
How often do you change passwords?

bigred (Penultimate Amazing; joined Jan 19, 2005; 22,649 messages; USA):
Just curious. I don't change them for things like message boards at all really, but try to remember to change the key ones like bank etc every so often.
 
Only when a clueless provider forces me to, either due to outdated standards or because they were breached. I was using a home-grown encrypted password manager before they became a thing. I've always used strong passwords and never, ever used a password on more than one site. The idea that passwords should be changed regularly is a myth: NIST acknowledged back in 2017 that regular changes do not improve security, and formally removed that requirement last year.
 
I think they removed the requirement to change passwords many years ago.
Everyone needs some sort of password manager. However passwords need to be removed. Using an email would be better. Until your email system gets hacked.
 
> I think they removed the requirement to change passwords many years ago.
> Everyone needs some sort of password manager. However passwords need to be removed. Using an email would be better. Until your email system gets hacked.


5 and 6
> 5. Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
>
> 6. Verifiers and CSPs SHALL NOT require subscribers to change passwords periodically. However, verifiers SHALL force a change if there is evidence that the authenticator has been compromised.
 
Interesting....looks like I'm behind the times, thx (although truth be told, I didn't change them often).

PS: ChatGPT says change every 3-6 months. AI strikes again
 
> I think they removed the requirement to change passwords many years ago.
> Everyone needs some sort of password manager. However passwords need to be removed. Using an email would be better. Until your email system gets hacked.
I once had a provider, not that long ago, send me an unencrypted verification email with "Your Login:xxxxxxx Your New Password:yyyyyy". Note: it wasn't a temporary password -- it was the one I had just created and changed it to on the site itself.
 
Meaning they actually showed your login and password?? Yikes
 
> I once had a provider, not that long ago, send me an unencrypted verification email with "Your Login:xxxxxxx Your New Password:yyyyyy". Note: it wasn't a temporary password -- it was the one I had just created and changed it to on the site itself.
The only thing that should know your password is you or your password manager. It should not be stored by the other end. They should put the password through a complex one-way encryption formula and store the result.
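What the reply above describes, as an added example that is not code from the thread: the server keeps only a salted, one-way derived verifier and never the password, so there is nothing it could echo back in a "Your New Password:" email. The scrypt parameters and record layout are assumptions for illustration.

```python
import hashlib
import hmac
import os

# scrypt parameters are illustrative assumptions, not a recommendation from the
# thread; n=2**14, r=8, p=1 needs about 16 MiB of RAM per derivation.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _derive(password: str, salt: bytes) -> bytes:
    """One-way, salted, memory-hard derivation of the stored verifier."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def store(password: str) -> dict:
    """Build the record the server keeps. The password itself is not retained,
    so a verification email cannot contain it."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "verifier": _derive(password, salt).hex()}


def verify(record: dict, candidate: str) -> bool:
    """Re-derive from the candidate and compare in constant time."""
    expected = bytes.fromhex(record["verifier"])
    actual = _derive(candidate, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(actual, expected)


def record_reveals(record: dict, password: str) -> bool:
    """True if the stored record could be used to echo the password back."""
    return any(password == value for value in record.values())
```

Because each record gets a fresh random salt, two users with the same password get different verifiers, so a leaked table cannot be attacked with one precomputed list.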
 
> 5 and 6
It does not say when the quoted paragraphs were inserted into the guidelines.

Edit. https://web.archive.org/web/2022121....nist.gov/800-63-4/sp800-63b.html#passwordver This is from 18 December 2022
> Verifiers SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHALL NOT require users to periodically change memorized secrets. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
 
I never change my passwords unless I'm given a reason to and that isn't very often. There is a website that'll tell you about your email being in hacks though. It's haveibeenpwned or something similar. I used to check but I use 2 form authentication on everything that matters. Having my password is pretty useless nowadays. I can't think of anything worthwhile that someone could access without either having my phone, google auth, authy, or microsoft authenticator codes.
 
I still get some funny looks when I type in a PIN.

Everyone assumes a four digit PIN, because that's the least number of digits you can have.

Whereas I use the maximum number of digits. (Which varies by card, or application.)

:)

So a vendor hears a long string of beeps and thinks: "That's not gonna work."

And then it does.
 
I used to log into one system, that was so nasty, you had to include at least two characters that weren't on the keyboard.

(i.e. you'd have to 'compose' them by using key combinations, or the Alt + (hex number) method.)
 
> I used to log into one system, that was so nasty, you had to include at least two characters that weren't on the keyboard.
>
> (i.e. you'd have to 'compose' them by using key combinations, or the Alt + (hex number) method.)
The best password rules should say the password must be long and not certain combinations of letters. Any other rule will weaken the passwords.

Here is a maths question for you all. If I use a password that is a random 10 characters using any valid character on the keyboard, how much longer must your password be if you only want to use lower case letters (a-z) and it to be even stronger than mine? The answer is not many.
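The maths question above worked through, as an added example that is not from the post: guessing entropy in bits for a uniformly random password, the smallest lower-case-only length that beats a 10-character keyboard password, and (going one step beyond the post) why a composition rule can only shrink the password space. The alphabet sizes (95 printable keyboard characters, 26 lower-case letters) are assumptions.

```python
import math

# Constructed alphabet sizes (assumptions, not from the post): 95 printable
# ASCII characters typeable on a US keyboard, 26 lower-case letters.
KEYBOARD = 95
LOWER = 26


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def min_length_to_beat(target_bits: float, alphabet_size: int) -> int:
    """Smallest length whose entropy strictly exceeds target_bits."""
    n = math.ceil(target_bits / math.log2(alphabet_size))
    while entropy_bits(alphabet_size, n) <= target_bits:
        n += 1
    return n


def extra_lowercase_chars(keyboard_length: int = 10) -> int:
    """How many more lower-case-only characters beat a random keyboard password."""
    target = entropy_bits(KEYBOARD, keyboard_length)
    return min_length_to_beat(target, LOWER) - keyboard_length


def entropy_with_required_class(alphabet_size: int, class_size: int, length: int) -> float:
    """Entropy when a rule demands at least one character from a class of
    class_size symbols. The rule removes every password that avoids the class,
    so the space shrinks and entropy goes down, never up."""
    total = alphabet_size ** length
    avoiding = (alphabet_size - class_size) ** length
    return math.log2(total - avoiding)
```

Ten random keyboard characters carry about 65.7 bits; fourteen random lower-case letters carry about 65.8, so the answer to the question is four extra characters.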
 
> The best password rules should say the password must be long and not certain combinations of letters. Any other rule will weaken the passwords.
>
> Here is a maths question for you all. If I use a password that is a random 10 characters using any valid character on the keyboard, how much longer must your password be if you only want to use lower case letters (a-z) and it to be even stronger than mine? The answer is not many.
Blacklists for small sections of obvious passwords are still best practice, and indeed mandated in the NIST documentation I linked to.

But.
> Excessively large blocklists are of little incremental security benefit because the blocklist is used to defend against online attacks, which are already limited by the throttling requirements described in Sec. 3.2.2.
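The verifier side of the guidance quoted in this thread, as an added example that is neither the thread's nor NIST's code: reject only for length or a small blocklist, apply no composition rules and no expiry clock, throttle online guessing (which is what lets the blocklist stay small), and force a change when there is evidence of compromise. The minimum length, blocklist contents, throttle limits and the SHA-1 key for the constructed breach corpus are all assumptions.

```python
import hashlib
import hmac
import os
import time

# Illustrative assumptions, not values from the thread or from NIST.
MIN_LENGTH = 8
BLOCKLIST = {"password", "123456", "qwerty", "letmein"}   # constructed, deliberately small
MAX_FAILURES, LOCK_SECONDS = 5, 900


def acceptable(password: str) -> tuple:
    """The only rejections the quoted guidance permits: length and blocklist.
    No character-class rules, no periodic-change requirement."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if password.lower() in BLOCKLIST:
        return False, "on blocklist"
    return True, "ok"


def _verifier(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def breach_key(password: str) -> str:
    """Lookup key for the constructed breach corpus (SHA-1 hex is an assumption)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def new_account(password: str) -> dict:
    ok, why = acceptable(password)
    if not ok:
        raise ValueError(why)
    salt = os.urandom(16)
    return {"salt": salt, "verifier": _verifier(password, salt), "failures": 0,
            "locked_until": 0.0, "must_change": False}


def login(acct: dict, candidate: str, breached=frozenset(), now=None) -> str:
    """Returns 'locked', 'bad', 'ok' or 'change-required'.
    Throttling caps online guessing, so the blocklist only needs the obvious entries."""
    now = time.time() if now is None else now
    if now < acct["locked_until"]:
        return "locked"
    if not hmac.compare_digest(_verifier(candidate, acct["salt"]), acct["verifier"]):
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked_until"] = now + LOCK_SECONDS
        return "bad"
    acct["failures"] = 0
    if breach_key(candidate) in breached:      # evidence of compromise
        acct["must_change"] = True             # SHALL force a change
    return "change-required" if acct["must_change"] else "ok"
```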
 
My workplace requires us to change passwords every 90 days. That wouldn't be a problem in itself, but unfortunately the various applications and systems that are supposed to sync up with password changes...don't. Sometimes I go weeks with two passwords and having to try both with everything.
 
> My workplace requires us to change passwords every 90 days. That wouldn't be a problem in itself, but unfortunately the various applications and systems that are supposed to sync up with password changes...don't. Sometimes I go weeks with two passwords and having to try both with everything.
Likewise, but at least I can force password changes to keep mine aligned
 