Tag Archives: Passwords

Mandatory Password Changes – A Good Idea?

For a decade the feds recommended frequent password changes. A couple of years ago NIST changed its mind and said it was the worst recommendation it ever made. Still, a lot of companies and regulators require frequent password changes. Is that a good idea?

Microsoft used to recommend frequent password changes. Their current guidance:

According to Microsoft, requiring users to change their passwords frequently does more harm than good.

Humans are notoriously resistant to change. When a user is forced to change their password, they will often come up with a new password that is based on their previous password. A user might, for example, append a number to the end of their password and then increment that number each time that a password is required. Similarly, if monthly password changes are required, a user might incorporate the name of a month into the password and then change the month every time a password change is required (for example, MyM@rchP@ssw0rd).

Again, people are creatures of habit:

What is even more disturbing is that studies have proven that it is often possible to guess a user’s current password if you know their previous password. In one such study, researchers found that they were able to guess 41% of users’ current passwords within three seconds if they knew the user’s previous password.

On the other hand, Larry Ponemon says that it takes, on average, 207 days to identify a breach. If you don’t make users change passwords, then the bad guys have access for that long. If you make users change passwords every 90 days, then maybe you limit that access.

Of course, if you require two-factor authentication and you do it robustly, knowing someone’s password isn’t that helpful.

So what should you do? Fix the underlying problems:

  • Make users choose strong passwords
  • Use password managers
  • Check selected passwords against a compromised password list
  • Implement a self service password reset solution
  • Implement multifactor authentication

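As an added illustration (not code from the post or from Microsoft), here is a Python check that rejects a new password when it is a trivial transform of the previous one (the appended counter and the swapped month name described above), when it appears on a compromised list, or when it is too short. The compromised set and the 12-character minimum are constructed placeholders standing in for a real breach corpus and a real policy value.

```python
import re
from typing import List, Optional

# Constructed stand-in for a breach corpus; a real check should run against a
# full compromised-password list (the entries here are the ones named on this page).
COMPROMISED = {"123456", "password", "12345678", "admin", "login", "starwars"}
MIN_LENGTH = 12  # assumed policy value, not a figure from the post

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
# Undo the usual symbol-for-letter swaps (P@ssw0rd -> password).
LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "1": "i", "!": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Reduce a password to its 'shape' so that MyM@rchP@ssw0rd, MyApr!lP@ssw0rd,
    Summer2023! and Summer2024! all collapse onto the same string."""
    base = re.sub(r"[^A-Za-z]+$", "", password)  # drop the trailing counter users increment
    base = base.lower().translate(LEET)
    for month in MONTHS:                           # full month names only; 'may' inside
        base = base.replace(month, "<month>")      # another word is an accepted false positive
    return base


def evaluate_password(new: str, previous: Optional[str] = None) -> List[str]:
    """Return the policy violations for a proposed password; an empty list means accept."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("too short")
    if new.lower() in COMPROMISED:
        problems.append("appears in compromised-password list")
    if previous is not None and normalize(new) == normalize(previous):
        problems.append("derived from previous password")
    return problems


if __name__ == "__main__":
    print(evaluate_password("MyApr!lP@ssw0rd", previous="MyM@rchP@ssw0rd"))
    print(evaluate_password("Summer2024!", previous="Summer2023!"))
    print(evaluate_password("123456"))
```
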
So there is no good or bad answer; it is a business risk decision. Personally, I think that if you implement the items in the list above, you can reduce password change frequency safely.

On the other hand, if you have a regulator who says you have to change passwords, then you really don’t have a choice, but that is a small minority.

Credit: Hacker News

Sharing Passwords – Everyone Does It

Do you know the password to your spouse’s computer?

What about his or her social media accounts?

His or her email accounts?

Not married, just friends, maybe with benefits – what about his or her passwords?

We will get to work passwords in a minute.

ExpressVPN asked 1,500 American adults in an exclusive but not married relationship about their password sharing habits.

Couples, they say, share a variety of passwords and, most commonly, within the first six months of dating. What could possibly go wrong?

Here is what ExpressVPN found:

The most commonly shared passwords are for video streaming (78%).

Followed by mobile devices – nothing sensitive on your phone I am sure (64%).

Then comes music streaming (58%).

47% share social media passwords and 38% share email passwords.

Respondents said that sharing passwords is most indicative of trust (70%), commitment (63%), intimacy (54%), marriage-material (51%), affection (48%), and vulnerability (47%).

Given that half of Americans who marry get divorced and lots of people don’t even get married any more, the idea of sharing passwords might have some “long term” problems – as in when one of you moves on.

Now let’s move to work passwords. Everyone has their own user ID and password, but in many companies, because of the way account setup is done, IT knows it too, and sometimes so does your boss. Sometimes even your coworkers know it, even if that is against company policy.

FYI, if something bad happens and you want to prosecute the employee, and you are one of the above companies, you had better have some really good evidence (it is possible, but hard).

In many companies, employees, especially within a department, share passwords to some cloud services, such as those that charge by the user.

And IT often has “system” passwords – ones that “have to” be shared.

And don’t forget passwords to Internet of Things devices like, for example, your Alexa.

Let’s say that at some point the magic fades.

If you are not married you split. If you are married you get divorced. If you are employed, you leave, voluntarily or otherwise. If you are a vendor to a company, the company changes vendors.

In any of these cases, do you know what passwords are at risk? In many cases, the answer is no.

If the separation is “less than friendly” – whether work or personal – can you change the at risk passwords quickly?

Do you know if the other person has downloaded your data – business or personal – before the split?

Everyone wants to assume that people are honest and that bad things won’t happen but the percentage of employees, for example, who take data with them when they leave is high. In 2015 Biscom did a survey. 87% of employees took data with them that they created and 28% took data that others created. While these numbers are old, they are probably still in the ballpark.

Most companies don’t change passwords when employees leave because it is logistically challenging, but especially with IT folks, if they are disgruntled, they can and have done major damage. Likewise scorned lovers have done their share of damage too. All you need to do is check out the news from time to time.

Like I said, no one wants to think that relationships, business or personal, will end and even fewer think that they will end badly.

To quote Maya Angelou: “Hoping for the best, prepared for the worst, and unsurprised by anything in between.”

Just a suggestion.

Credit: ZDnet

Facebook Stored Millions (Billions?) of Passwords Unencrypted for Years

Seems like Facebook can’t catch a break. Whether it is Cambridge Analytica or one of the many other scandals plaguing the company, it seems like the only news coverage they get is bad coverage.

This time it is information that Facebook logged users’ passwords in plain text for anyone to read, stored those logs on internal company servers and gave access to that data to tens of thousands of employees.

Other than that Mrs. Lincoln, how was the play tonight?

The internal investigation, which began in January and is still ongoing, discovered that 2,000 employees made 9 million queries for data elements that contained plain text user passwords.

Facebook says that the passwords were logged in plain text “inadvertently”. Possibly, but since protecting passwords is like programming 101 or maybe even programming 001, how could that be?
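
As an added example (not Facebook’s code and not from the original post), here are the two “programming 101” controls that passage alludes to, in Python: a logging filter that scrubs password values out of log lines before they are written, which is exactly the failure described above, and salted-hash storage with hashlib.pbkdf2_hmac so the password itself is never stored. The regex, the field names and the iteration count are constructed assumptions for this example.

```python
import hashlib
import hmac
import logging
import os
import re

# Catches the usual shapes a password takes in a log line: key=value pairs,
# query strings and JSON fields. Pattern constructed for this example.
SECRET_FIELD = re.compile(
    r"""(?i)(["']?(?:password|passwd|pwd)["']?\s*[:=]\s*)(["']?)([^&\s"',}]+)(\2)""")


def redact(text: str) -> str:
    """Replace the value of any password-like field with a marker."""
    return SECRET_FIELD.sub(r"\1\2[REDACTED]\4", text)


class RedactSecrets(logging.Filter):
    """Logging filter that scrubs password values before a record is emitted."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # format first, then scrub
        record.args = ()
        return True


def hash_password(password: str, iterations: int = 200_000) -> str:
    """Store a salted PBKDF2-SHA256 digest, never the password itself
    (a memory-hard KDF such as scrypt or Argon2 is preferable where available)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    log = logging.getLogger("auth")
    log.addFilter(RedactSecrets())
    # Constructed sample: the credential is scrubbed before the line reaches any handler.
    log.info("login attempt user=%s password=%s", "bob", "hunter2")
```
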

Facebook now says that they plan to tell people that their passwords were exposed. Sometime. They did post an announcement of the situation, here.

Facebook says that they will need to notify hundreds of millions of Facebook Lite users (Lite is the version that is used in places where bandwidth is at a premium), tens of millions of other Facebook users and tens of thousands of Instagram users.

So what should you do?

I would recommend changing your Facebook password no matter whether you receive notice from them or not.

If you use the same password on any other web sites, change those passwords too.

Enable two-factor authentication on the Facebook web site. This is very simple to do and provides a lot of extra protection.

Review what third party apps you have given permission to access your Facebook data.

If you were sharing passwords between web sites, this is a perfect reason not to do that. Using a password manager makes it a lot easier to use unique passwords.

Facebook supports using an authenticator app such as Authy or Google Authenticator as the second factor rather than text messages. It APPEARS that if you have a phone number associated with your account, they insist on allowing you to use that in an emergency. Which means a hacker can declare an emergency. Remove your phone number from your account to solve that problem. Probably a good idea anyway.

Information for this post came from Brian Krebs.


100 Worst Passwords of 2017

SplashData, which makes password management software, releases a list of the top compromised passwords.

They did this by collecting five million compromised passwords and analyzing them.

The top password this year is, again, 123456.

The number two password is, yes, password.

Number three is 12345678.

You can read the article to get all the rest of them, but it doesn’t get better when you go down the list. Number 11 is admin; number 14 is login. Number 16 is starwars.

After all of the articles that talk about selecting good passwords, 123456 is still number one.

Hopefully those compromised passwords did not include access to your bank account, but I wouldn’t even bet on that.

PLEASE, choose good passwords, do not reuse passwords across web sites and use a password manager.

The part about not reusing passwords is the toughest because we have so many of them. That is why using a password manager is important. That way you only have to remember one password.

Information for this post came from PC Magazine.