How often do you change your password?

Teg

Given that the internet is constantly under attack (so are devices and computers), how often do you change your passwords? Do you make them complex?
 
Frequent password changes are not a requirement for good security, at least in my opinion.


Reason (Rather technical):
Almost all websites will impose limits on the rate at which someone can guess your password, making it essentially impossible for someone to go through all the possibilities, unless your password is an extremely common one (such as potato). If an attacker gets ahold of the database, they can guess the password without any limitations, but if the attacker has the database, they can probably get into your account by bypassing the site's authentication anyways, so it doesn't really matter. Plus, if the site uses good encryption (Blowfish or PBKDF2 with a high iteration count), then it would take the attackers a very long time to guess the password anyway. If you add in a good Intrusion Detection System, then the site will be able to notify members whenever their database gets hacked, meaning that everyone has an opportunity to change their password before it could possibly be decrypted.

The only real benefit behind a forced password change policy is that it effectively prevents employees from using the same password as on other sites, because after a few changes, all of the employee's passwords that they use on other sites will be used up and he/she will have to come up with a new one. This may be a good idea for a company, but not really for anyone else in my opinion.


Generally speaking: if you use a password manager with two factor authentication required to log into the password manager, you're golden.
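
The comparison made in the post above (guessing through a rate-limited login form versus guessing against a stolen database protected by PBKDF2), worked through as an added example that is not part of the original thread. The limit of 5 attempts per minute, the 10,000-entry wordlist size, the iteration counts and all function names are assumptions.

```python
import hashlib
import os
import time

SECONDS_PER_YEAR = 365 * 24 * 3600

def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256; cost grows linearly with the iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measured cost of one guess on one core of this machine.
    Dedicated cracking hardware is faster, so treat the result as an upper bound."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive(f"guess-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly this length."""
    return alphabet_size ** length

def years_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    return candidates / guesses_per_second / SECONDS_PER_YEAR

def compare(candidates: int, iterations: int, online_per_minute: float = 5) -> dict:
    """Years to try every candidate: rate-limited login form vs. stolen database."""
    return {
        "online_years": years_to_exhaust(candidates, online_per_minute / 60),
        "offline_years": years_to_exhaust(candidates, 1 / seconds_per_guess(iterations)),
    }

if __name__ == "__main__":
    # Constructed cases: a common-password list, a short password, a long random one.
    cases = (
        ("10k wordlist", 10_000),
        ("8 lowercase", keyspace(26, 8)),
        ("12 of 94 chars", keyspace(94, 12)),
    )
    for label, candidates in cases:
        for iterations in (1_000, 600_000):
            r = compare(candidates, iterations)
            print(f"{label:15} iter={iterations:>7}  "
                  f"online={r['online_years']:.3g}y  offline={r['offline_years']:.3g}y")
```

The wordlist row shows why a common password falls even behind a rate limit, and the two iteration counts show how much the work factor stretches the offline estimate.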
 
I generally try to change my passwords monthly. As Matt said, as long as you don't have an easy to guess password, or just 2-factor authentication, you'll be fine.
 
I often use complex passwords on my accounts (containing symbols/numbers for example), so I rarely change them. It just causes confusion, unless you're good at remembering. I think I'll manage fine, and it'll be good enough to keep the hackers at bay. 😛
 
I change my passwords regularly, in a couple of months at the earliest. They help me to secure my accounts from any unwanted logins and attempts.
 
I change my passwords every three months, usually. I programmed a password safe, so that I can just update everything.
 
I'd say once a year or so, unless I've heard of a leak/breach. I use a strong password for every site I am on so frequent changes aren't needed.
 
I generally change my passwords every 90 days or so. My passwords are complex to the point that I need a password manager to remember them all. I also use 2-factor authentication when available. That being said, if I believe that an account has been compromised I also change its password.
 
I always use complex passwords, so I don't change them as often as I should. When there is a threat on any website I am on, I go and change ALL of my passwords just to be safe, though.
 