Nothing is more annoying than being required to change your password on a very regular basis. This type of logic harkens back to the days when all of our user ID and password information was stored on UNIX systems in a plain-text file. Today, we have a better understanding of exactly how passwords can remain secure. It is now known that this old adage of continually changing our passwords tends to decrease the level of security, for a variety of reasons.
These reasons include:
- The Human Condition – When individuals are forced to make changes to their password, they tend to develop ineffective or lousy passwords that are based on how easy the word or phrase is to remember.
- The Predictability – Being forced to perform some security-related tasks on a predictable, regular basis every month or quarter provides the perfect gift to a hacker, attacker or cyber-criminal.
The Path of Least Resistance
Users are rarely intentionally lazy. However, most users will not give a second thought to adhering to the absolute minimum password standards. After all, why spend five or ten minutes constructing a password that they'll only get to keep for 30 days? The results are creations like p@ssw0rd01, then p@ssw0rd02. If someone cracks a password like "p@ssw0rd09" in the month of September, I'm pretty sure they'll have October's password too.
Hackers like Predictability
Predictability is known to be a gift to a cyber-criminal. They base their entire account hacking strategies around an understanding of human predictability. Hackers know that in time the user will grow tired of always having to change his or her password, and will fall back on the simplicity of some kind of pattern. Also, the more passwords a user has to create, the more likely they are to use words they shouldn't, like "dragon", "12345", or "michael". Malicious users will also learn how long their window to act on stolen credentials is, if they can figure out when those credentials were last changed.
Solutions
When it comes down to it, there doesn't seem to be a "perfect" solution here. We usually recommend a middle ground for most average security-level passwords. Allow the users to keep their passwords longer, but require a much higher standard for them. Instead of having a six- or eight-character minimum password that must be changed monthly, perhaps give them 90 days, but require an extra four characters in exchange.
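The two controls this section and "The Path of Least Resistance" argue for can be enforced at the point where a new password is set: a higher minimum length paired with a 90-day maximum age, and a rejection of new passwords that are merely the old one with a bumped counter or a leet-speak respelling (p@ssw0rd01 to p@ssw0rd02). The following is an added illustration, not code from the original post; the 12-character minimum (8 plus the "extra four characters"), the edit-distance threshold, the short common-password list and the leet mapping are all assumptions chosen for the example.

```python
"""Password-change policy check (added example; thresholds are assumptions).

Rejects short passwords, common words and their leet/counter variants, and
any new password that is a trivial rotation of the previous one.
"""
import re
from datetime import date, timedelta
from typing import List, Optional

MIN_LENGTH = 12          # assumption: 8 + "an extra four characters"
MAX_AGE_DAYS = 90        # the post's suggested maximum age
MIN_EDIT_DISTANCE = 4    # assumption: minimum edits between old and new

# Constructed toy list; a real deployment would use a breach-derived corpus.
COMMON = {"password", "dragon", "12345", "michael", "qwerty"}

# Common leet substitutions, undone so "p@ssw0rd" and "password" compare equal.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                       "4": "a", "!": "i", "5": "s", "7": "t"})


def stem(pw: str) -> str:
    """Lower-case, strip a trailing counter/symbol run, and undo leet spelling."""
    no_counter = re.sub(r"[\d!@#$%^&*.]+$", "", pw)   # "p@ssw0rd01" -> "p@ssw0rd"
    return no_counter.lower().translate(_LEET)         # -> "password"


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_new_password(new: str, old: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if new.lower() in COMMON or stem(new) in COMMON:
        problems.append("common password, or a leet/counter variant of one")
    if old is not None:
        if stem(new) == stem(old):
            problems.append("previous password with only case, leet or a trailing counter changed")
        elif levenshtein(new.lower(), old.lower()) < MIN_EDIT_DISTANCE:
            problems.append(f"fewer than {MIN_EDIT_DISTANCE} edits away from previous password")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """True once the password is MAX_AGE_DAYS old (the longer lifetime the post trades for length)."""
    return today - last_changed >= timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample changes: the monthly-rotation pattern from the post,
    # a leet-spelled dictionary word, and a long passphrase that passes.
    for new, old in [("p@ssw0rd02", "p@ssw0rd01"),
                     ("Dr4gon!!2013", None),
                     ("Correct-Horse-Battery-Staple", "p@ssw0rd09")]:
        verdict = check_new_password(new, old)
        print(f"{new!r}: {'accepted' if not verdict else '; '.join(verdict)}")
    print("expired after 90 days:", password_expired(date(2013, 1, 1), date(2013, 4, 1)))
```

The stem comparison is what catches the September-to-October problem: every member of the p@ssw0rd01 ... p@ssw0rd12 family reduces to the same stem, so the check fails regardless of which counter the user tries next. The edit-distance test is a fallback for small changes the stem rule does not model, such as swapping one interior character.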
If increasing password length is simply not an option, it could be time to look at deploying a two-factor authentication system. Our friends over at Yubico have developed a piece of hardware that brings two factor authentication down to one button press.
Your article is very informative and the use of graphics adds to understanding the process.
Posted by: Information Security | February 08, 2013 at 09:11 PM