Change Your Password Twice a Year

CommanderFrank

Google is advocating a security checklist which includes changing your password twice a year and never using it again. Good advice from Google. Now if Street View would stop driving by my house, I would feel much safer. Maybe Google also will advise you to move twice a year and never go back. :D


Webroot's Brandt said that Google's advice for twice-yearly changes is reasonable. He thinks people should change their passwords as often as they can. "I change my passwords at least four times a year, but I'm a security nerd and use password manager software which generates the passwords and reminds me to change them."
 
Someone needs their tinfoil hat today... Street View is awesome, I'm just waiting for them to release higher quality 3-d models for licensing in video games...
 
I change my password every day starting from blank to blank, blank to blank blank blank, ad infinitum. :D
 
dude its bad enuff being newhere with login in here passwerd there i got to many freaking PW's...:rolleyes:
 
Short of something approaching a single sign-on system, changing web passwords that frequently isn't a realistic option due to the PITA factor of hundreds of accounts. I'm still finding a few sites a year that have a password from a low-security set I nominally retired 5 years ago.
 
Am I the only one who thinks the "change your password often" is a waste of time and they should be promoting good passwords instead? It's not like a password has an expiration date, and after so many months no longer works.
 
I really hate these security people. If I went and started changing my passwords twice a year I would never know what account went to what and would lose shit.
 
Am I the only one who thinks the "change your password often" is a waste of time and they should be promoting good passwords instead? It's not like a password has an expiration date, and after so many months no longer works.

It isn't that it has an expiration date; the point in changing passwords is for 2 reasons. One, it keeps somebody from being able to have an unlimited amount of time to brute force your password. The other reason is for IF they do manage to get your password, be it by packet sniffing, brute force, infecting you with a virus and stealing your password, or any other method: you would limit the amount of time they would be able to use your password.

Sure, by having a strong password you make it much harder to brute force in any reasonable amount of time, but now you are relying on the other side to store your password in a way that somebody isn't going to be able to steal it, or that you don't somehow get infected with a virus or other piece of malware that steals it.
 
I recall reading an article a few months ago on the front page suggesting that changing your password does not improve security. Anyone else remember that one?
 
shyte, you mean I shouldn't use password for all my passwords?
 
I like how my bank and PayPal do it. I enter in my user name and my password, then they send me an SMS text on my cell phone with a random number that is only good for 30 seconds. I have to then type that into the website before it lets me log in.

So, to get into my account, you need to know my user name, my password, and have possession of my cell phone. Kinda takes the fun out of hacking user accounts.
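
A server-side sketch of the texted-code step described in the post above, as an added example that is not part of the original post and not any bank's or PayPal's code. The class name, the six-digit length and the three-attempt limit are assumptions; only the 30-second lifetime comes from the post.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 30  # lifetime quoted in the post
MAX_ATTEMPTS = 3       # assumption: cap guesses against a 6-digit code


class LoginCodeStore:
    """Pending one-time login codes, keyed by username (hypothetical helper)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock  # injectable so expiry can be tested
        self._pending = {}   # username -> [code, expires_at, attempts_left]

    def issue(self, username):
        """Call only after the password check passed; returns the code to text."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, zero-padded
        expires_at = self._clock() + CODE_TTL_SECONDS
        self._pending[username] = [code, expires_at, MAX_ATTEMPTS]
        return code

    def verify(self, username, submitted):
        """True only for the live code, once, within the attempt budget."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[username]  # expired codes are discarded
            return False
        # Constant-time comparison avoids leaking how many digits matched.
        ok = hmac.compare_digest(code.encode(), submitted.encode())
        if ok or attempts_left <= 1:
            del self._pending[username]  # single use, or budget exhausted
        else:
            entry[2] = attempts_left - 1
        return ok
```

The code is useless to someone who holds only the password because it is generated after the password check, expires quickly, and is deleted on first use or after too many wrong guesses.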
 
It isn't that it has an expiration date; the point in changing passwords is for 2 reasons. One, it keeps somebody from being able to have an unlimited amount of time to brute force your password. The other reason is for IF they do manage to get your password, be it by packet sniffing, brute force, infecting you with a virus and stealing your password, or any other method: you would limit the amount of time they would be able to use your password.

Sure, by having a strong password you make it much harder to brute force in any reasonable amount of time, but now you are relying on the other side to store your password in a way that somebody isn't going to be able to steal it, or that you don't somehow get infected with a virus or other piece of malware that steals it.

All those points have to do with someone getting your password, and as such, changing it often would have no effect, as the person would still have access for about 6 months if you are going by the suggestion. And if the site does not store the passwords in a "safe" way, then what good will changing the password do? I see allll the time news reports of people using TrueCrypt with good passwords and some part of the gov using a supercomputer to try and bruteforce it for months/years without any luck, which is amazing since there is no network bandwidth limit factoring in.

Also, if your rig is compromised by some form of infection, and you don't know about it, again, changing the password would have no effect and if you do know about it, you would remove it and should change all passwords to be safe.

I recall reading an article a few months ago on the front page suggesting that changing your password does not improve security. Anyone else remember that one?

As do I, it had to do with the myth being started by banks I believe?
 
It isn't that it has an expiration date; the point in changing passwords is for 2 reasons. One, it keeps somebody from being able to have an unlimited amount of time to brute force your password. The other reason is for IF they do manage to get your password, be it by packet sniffing, brute force, infecting you with a virus and stealing your password, or any other method: you would limit the amount of time they would be able to use your password.

Sure, by having a strong password you make it much harder to brute force in any reasonable amount of time, but now you are relying on the other side to store your password in a way that somebody isn't going to be able to steal it, or that you don't somehow get infected with a virus or other piece of malware that steals it.

Yea but who gives a fuck unless it's a bank or CC site? Of course let's not forget Steam, which I am sure would probably lock the account if someone tried to brute force.

OMG someone stoles my [H]ardform password! It really isn't as bad as most security people make it out to be online.
 
It sounds good in theory, but a nightmare in practice for average users. We're all creatures of habit, for better or worse. One must have perfect record-keeping of all sites they registered and remember to change it all at some point. That just doesn't realistically happen for most people. I think I'm far more likely to get keylogged than brute-forced within 2 years. It's about as unrealistic as using a different password for every account you use. Sure you should have an important password and a junk one, but no one's going to realistically remember a dozen passwords for different accounts.
 
None of my accounts have ever been hacked besides my Google one a few months back.

I only use a couple passwords, one of them containing letters and numbers, yet that one was hacked on eBay. I changed it again to include a capital letter and a special character and it seems to've fixed it.

Hackers can screw themselves.
 
Any good websites that generate those tough passwords like HostGator used to have? I miss that page :(
 
dude its bad enuff being newhere with login in here passwerd there i got to many freaking PW's...:rolleyes:

I have no idea what you just said there... :confused:

I always find one password for my recovery email and another password for everything else works out well. Work and my 40+ passwords is a different story though...
 
Well, personally, since people can just walk by my house and look at it, I don't really care about street view...
 
I noticed a trend of some forums forcing this. The forums that force this will be the ones I no longer use. I've had passwords for 7 years that are the same, with no problems. If nobody has the password now, why would they suddenly have it a year from now if nothing has changed?
 
i have no clue what my passwords are, i wouldn't recognize them if i saw them. i just put my fingers on the keyboard and play some piano music. my bank password is about 50 characters long and takes 10 seconds to play.
 
I recall reading an article a few months ago on the front page suggesting that changing your password does not improve security. Anyone else remember that one?

I can think of two reasons why easily.

1. You can change the password all day, but if you choose safety parameters that everyone who knows you knows (your mother's maiden name, the name of your high school, your dog's name, etc.) then it's worthless. The same goes with choosing typical passwords that people who know you can guess easily.

2. People tend to remember 3-4 passwords and use them in various places, so if one falls, suddenly 10-20 sites are now vulnerable.
 
I recall reading an article a few months ago on the front page suggesting that changing your password does not improve security. Anyone else remember that one?

because frequently changing it results in people having to write it down, or save it in a non safe file, thus defeating the whole reason to change your password.
 
In the end Google doesn't want anyone to get your information.....











only they are allowed to do that!
 
I noticed a trend of some forums forcing this. The forums that force this will be the ones I no longer use. I've had passwords for 7 years that are the same, with no problems. If nobody has the password now, why would they suddenly have it a year from now if nothing has changed?

Because every day new people are getting into hacking / phreaking / cracking? It is not like all the current people who do this will just stop one day; new people get into it.

One day H could be compromised from a VB update and poof, there goes your password all over the net.
 