email. The same would happen to anyone who gained access to my username and password since their computer would have never gained access prior to that instance and I would get an email or message request with a number to enter or a PIN to supply in order to complete the login. I'd say it's sort of a forced 2nd verification until the computer itself has been vetted. With that in place, it is impossible to hack anyone's password/user pair since they likely wouldn't have that 2nd verification availability.
 
Changing passwords is not going to make you less secure. Always use a generated random password (letters, numbers, specials) of max allowed length, a 24 character minimum.
 
24 chars is excessive, but if it makes one feel more secure, have at it. Better to err to that side than less so.
 
24 chars is excessive, but if it makes one feel more secure, have at it. Better to err to that side than less so.
24 character passwords are easy to use, if you are using a password manager. But the one time you have to type that password in on a TV screen using the TV remote control, OMG! :ROFLMAO: (I realize a lot of TV apps give you other ways to authenticate, but I do remember having to 'type' in passwords for some things).
 
A password doesn't have to be all that long, but complexity is your friend.

[image attachment: crack.jpg, a chart of estimated time to crack passwords by length and character set]
 
A password doesn't have to be all that long, but complexity is your friend.
I wonder what that chart looked like 10 years ago. I’d guess what takes 4 seconds today took 5 or 10 years a decade ago.
 
I suspect you're right. I'll bet that info security folks have nightmares about this when considering the potential of quantum computing.
 
I suspect you're right. I'll bet that info security folks have nightmares about this when considering the potential of quantum computing.
I wonder if an AI engine can be trained to guess passwords.
 
Not sure a password needs to be all that complicated. I think I read at one time that 8 characters using numbers, letters (with some caps) and a symbol or two and it’s very strong. The thing is, does anyone actually sit there and try to guess passwords? Don’t most applications, especially in the financial realm cut you off after a few tries? It seems like the most likely way they gain a password is via a compromised/hacked situation. I would think the biggest vulnerability beyond that is using the same password in more than one location.
8 characters is like leaving the house key under the door mat. It isn't that someone will bang away at your account at the website; it is when they get a dump of passwords and run known passwords, or start sequentially going through possible passwords offline using GPUs, making millions if not billions of guesses per second. When they get a match, they have it. Using multiple GPUs just speeds up the process. For financial sites it can be worth the trouble. Longer is better, using random characters is better, never use words in any dictionary of any language; the harder you make it, the safer you are, and that is why a password safe is a good idea, because typing it is a PITA and remembering it is impossible. I have dozens of userids with their passwords and security question answers in a safe, and many password safes will autofill the userid and password, so it is easy for you vs typing it out.
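The post above describes offline cracking of a leaked hash dump, and an earlier post described a "duck of the month" scheme (Pintail#81Mon) that NCSC would call a minor variation on a base word. The following is an added example, not code from any post in this thread: a toy offline cracker in Python that runs a small wordlist through mangling rules (the kind of rules and masks tools like hashcat apply), against a constructed dump of unsalted SHA-256 hashes. The usernames, plaintexts, wordlist and the 10^10 guesses/second rate are all assumptions made for the illustration. Pattern-derived passwords fall in a few thousand guesses; the random 24-character password is never found, and the keyspace helper shows why.

```python
import hashlib
import itertools


def sha256_hex(pw: str) -> str:
    """Unsalted SHA-256, standing in for a fast hash an attacker can brute-force offline."""
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed breach dump (username -> hash). The plaintexts exist only to build it;
# the cracker below never looks at them, only at the hashes.
_PLAINTEXTS = {
    "alice": "password",                      # top-10 list entry
    "bob": "Pintail#81Mon",                   # the duck-of-the-month scheme
    "carol": "Summer2024!",                   # word + year + symbol
    "dave": "R7v$kq2Lp9!wXe4zTb8YmC3n",       # 24 random chars from a manager
}
DUMP = {user: sha256_hex(pw) for user, pw in _PLAINTEXTS.items()}

# Assumed attacker wordlist: common passwords plus a few hobby words about the victim.
WORDLIST = ["password", "123456", "qwerty", "summer", "winter", "pintail", "mallard", "teal"]

SHIFT_SYMBOLS = ")!@#$%^&*("   # Shift+0..9 on a US keyboard
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def candidates(word: str):
    """Yield mangled variants of one base word, in the style of cracker rule files."""
    for w in (word, word.capitalize(), word.upper()):
        yield w
        yield w + "!"
        for year in range(1990, 2031):       # word + year, with and without a trailing symbol
            yield f"{w}{year}"
            yield f"{w}{year}!"
        for n in range(100):                 # word + two digits
            yield f"{w}{n:02d}"
    # Mask for the calendar scheme: Word + shift-row symbol + 2 digits + weekday.
    # 10 * 100 * 7 = 7000 guesses per word, i.e. trivial.
    for sym, n, day in itertools.product(SHIFT_SYMBOLS, range(100), DAYS):
        yield f"{word.capitalize()}{sym}{n:02d}{day}"


def crack(dump: dict, wordlist: list):
    """Return ({user: recovered_password}, guesses_made) for the hashes in dump."""
    targets = {h: user for user, h in dump.items()}   # hash -> user, for O(1) lookup
    found = {}
    guesses = 0
    for word in wordlist:
        for cand in candidates(word):
            guesses += 1
            h = sha256_hex(cand)
            if h in targets:
                found[targets.pop(h)] = cand
                if not targets:
                    return found, guesses
    return found, guesses


def seconds_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every password of this length and alphabet.

    1e10/s is an assumed GPU rate for a fast unsalted hash; a slow, salted hash
    (bcrypt, scrypt, Argon2) cuts the rate by many orders of magnitude.
    """
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    found, guesses = crack(DUMP, WORDLIST)
    print(f"{guesses} guesses, recovered: {found}")
    print(f"8 chars, 95-symbol alphabet: {seconds_to_exhaust(8, 95) / 86400:.1f} days")
    print(f"24 chars, 95-symbol alphabet: {seconds_to_exhaust(24, 95):.2e} seconds")
```

Three of the four accounts fall in well under 100,000 guesses because their passwords are a dictionary word plus predictable decoration; dave's survives the whole run, and exhausting a 24-character space at the assumed rate takes on the order of 10^37 seconds. The 8-character figure (days, not seconds) differs from the chart in the thread only by hash speed and hardware assumptions; the ranking of lengths does not change.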
 
A password doesn't have to be all that long, but complexity is your friend.
I'm curious where that came from? Anyway, I think this is why double-authentication will eventually become the norm. Like you can guess my password to my bank all day long, but if you don't have my phone to get that code number, you'd need a literally one in a million lucky guess (you get three tries) to get in.
 
How do most members here keep their many passwords safe from hackers or the internet?
Do you keep a notebook or jump drive, etc.?
 