If safe practice is to change passwords regularly, why is it so difficult to do so?

vsboxerboy (2[H]4U, joined Oct 17, 2005, 3,661 messages)
So, I'm switching to keepass and instead of using about 3 different passwords for everything, I'm going that route. Now, I'm setting up new passwords for my old accounts and it's sometimes so not intuitive to find out how and where to do so.

Example: my flickr account -

so you go to flickr then you have to
go to yahoo
no mention of password or settings so you have to click on your name itself
then go to settings
then account settings
then find the password and username one
and then you can change it

WTF? Why is this so complicated if it's recommended to change passwords at least every several months...
 
I have never changed the password for my gmail account. It's completely random characters with numbers, symbols and upper/lowercase characters.

I don't have to worry about someone getting it, so I just leave it the same
 
I haven't changed the single password I use for about 5 years now. The password I use isn't super complex but can't be guessed (either by a random person or friend/family) and would not be crackable by a dictionary attack.

I think changing passwords is overrated as long as you don't share your passwords or write them down.

antivirus software is also overrated, I haven't installed an antivirus software on any personal computers for about 10 years now and I have never had any problems. Although once a month I do an online antivirus scan. Even if you are browsing pr0n or torrenting a lot, you just have to be smart about it.
 
antivirus software is also overrated, I haven't installed an antivirus software on any personal computers for about 10 years now and I have never had any problems. Although once a month I do an online antivirus scan. Even if you are browsing pr0n or torrenting a lot, you just have to be smart about it.

Yeah, that's a good idea.
 
The only thing that changing passwords on a schedule can help with is people that already know your password that shouldn't. There have been studies done recently.
 
I use different passwords for different needs, and change them every 2-3 months...

An online web-based password synchronization service would be great, but it's a double-edged sword (idea!)
 
I haven't changed the single password I use for about 5 years now. The password I use isn't super complex but can't be guessed (either by a random person or friend/family) and would not be crackable by a dictionary attack.

Really? Hmm, I'm curious. Care to share what it is?
 
^lol

My problem was that I had 3 passwords that I normally used. 1 for secure things like banking, paypal, ebay. 2 for medium security things like gmail, facebook, etc. and 3 for low security things like forums, etc. and I'm worried that if someone knows one they know a lot more. Some 'forgot your password' options straight up give you the password - not just a reset option - and I reckon that anyone that knows enough about me could easily figure it out without too much trouble.

It sounds like a lot of people have a similar method (or even just 1 password!) but it gets confusing when you have one thing that requires your password to use a special character (non char or int such as & or _) and then ones that don't allow a special character. Or ones that require your password to be 14 characters long when others can't be more than 8...so annoying when requirements and restrictions so wildly contrast and contradict.
 
Not using AV is asking for trouble. So you do a scan once a month; you visit a site that you normally trust that has been compromised and gets past your NoScript via some new method, and now your system is a bot for at least a month, contributing to the virus / malware / spyware which can be running silently in the background on your computer, BUT, since you think AV is overrated, you won't know.

AV uses so little resources these days I think it is silly not to run at least one.
 
What pisses me off is where I work we have like 20 different passwords and they all expire at different intervals. Some will still expire even if you voluntarily change it. Pisses me off, why not give everybody an RSA token and PIN, and use those credentials for EVERYTHING? Stop using crappy proprietary software that can't support an external authentication system, bundle everything together, and have single sign on.
 
Ah, the conundrum of convenience vs. security. What would be convenient would be a single-sign-on system that all your services are compatible with. But having one account+password that grants access to all your services is inherently insecure.

The best thing you can do is be proactive by maintaining a user/password database that is itself password protected and just keep it up to date and backed up. You only 'really' have to remember one password. Fun - no. Secure - yes.

The reason why you need to change passwords often is twofold. First, if someone else has already compromised your account but is only using it passively - you may never know. Change the password regularly and eventually they'll lose access. Second, a moving target is harder to hit than a still target. If it takes me a year to crack a password, but you change passwords every six months - then I'll never crack it in time. If however you never change your password - it may take a while but eventually I'll get in.
 
True, having separate passwords is better, but think if you just have one VERY secure password/authentication method that fits all, it may be just as good, if not better, as there is no need to write it down anywhere.

At work I have a PINs database with all my passwords. If someone happened to compromise that it could be a security risk. But if they made everything work through my RSA token, then as long as I have that token with me, it's nearly impossible for someone to hack any of my accounts. If I lose my token, then if someone finds it they either won't know what it's for, and either way probably won't know my PIN. That will buy me some time to get it canceled, at which point it's useless.

If I was in charge of an IT infrastructure, everything would work through tokens. If a system cannot be modified to authenticate through the token system, then we don't use it, period. We go with something else. Sadly IT rarely has a say in what apps are used. It's all political BS that makes things harder for everyone.

RFID would be pretty cool too. Basically the same card/fob that gives you access to the building would also give you access to all IT systems. There would be some kind of group management system where the administrator could give access to doors, applications, specific functions of specific apps, all within one interface. Now that would be awesome. If a user is dismissed, one click removes every single access in one shot. No need to have a ticket flying to 20 different departments over the course of a week.
 
If it takes me a year to crack a password, but you change passwords every six months - then I'll never crack it in time. If however you never change your password - it may take a while but eventually I'll get in.

Wrong. It doesn't change the probability. I could just as easily change it to a password that you were right about to guess. It is ONLY useful for when people already know your password.
 
If you're going the route of keepass to store only 3 passwords, I think you should just memorize them. I have different passwords of low, medium, and high complexity memorized. I only use keepass to randomly generate and store separate passwords per website. There's pretty much one password per site, so that if one account gets compromised, the others won't.

I learned the hard way after having one of my passwords figured out, then the person tried it on other websites and it worked as well :(

Yes, there's the hassle of always having to have keepass, but it's not that big of a deal for me. There's even an Android app so I'll always have the passwords with me.
 
I think some of these online systems make it "difficult" b/c people are generally stupid. They will change their password and forget. If you're smart enough to change the pw at regular intervals, you're smart enough to find the "change my pw" link. As long as it's in a logical place, no complaints from me.

What pisses me off is where I work we have like 20 different passwords and they all expire at different intervals. Some will still expire even if you voluntarily change it. Pisses me off...

<rant>
Where I work - we have a system that will delete the account if not logged in for 14 days. Not disable or lock...delete. WTF?!? If I ever meet up with the admin of that system...his/her first born son is getting a devastating kick to the ***s.

We tried (and continue to try) to get the different application devs to get behind an SSO type auth scheme - but they argue about which one to use. Then we end up with as many SSO type systems as applications. I don't mind having 300 passwords - I can handle having them all change at different intervals (we have one that changes every 43 days?!?) - but I get mega pissed when they lock/disable after non-use of some ridiculously short time frame :mad:.

...and when they set it so you can't use any of your last 100+ passwords (literally - we have a system that "remembers" the last 120 passwords). That's upsetting too. I've come to realize they do this just to make me hate them all.
</rant>
:( I need to update my resume.
 
Yeah, that's rough. I've gone fully the other way and am using Keepass for everything with long, randomly generated passwords unique for everything. I'm going to see how much of a pain it is not knowing my passwords and how I can adapt around that.

Really though, anything that takes a password should have the option to change it one or two clicks away from the login screen at most. Most websites have important links at the footer anyhow - a link should be there.
 