by Paul Ducklin Until a few years ago, received wisdom for passwords included advice to change them all on a regular and frequent basis, just becaus
Until a few years ago, received wisdom for passwords included advice to change them all on a regular and frequent basis, just because you could.
The laudable idea was that this reduced the length of time you’d be exposed if your password were breached, and you’d therefore “obviously” be safer as a reult.
Ironically, this became known in the jargon as password rotation, which is exactly what it turned into, where users simply cycled through a list of passwords they’d used before.
Most apps checked that your new password wasn’t the same as the old one, but few went back very far, and users quickly learned how few different passwords they could get away with for each app or service.
Users also learned how tiny those differences could be and still count as changes rather than merely minor adjustments.
There was another serious problem with password rotation on a company network, namely that IT departments often imposed forced changes in a very predictable way, such as on the first Monday of each month.
And anything that introduces predictability into a process that’s supposed to be awash in randomness is asking for trouble.
Firstly, you’re as good as encouraging users to make changes in an algorithmic way to suite a doctrine rather than to address a genuine need – such as adding the digits of the current month to a core password that always stays the same.
Secondly, you’re crowding the vast majority of each month’s worth of “Oops, I forgot my password” helpdesk calls into a short and predictable period.
That means you’re giving social engineers – cybercrooks who are masters, basically speaking, at talking other people into doing insecure things – a believable pretext for calling up to provoke bogus password resets.
Recorded back in 2012, this podcast is still relevant in 2020.
Are password resets needed at all?
If you’ve listened to the podcast above, you’ll already know that we’re not suggesting that password changes are an irrelevancy.
By all means, change your passwords whenever you like if you want to – and if you use a password manager, it’s easy to do just that.
But the only time you should feel compelled to change a password is when there is a clear and obvious reason to do so, and that’s if you think – or, worse still, know – that it might have been compromised.
Fortunately, in many or most recent data breaches (though, sadly, not all) where authentication data gets stolen, the crooks don’t end up with your actual password along with your login name.
Passwords usually are – or certainly should be! – stored in a hashed form, where the hash can be used to verify that a supplied password is correct, but can’t be wrangled backwards to reveal what the password was.
As a result, most password exposures that arise from data breaches require that the crooks first crack your password by trying a long list of guesses until they find one that matches your password hash.
Simply put, the longer and more complex your password, the longer it will take for the crooks to crack it.
They try the most obvious passwords first, so
123456 will probably be the very first one they try for each user;
Pa55word! might be the 100,000th on their list; but they are unlikely to get round to trying
VFRHFMNOLR5LAIVGDOW5UZRT for days, or months, or even years.
In other words, if a service provider notifies you that your password hash was acquired by crooks, you’ll nevertheless remain safe if you change your password before the crooks get round to cracking it.
Even if the breach happened weeks or months ago, you’ve probably still in a good position to beat the crooks to it, assuming you chose wisely in the first place – and if you use a password manager, it’s easy to do just that.
How quick are we?
So, if we’re not changing our passwords every month “just in case” any more, how quick are we at changing them when there’s a clear and present reason?
Sadly, a paper that came out recently from Carnegie Mellon University in the US suggests that a worrying number of us aren’t quick at all.
The paper, entitled (How) Do People Change Their Passwords After a Breach?, says that the researchers:
…found that very few of their participants in an online study reported intentions to change passwords after being notified that their passwordswere compromised or reused, including because they believedin the “invincibility” of their passwords.
Admittedly, the significance of the findings in the paper is limited somewhat by the age of the data (it was collected in 2017 and 2018), by the small sample size of 63 breach victims from 249 participants, and by the fact that only users putting in passwords via Chrome or Firefox were monitored.
Nevertheless, the study found that 42 of the 63 participants (two-thirds) who were notified about a data breach didn’t change any of their passwords at all.
How good are we?
Disappointingly, even for the one-third who did change the relevant password, most took more than three months to get around to it, and many of those replaced their old passwords with weaker ones.
Even more intriguingly – though perhaps, with hindsight, not surprisingly – the researchers claim that those who did change passwords tended, on average, to pick a replacement that was more similar than before (measured by substring similarities) to all their other passwords.
In other words, if you aren’t using a password manager to generate truly random passwords for you, the research invites you to infer that your password choices will tend to influence each other, and thus that your passwords will become less varied over time.
That might not benefit the crooks very much, but it doesn’t exactly do you any entropy favours, either. (Entropy is the jargon word for how “disordered” your password is – where, in general, higher disorder means harder to guess.)
In short, humans really aren’t good at randomness – but then, they aren’t very good at reacting to data breach advice either, it seems.
What to do?
- Don’t delay, do it today. If there’s a valid reason to change one of your passwords, do it right away and keep ahead of the crooks.
- Don’t take shortcuts. Crooks will spot any tricks or patterns you use in order to make your passwords different yet similar enough to remember easily. If you have
u64b2vqtn5-fbfor Facebook and
u64b2vqtn5-twfor Twitter, the crooks will figure out the rest of your passwords with ease.
- Don’t think you’re invincible. The crooks probably won’t crack your password if it’s
6GHENBIZMX3TTUHJTPQZTEKM, but why take the risk that they might?
- Don’t use 2FA as an excuse. Don’t use 2FA as an excuse to choose a trivial password or to use the same one everywhere – it’s meant to be a second factor, not just a different sort of single factor.