It has been going around for a while now that regularly changing your password might not improve security and could actually harm it. CESG has been recommending for the past year that organisations do not force a regular password expiry.
Think of it like this: people usually complain when they are asked to come up with a secure password, one that has letters, numbers and special characters. They complain because they need to remember it!
The real challenge is not coming up with one, e.g. 0utovt!m3, but remembering it and using it for only one of those accounts we are forced to use daily at work, because you do know you are not supposed to use the same password in multiple places, right? And you should definitely not use your home password for one of your work accounts.
Whenever people are asked to create a password they usually opt for something that is easy to remember. So it follows that when they need to change that password regularly, they either make a slight adjustment to it or reuse the same pattern. This, in itself, is a risk: if your initial password was stolen or cracked, your next one will be an easy target as well.
But let's say that the particular programme or software does not allow the slightly adjusted new password, because it is built to reject a string too similar to the old one, e.g. initial password Password! and new password Passw0rd!. Forced by the circumstances, you might then come up with the more complicated example from above. But we can all agree that it is not as easy to remember as the other one.
So what are we tempted to do in this case? We write it down (at least once). And what else do we do? We don't keep that bit of sensitive information in a safe place, because we tend to think: 'Why would anyone want to know my password? It's not like I have the secrets of the known universe on my computer.' Sometimes we even write it on a post-it and stick it to our monitors, with a bit of scotch tape to make sure it stays put. Because, let's face it, it's easier to just lower your eyes and type in what's written there. With time you will memorize it, but by then it could be too late.
So, instead of asking your team every 1, 3 or 6 months to create or change their passwords (which seem strong just because they meet the basic complexity criteria but are actually weak, like Passw0rd!), you can teach them that a longer one (e.g. 17 characters instead of the standard 8 or 9) is actually safer.
Also tell them they can use spaces in their passwords.
The sentence 'The fox jumped over the fence.' is a perfectly secure password. And then tell them they only have to change their password once a year, or not at all, and you'll see some happy faces :)
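As an added illustration (not the author's code), here is a small Python password-change check that rejects the kind of slight adjustment described above (Password! to Passw0rd!) by undoing common character substitutions before comparing, while accepting a long passphrase with spaces. The substitution table, the 0.8 similarity threshold and the 17-character minimum are assumptions chosen for this example, not values from the post.

```python
from difflib import SequenceMatcher

# Constructed table of the usual cosmetic swaps people make when "tweaking" a
# password (0 for o, 3 for e, ! for i, ...). Not exhaustive; an assumption
# for this example.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Lower-case, undo leet substitutions, then drop anything that is not a
    letter or digit, so Password! and Passw0rd! compare as the same string."""
    translated = pw.lower().translate(LEET)
    return "".join(ch for ch in translated if ch.isalnum())


def too_similar(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when the new password is only a slight adjustment of the old one:
    identical after normalization, one contains the other, or the two share
    most of their characters in order."""
    a, b = normalize(old), normalize(new)
    if not a or not b:
        return False
    if a == b or a in b or b in a:
        return True
    return SequenceMatcher(None, a, b).ratio() >= threshold


def check_new_password(old: str, new: str, min_length: int = 17) -> list[str]:
    """Length-first policy: a long passphrase (spaces allowed) passes; a short
    or recycled password comes back with the reasons it was rejected."""
    problems = []
    if len(new) < min_length:
        problems.append(f"too short: {len(new)} < {min_length} characters")
    if too_similar(old, new):
        problems.append("too similar to the previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs taken from the examples discussed above.
    for candidate in ("Passw0rd!", "0utovt!m3", "The fox jumped over the fence."):
        print(repr(candidate), check_new_password("Password!", candidate) or "accepted")
```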