I think they removed the requirement to change passwords many years ago.
Everyone needs some sort of password manager. However, passwords need to be removed. Using an email would be better. Until your email system gets hacked.
5 Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
6 Verifiers and CSPs SHALL NOT require subscribers to change passwords periodically. However, verifiers SHALL force a change if there is evidence that the authenticator has been compromised.
> I think they removed the requirement to change passwords many years ago.
I once had a provider, not that long ago, send me an unencrypted verification email with "Your Login:xxxxxxx Your New Password:yyyyyy". Note: it wasn't a temporary password -- it was the one I had just created and changed it to on the site itself.
> I once had a provider, not that long ago, send me an unencrypted verification email with "Your Login:xxxxxxx Your New Password:yyyyyy". [...]
The only thing that should know your password is you or your password manager. It should not be stored by the other end. They should put the password through a complex one-way encryption formula and store the result.
> 5 and 6
It does not say when the quoted paragraphs were inserted into the guidelines.
Verifiers SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHALL NOT require users to periodically change memorized secrets. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
> I3QQa&1365_w77
Damn! That's the combination on my luggage!
> I used to log into one system that was so nasty you had to include at least two characters that weren't on the keyboard (i.e. you'd have to 'compose' them by using key combinations, or the Alt + (hex number) method).
The best password rules should say the password must be long and not certain combinations of letters. Any other rule will weaken the passwords.
> The best password rules should say the password must be long and not certain combinations of letters. Any other rule will weaken the passwords.
Blacklists for small sections of obvious passwords are still best practice, and indeed mandated in the NIST documentation I linked to.
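As an added illustration of the NIST rules quoted in this thread (example code written for this page, not from any poster or from NIST): a verifier that enforces only a length floor and a blocklist, beside the composition-rule checker the guidance says not to impose. The blocklist here is a constructed sample, and the 8-character minimum is the floor SP 800-63B sets for user-chosen passwords.

```python
import re
from typing import Tuple

# Constructed sample blocklist (assumption); a real verifier loads a large list
# of breached and commonly used passwords, which is what the NIST text mandates.
BLOCKLIST = {"password", "qwerty", "letmein", "iloveyou", "123456", "abc123"}

MIN_LENGTH = 8  # SP 800-63B minimum length for a user-chosen password

# Common substitutions folded before the lookup, so "Pa$$w0rd" still hits "password".
_LEET = str.maketrans({"$": "s", "0": "o", "3": "e", "@": "a"})


def blocklisted(pw: str) -> bool:
    """True if the password, or an obvious variant of it, is on the blocklist."""
    lowered = pw.lower()
    folded = lowered.translate(_LEET)
    stripped = re.sub(r"[\d\W_]+$", "", folded)  # drop a trailing "1" or "!"
    return any(form in BLOCKLIST for form in (lowered, folded, stripped) if form)


def nist_check(pw: str) -> Tuple[bool, str]:
    """What rules 5 and 6 leave a verifier with: a length floor and a blocklist."""
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if blocklisted(pw):
        return False, "commonly used or compromised"
    return True, "ok"


def composition_check(pw: str) -> Tuple[bool, str]:
    """The 'upper + lower + digit + symbol' rule that rule 5 says SHALL NOT be imposed."""
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(c, pw) for c in classes):
        return False, "missing a character class"
    return True, "ok"


if __name__ == "__main__":
    # The composition rule accepts a dictionary word with decoration and rejects
    # a long passphrase; the NIST-style check does the opposite.
    for candidate in ("Pa$$word1", "correct horse battery staple"):
        print(f"{candidate!r}: composition={composition_check(candidate)} "
              f"nist={nist_check(candidate)}")
```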
Here is a maths question for you all. If I use a password that is a random 10 characters using any valid character on the keyboard, how much longer must your password be if you only want to use lower case letters (a-z) and want it to be even stronger than mine? The answer is not many.
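A worked answer to the question above, as an added example (not the poster's own): it assumes "any valid character on the keyboard" means the 95 printable ASCII characters, compares the two search spaces with exact integer arithmetic, and so answers the same question for any starting length, not just 10.

```python
import math

PRINTABLE_ASCII = 95  # assumption: "any valid character on the keyboard" = printable ASCII
LOWERCASE = 26        # a-z only


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def length_to_beat(mixed_length: int, mixed_alphabet: int = PRINTABLE_ASCII,
                   target_alphabet: int = LOWERCASE) -> int:
    """Smallest length over `target_alphabet` whose search space is strictly
    larger than mixed_alphabet ** mixed_length ("even stronger", not equal).
    Uses exact integers so no floating-point rounding decides the boundary."""
    search_space = mixed_alphabet ** mixed_length
    n = 1
    while target_alphabet ** n <= search_space:
        n += 1
    return n


def extra_characters(mixed_length: int) -> int:
    """How many more lowercase letters you need than random keyboard characters."""
    return length_to_beat(mixed_length) - mixed_length


if __name__ == "__main__":
    for n in (10, 16, 24):
        print(f"{n} random keyboard chars = {entropy_bits(PRINTABLE_ASCII, n):.1f} bits; "
              f"need {length_to_beat(n)} lowercase letters (+{extra_characters(n)})")
```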
> 5 and 6
We've tried showing this to the Nevada Gaming Control Board since NIST put it in, but no go. We enforce 16 character minimum passwords, but everyone has to change every 60 days because the GCB mandates it.
> My workplace requires us to change passwords every 90 days. [...]
Likewise, but at least I can force password changes to keep mine aligned.
> My workplace requires us to change passwords every 90 days. [...]
Do we work at the same company?
Changing passwords regularly just makes sense. You don't often know when your system gets breached till much later, and your passwords have been 'out there' for a while already. A regular changing makes the breach obsolete unless they acted fast on you personally and took over your account.
I have an elderly/un-computer savvy customer that uses a yahoo account to contact me. She has some kind of password like 'password', and her account is regularly nabbed and some ridiculous spam sent out on mass mailings. She then changes her password to 'pa$$word' and we go through the same thing again in a few months. She doesn't have her banking online or they would have likely cleaned her out years ago.
As an I.T. guy, I respectfully disagree. In your description it makes sense, but the peripherals of repeatedly changing your password are what cause problems.
Most passwords are stolen because the user outright gives them to the person who is doing the harvesting; a hacker acquiring an encrypted database from an intrusion would take months, years, maybe longer to break through that encryption, depending on how it was encrypted. Asking your computer-stupid customer for their password because their "nephew is in jail" takes about 10 minutes and allows one to avoid thousands and thousands of dollars required for the processing power to break encryption on a database. It's always easier to hack the person rather than the tech.
Forcing people to constantly change their password generally results in people writing their new passwords down, putting them in a notepad-style app on their phone, or just getting frustrated at having to change them so much that they make them as easy as possible.
The best way to protect yourself is to get a good, secure password, use a solid password vault (like Bitwarden), and make sure 2FA is turned on at every. single. opportunity. 2FA will protect you millions and millions of times more than changing your password. I don't care what you change it to.
> As an I.T. guy, I respectfully disagree. [...]
Where I had my first job was a classic case in point. Complex rules for composition, no number in the same location as the previous x passwords. No letter being the same as the previous x passwords. Alphanumeric and changing every 3 months.
> As an I.T. guy, I respectfully disagree. [...]
Good point about two step verification. I use that for banking and all, but for mundanities like email and Amazon one-click buying, I'm overly exposed.
My workplace requires us to change passwords every 90 days. That wouldn't be a problem in itself, but unfortunately the various applications and systems that are supposed to sync up with password changes...don't. Sometimes I go weeks with two passwords and having to try both with everything.
I'm sure I've shared this before but it keeps happening: I'll set up a good password for some account of my mom's, I'll write it down in her little book of passwords I got her, then even when she's got the book in front of her she'll enter it wrong. I tried using conventions: always starting with a three-digit number, always ending in an exclamation mark... but then she'd assume the exclamation mark was just written down for emphasis and not part of the password itself. And she cannot grasp that capitalization always matters in passwords and never matters in email addresses. And more often than not she has multiple scraps of paper and index cards with passwords as well as the little book, and none of them dated, so you don't know which is the current one. Or she'll write the password down absolutely correctly... but not what it's the password to.
It's easier to reset her password than to divine what the current one is. Which means fun with her phone for authentication... her phone's passcode isn't her anniversary, but the date she met my father. Great password there because it's something that's written down nowhere on earth. Information only existing in her own head. I have no idea when she met my dad; they dated for at least a couple of years before they got married!
> I'm sure I've shared this before but it keeps happening: [...]
Could you recommend a password manager like Dashlane to her? Then in theory she only needs to remember one password.
> Pretty rarely, I figure that with all the keys on my keyboard, 1234 must be pretty hard to guess.
Were it that simple anymore. To create an account to log in and, say, pay my water bill, there is a cryptic chain of requirements that would make Ethan Hunt furrow his brow. In addition to the usual stuff (at least one capital letter, one specialty character, one number, etc), you can't start or end with a number, must incorporate three unique hieroglyphics, and every three months the bastards suddenly demand you make a new password, using none of the characters mankind has ever used before since we crawled out of the oceans.
> Could you recommend a password manager like Dashlane to her? Then in theory she only needs to remember one password.
I do know of one guy who apparently got overseen entering that password manager password (or somehow hacked), because someone got ahold of it and wreaked holy hell.
> Could you recommend a password manager like Dashlane to her? Then in theory she only needs to remember one password.
Remembering passwords isn't the problem.
> That's why you add 2FA to get into your password manager!
Since you brought this to my attention, I've been adding my cell to accounts that I had been neglecting for quicker access. Good advice man, thanks. We all need a prompt for doing the smart thing sometimes.
> Absolutely, any time. One reminder too though is whenever you get a new phone to make sure you transfer your authenticator over because it sucks donkey wang to set them all up again!
Oooooo, thanks for that. Didn't even occur to me. I run through phones a lot (breaking on jobs) and I do recall the endless re-establishing. Didn't even realize I could transfer the authenticator.
I constantly switch my passwords back and forth between "password" and "12345." There's no way the hackers could ever keep up.