It seems there was recently a security breach at Yahoo that exposed more than 400,000 login credentials. When this is reported, it seems to always be accompanied by advice on making high quality passwords.
Well, I have a password question that challenges conventional password wisdom. I know some of the readers of this site are experts in this sort of thing, so hopefully someone will answer my question.
Not using passwords that contain your dog’s name or the names of your kids or wife I understand.
Not using the word “password” or “pa$$word” in the password I understand.
I even understand not using ncc1701, klaatu, or clownq.
Yep, I get all that… but what I don’t get is the recommendation to change the password regularly. Here is the way I see this. You have a really good password that nobody has been able to hack, and then you change it and change it again. Effectively, you are saying, “OK, you failed to hack that one, now try this one”. Eventually you will produce a password that somebody will hack. Indeed, by using multiple passwords you are saying – here, guess ANY of these.
One argument is that if you change your password regularly, say every 30 days, that limits the amount of damage that can be done. Ummm, bull****. A bad guy having a password can do all the damage that needs to be done in less than an hour.
So, experts, why are we supposed to regularly change our passwords?