be changed to either mrcoolguy@11 or mrcoolguy@2 and so on. Incremental changes of this kind add
almost nothing to the strength of the password: an attacker who knows the previous one can enumerate such variants in seconds.
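An added example (not from the article) of how a password-change policy can reject exactly the "increment the digit" habit described above. The check strips case, digits and symbols to compare the alphabetic core of the old and new passwords, and falls back to an overall similarity ratio (difflib's SequenceMatcher, in the spirit of the `difok` setting in pam_cracklib) for less obvious variants. The sample passwords and the 0.8 threshold are constructed for illustration.

```python
"""Reject new passwords that are trivial variants of the old one.

Added illustration; the thresholds and sample passwords are constructed, not
taken from any real policy.
"""
import re
from difflib import SequenceMatcher


def _alpha_core(pw: str) -> str:
    """Lower-case and drop digits/symbols, the parts users typically bump.

    "mrcoolguy@1", "MrCoolGuy@2" and "mrcoolguy@11" all collapse to "mrcoolguy".
    """
    return re.sub(r"[^a-z]", "", pw.lower())


def is_trivial_change(old: str, new: str, min_ratio: float = 0.8) -> bool:
    """Return True when `new` is too close to `old` to count as a real change.

    Rules, in order:
      1. empty values and case-only changes are trivial;
      2. identical alphabetic core (only digits/symbols/case differ) is trivial;
      3. otherwise compare the whole strings and reject above `min_ratio`
         (0.0 = nothing in common, 1.0 = identical).
    """
    if not old or not new:
        return True
    if old.lower() == new.lower():
        return True
    core_old, core_new = _alpha_core(old), _alpha_core(new)
    if core_old and core_old == core_new:
        return True
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= min_ratio


def review_change(old: str, new: str) -> str:
    """Policy decision string for a proposed change (constructed wording)."""
    return "reject: trivial variant of previous password" if is_trivial_change(old, new) \
        else "accept"


if __name__ == "__main__":
    # Constructed sample pairs mirroring the article's mrcoolguy example.
    for old_pw, new_pw in [
        ("mrcoolguy@1", "mrcoolguy@11"),
        ("mrcoolguy@1", "mrcoolguy@2"),
        ("mrcoolguy@1", "MrCoolGuy@1"),
        ("mrcoolguy@1", "correct-horse-battery"),
    ]:
        print(f"{old_pw!r} -> {new_pw!r}: {review_change(old_pw, new_pw)}")
```

In a real deployment this comparison has to happen at change time, while the old password is still available in plaintext from the user's confirmation prompt, because it cannot be done against a stored hash afterwards.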

Additional research at Carleton University suggests that if an attacker already knows your
password, a routine password change is unlikely to lock them out. In some cases the attacker
will already have installed a keylogger or similar malware that captures every future password,
so changing the password in that scenario achieves nothing. Finally, over the past few years,
organizations such as the National Institute of Standards and Technology (NIST) in the US and the
National Technical Authority for Information Assurance (CESG) in the UK have concluded that
mandated password changes are often ineffective or counterproductive.

RECOMMENDATION

So the question remains: how often does a password need to be changed? Unfortunately, there
is no definitive answer. Changing a password promptly is essential when you use the same
password on several sites and you have reason to believe that it has been stolen; in that case it
must be changed on every account that shares it. Rather than rotating a single password on a
schedule, the better choice is to use a complex, unique password for every application.

However, remembering a unique password for every application is practically impossible, so a
password vault such as 1Password or LastPass should be used. These third-party applications
carry their own risks, but at this point it is a matter of making a conscious risk acceptance
decision in order to eliminate the risks inherent in password reuse.

This raises the question of what good practices are when creating a complex password.
Well-known security and privacy expert Bruce Schneier recommends the following:

1. Never reuse a password you care about. Even if you choose a secure password, the site it is
for could leak it because of its own incompetence.
2. Don't bother updating your password regularly. Sites that require 90-day -- or whatever --
password upgrades do more harm than good. Unless you think your password might be
compromised, don't change it.
3. Beware the ‘secret question.’ You don't want a backup system for when you forget your
password to be easier to break than your password.
4. Finally, if a site offers two-factor authentication, seriously consider using it. It is almost
certainly a security improvement.

CONCLUSION

The first step towards password security is to assess the risks and benefits to your
organization. Next, consider deploying alternative methods of increasing security. Most
experts agree that mandating password expiration is an inconvenience to end users without

81 Cyber Warnings E-Magazine – April 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide