embedded software boot camp

Password Protocol

Thursday, July 12th, 2012 by Mike Ficco

It seems there was recently a security breach at Yahoo that exposed more than 400,000 login credentials. When this is reported, it seems to always be accompanied by advice on making high-quality passwords.

Well, I have a password question that challenges conventional password wisdom. I know some of the readers of this site are experts in this sort of thing, so hopefully someone will answer my question.

Not using passwords that contain your dog’s name or the names of your kids or wife I understand.

Not using the word “password” or “pa$$word” in the password I understand.

I even understand not using ncc1701, klaatu, or clownq.

Yep, I get all that… but what I don’t get is the recommendation to change the password regularly. Here is the way I see this. You have a really good password that nobody has been able to hack, and then you change it, and change it again. Effectively, you are saying, “OK, you failed to hack that one, now try this one”. Eventually you will produce a password that somebody will hack. Indeed, by using multiple passwords you are saying – here, guess ANY of these.

One argument is that if you change your password regularly, say every 30 days, that limits the amount of damage that can be done. Ummm, bull****. A bad guy who has a password can do all the damage that needs to be done in less than an hour.

So, experts, why are we supposed to regularly change our passwords?


8 Responses to “Password Protocol”

  1. Jeff gros says:

    Hi Mike,

    The idea of changing your password regularly has advantages and disadvantages, which depend on the situation in which it is applied.

    Would I change my bank password regularly? Probably not. As you say, the culprits can drain my accounts quickly enough. Of course, they would have to “man in the middle attack” my two-factor authentication to do so.

    However, what about resources more related to information? Let’s say that you happen to work in a sensitive industry (government/military/etc.). Let’s also assume that your user credentials are somehow compromised. If you never change your password, then the attacker has access to your files forever. If you change it every month, then they only have access for one month. After that, they have to attempt to gain access again.

    Of course, this argument only holds if you don’t make the “dumb passwords” you listed above (such as pa$$word, etc), which will show up in any common attack dictionary. For this approach to work, you need strong passwords in which your attacker would need a brute force attack (or a lot of luck) to get in.

    I wouldn’t call myself an expert, so take this all with a grain of salt. Most of my knowledge comes from casual listening to Steve Gibson’s “Security Now” podcast (not that my comments here are necessarily his opinion of course). If you aren’t a listener, give it a try! I heartily recommend it. I listen every week!

  2. Bob Price says:

    Bruce Schneier recommends using a product such as Keypass and using passwords that are randomly generated from the greatest variety of characters permitted by each site as well as the greatest length permitted. Read his blog (search his archives for the specific articles) for more and better details.


    • Jon says:

      So what about this?


      Thoughts? Maybe I don’t understand info theory…

      • Jeff Gros says:

        This comic was presumably inspired by Steve Gibson’s idea of a password haystack (https://www.grc.com/haystack.htm). Steve found that the idea was correct, but the math was a bit off. See this link for details (http://www.grc.com/sn/sn-313.htm).

        The idea is that assuming you choose a password which wouldn’t be found easily using a dictionary attack, then the attacker must use a brute force approach. In this case, after exhausting the dictionary, the attacker would likely start with all character combinations from lowest length to highest length.

        There are then two key factors for increasing password strength.

        First is the character set. A character set of numbers only (0-9) is easier to crack than alphanumeric plus special characters (dollar sign, etc.).

        Second is the password length. The longer the password is, the less likely the attacker is to guess it, assuming they start from shortest to longest. So would the attacker choose to guess from shortest to longest? If the password is hashed, then yes. If the password is hashed, then there is no length restriction on the password, so it makes most sense to start from a known boundary.

        So if character set and length are the most important factors, then Steve Gibson argues, why not just create a password which is really long, but easy to remember? You could use anything ranging from song lyrics, to lines from a poem. Of course, these could show up in a dictionary too, so you should use some caution here. Steve Gibson also recommends adding some extra characters onto your password to help avoid this possibility, sort of like adding salt to a hash.

        The comic you reference is a prime example of something that is easy to remember but doesn’t even make a sentence when the words are combined.

    • Jeff Gros says:

      Yes, good point. Password managers are a great way of managing online passwords.

      I couldn’t find “Keypass”. Are you sure you didn’t mean “Keepass” (http://en.wikipedia.org/wiki/Keypass)? Keepass is nice because it is a free open source solution, so presumably some security researchers have looked at the source to ensure the crypto was implemented correctly. However, it doesn’t seem to support two factor authentication? I won’t do anything online without two factor authentication these days…

      I (and Steve Gibson) use Lastpass because it allows integration with cloud-based two-factor authenticators such as the YubiKey (http://www.yubico.com/yubikey). Lastpass is not free, however, and has a yearly subscription. However, I do like the features.
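The character-set and length argument in Jeff Gros's reply above, worked through as an added example (my code, not from the post or from GRC's haystack page): a shortest-to-longest brute-force model with a dictionary pass first, so a memorable phrase that sits in a wordlist falls early no matter how long it is. The wordlist, the sample passwords and the guess rates are constructed assumptions.

```python
import string

# Constructed mini wordlist standing in for an attacker's dictionary (illustration only;
# a real list has millions of entries).
WORDLIST = ["password", "pa$$word", "ncc1701", "klaatu", "clownq", "P@ssw0rd"]
# Assumed guess rates in guesses per second; illustrative figures, not measurements.
OFFLINE_RATE = 1e10   # leaked, unsalted fast hash attacked on a GPU rig
ONLINE_RATE = 1e3     # throttled guessing against a live login form

SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(password):
    """Size of the union of the standard character classes the password draws from."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation + " ", 33)]
    return sum(n for chars, n in classes if any(c in chars for c in password))


def brute_force_guesses(password):
    """Guesses to exhaust every length from 1 up to len(password) over that charset,
    i.e. the shortest-to-longest search order described in the reply."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def guesses_to_crack(password, wordlist=WORDLIST):
    """Dictionary first, then brute force: a phrase that is in the wordlist falls at its
    position in the list however long it is, which is the reply's caveat."""
    if password in wordlist:
        return wordlist.index(password) + 1
    return len(wordlist) + brute_force_guesses(password)


def years_to_crack(password, rate=OFFLINE_RATE):
    """Worst-case time, in years, for an attacker guessing at `rate` guesses per second."""
    return guesses_to_crack(password) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample passwords: short-and-complex versus long-and-simple.
    for pw in ["pa$$word", "P@ssw0rd", "Tr0ub4d&3", "correct horse battery staple"]:
        print(f"{pw!r:32} charset={charset_size(pw):3} "
              f"offline={years_to_crack(pw):.3g}y online={years_to_crack(pw, ONLINE_RATE):.3g}y")
```

The long lowercase phrase wins on the brute-force model even with a smaller character set, but the moment it appears in the wordlist it is the cheapest guess of all.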


  3. Apisak S. says:

    Hi Mike,

    There is a password hacking technique called a brute force attack. The time until your password gets hacked is a matter of time and of the capability of the hacker’s machine.
    Let’s say my machine has very good performance: a strong password takes 1 year until it is hacked, while a weak password takes 5 minutes.

    Once you think your password is strong, you may never change your password. Then if I start hacking you today, I would finally be able to hack you by July 20, 2013.

    The policy forcing people to change passwords is there to make sure that no one gets hacked this way.

    Best Regards,
    Apisak S.

  4. GroovyD says:

    You guys are all nuts… passwords get hacked when someone gets ahold of the user database for a site using some bad-programming-practice bug like SQL injection. It doesn’t matter what your password is; it is equally likely to be hacked in your lifetime as anyone else’s.

    • Apisak S. says:

      Yes, it’s true.

      On the other hand, a company may spend millions on security audits, security assessments and implementing a strong system. Unfortunately, they were hacked by someone with authority to access the resource, with legitimate access rights obtained through a hacked password.
      The reason is that a strong system will readily let authorized users access as much as they are entitled to.

      If we’re in the same boat, there are many leaks that need to be fixed.
      It’s not easy to get everyone on the same page, so a policy is implemented to force someone to do something. :)
