ELM Bulletin - May 31, 2012
Does Changing Your Password Improve Security?
As long as there have been people there have been secrets, people trying to steal secrets, and security to protect secrets. Computer users most often encounter security as a regularly changing password. The question is: is regularly changing a computer password a good security policy? Read this ELM Bulletin to find out.
The Advantages - Changing computer passwords can enhance security by:
- preventing people from accessing systems and data to which they do not have legitimate access
- reducing the risk of password cracking if a password or master password file has been lost or stolen, especially if the password change frequency is shorter than the time needed to guess the password
- encouraging staff to appreciate the value of the systems and data which they access and calling attention to the need for these to be secure
The Disadvantages - Changing computer passwords can reduce security because:
- the new password is frequently only a slight modification of the old password
- users tend to recycle old passwords rather than creating a new password each time
- users are more likely to jog their memory by writing passwords on a note near the computer
Analysis - Changing passwords will have varying degrees of success, depending on the circumstances:
- When hackers are trying to guess your password (which is happening constantly), changing the password does not improve security and is not recommended. Password breaking is an independent process from password creation and will always have the same statistical likelihood of success whether passwords change or not; the hacker is just as likely to guess your new password as he was your old one. All that changing the password accomplishes is increased IT costs and frustrated users.
- When workers are moved to other projects, changing a password will improve security and is highly recommended. A user who no longer needs to access certain systems and data cannot (inadvertently) cause a security breach if their password has been changed to make access impossible.
- When a password or master password file has become common knowledge or has fallen into the wrong hands, changing the password will improve security and is essential for all affected accounts. Once a password file has fallen into the wrong hands it is only a matter of time before the password file is cracked and used against you. However: if your passwords have been stolen, you have a far greater concern than changing your password (in most cases the hacker will know the new passwords as soon as you create them anyway). Your systems and data have already been compromised and now you need to stop the bleeding.
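Putting the analysis above into numbers, as an added example that is not part of the bulletin: a short Python model of the two cases it separates, an offline attacker holding a stolen password file (rotation matters only if the password is replaced before the expected crack time) and an online attacker guessing at random (rotation does not change the odds). The hash rates, entropy figures and rotation windows used are constructed assumptions, not measurements.

```python
import random

SECONDS_PER_DAY = 86400


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Offline case: the attacker holds a stolen password file and can test
    guesses as fast as the hash allows. On average half the keyspace must be
    searched before the password is found."""
    return (2 ** entropy_bits) / 2 / guesses_per_second


def rotation_helps_offline(entropy_bits: float, guesses_per_second: float,
                           rotation_days: float) -> bool:
    """Rotation only blunts an offline attack when the password is replaced
    before the attacker is expected to finish cracking the old one."""
    return rotation_days * SECONDS_PER_DAY < expected_crack_seconds(
        entropy_bits, guesses_per_second)


def online_guess_success_rate(keyspace: int, guesses_per_period: int,
                              periods: int, rotate: bool,
                              trials: int = 20000, seed: int = 1) -> float:
    """Online case: the attacker submits random guesses at a login prompt,
    each guess independent of the password's history. With rotate=True the
    password is re-drawn at the start of every period. Returns the fraction
    of trials in which at least one guess succeeded."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        secret = rng.randrange(keyspace)
        for _ in range(periods):
            if rotate:
                secret = rng.randrange(keyspace)
            if any(rng.randrange(keyspace) == secret
                   for _ in range(guesses_per_period)):
                wins += 1
                break
    return wins / trials


if __name__ == "__main__":
    # Constructed figures: a 40-bit password against a fast hash at 1e9
    # guesses/s falls in minutes, so a 90-day rotation is irrelevant; an
    # 80-bit one outlasts the rotation window, so rotation does help there.
    print(expected_crack_seconds(40, 1e9), rotation_helps_offline(40, 1e9, 90))
    print(rotation_helps_offline(80, 1e9, 90))
    # Online guessing: the two success rates agree within sampling noise.
    print(online_guess_success_rate(1000, 10, 10, rotate=False),
          online_guess_success_rate(1000, 10, 10, rotate=True))
```

The online model assumes the attacker's guesses are independent of the old password; a new password that is only a slight modification of the old one (the first disadvantage above) breaks that assumption and makes rotation worth even less.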
Recommendation One - I believe that changing a password is of value in the following situations:
- A guest, co-worker or temporary replacement knows your password - your password should be changed to prevent unauthorized access to your system and data
- Your password or master password file has fallen into the wrong hands - all passwords affected must be changed immediately. Additionally, you must take immediate action to discover, remedy and evaluate the compromise that resulted in the loss of passwords.
Recommendation Two - I believe that changing a password is of little or no value in the following situation:
- No compromise or loss of password has occurred - if your only concern is that a hacker might guess your password, then changing your password makes life no more difficult for the hacker yet makes life more difficult for you. Additionally, by taking steps to reduce the difficulty for you (notes, reusing passwords, etc.), security will actually be reduced.
Recommendation Three - Use passwords!
- All of the above assumes that you are using passwords; if you are not, you should be.
- If your computer is not secure, your computer and its data are free for anyone to use.
As always, please do not hesitate to contact me if you have any questions about this or any other issue.
Past ELM Bulletins are available from our website; please forward them to anyone you wish.
Peter Rhebergen