Passwords have become more susceptible to hacking in recent times as more sophisticated hacking equipment is released onto the market. A recent gadget sold for as low as $5 is reported to have the capability of breaking into password-protected computers in just one minute. Recently, WhatsApp took steps to ensure that passwords are not easily broken into by adding a two-step verification passcode for new users.
In Nigeria, experts are urging people and companies to protect their passwords and change them if they are not strong enough. What is not said often enough is how regularly a password should be changed.
The answer varies from one expert to another. But it is important to know what really works, and we have tried to summarize the thoughts of different experts.
Writing in a blog article, Lorrie Cranor, chief technologist of the US Federal Trade Commission, said: “Not as often as you might think. There is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily. Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases. (And even if a password has been compromised, changing the password may be ineffective, especially if other steps are not taken to correct security problems.)”
She further explains that mandatory password changes are a long-standing security practice designed to periodically lock out unauthorized users who have learned users’ passwords. More recently, she wrote, new research has shown that this practice may actually be less beneficial than was previously believed.
A study conducted by researchers at Carleton University models an attacker who systematically attempts every possible password until the user’s password is guessed. Attackers who know that users must create new passwords periodically will start the process over again if they do not guess a user’s password after exhausting all guesses. Today, attackers who have access to the hashed password file can perform offline attacks and guess large numbers of passwords.
The Carleton researchers demonstrated mathematically that frequent password changes only hamper such attackers a little bit, probably not enough to offset the inconvenience to users, Cranor wrote.
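To put numbers on the Carleton argument, here is an added example (not code from the article or from the study) that models the restarting guesser described above and compares no rotation with a fixed rotation period; the password space size, guess rates and rotation period are constructed assumptions.

```python
from typing import Optional

# Constructed model assumptions: the password is drawn uniformly from a space
# of `space` candidates; the attacker tries candidates in a fixed order at
# `rate` guesses per day; on each rotation the user picks a fresh uniform
# password and the attacker restarts from the top, as the article describes.


def p_breached_by(space: int, rate: float, days: float,
                  period: Optional[float] = None) -> float:
    """Probability the attacker has hit a valid password at least once by `days`."""
    if period is None:  # no rotation: k guesses cover k/space of the space
        return min(rate * days / space, 1.0)
    per_period = min(rate * period / space, 1.0)  # success chance within one full period
    full_periods = int(days // period)
    leftover_days = days - full_periods * period
    p_survive_full = (1.0 - per_period) ** full_periods
    p_survive_partial = 1.0 - min(rate * leftover_days / space, 1.0)
    return 1.0 - p_survive_full * p_survive_partial


def expected_days_to_breach(space: int, rate: float,
                            period: Optional[float] = None) -> float:
    """Mean days until the attacker's first success under the same model."""
    if period is None:
        return (space + 1) / (2 * rate)  # uniform target, fixed guessing order
    guesses_per_period = min(rate * period, space)
    p = guesses_per_period / space  # chance a given period succeeds
    wasted_periods = 1 / p - 1  # mean number of full periods that fail
    return wasted_periods * period + (guesses_per_period + 1) / (2 * rate)


if __name__ == "__main__":
    SPACE = 1_000_000  # constructed: a million candidate passwords
    # constructed rates: rate-limited online guessing vs. offline cracking of a stolen hash file
    for label, rate in (("online guessing", 10_000), ("offline hash cracking", 1_000_000_000)):
        print(f"{label}: expected days to first breach, "
              f"no rotation {expected_days_to_breach(SPACE, rate):.4f}, "
              f"30-day rotation {expected_days_to_breach(SPACE, rate, 30):.4f}")
```

With the online rate, 30-day rotation raises the expected time to breach from about 50 days to about 85 days, while against the offline attacker both policies give the same figure, which is the point Cranor draws from the study.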
“So, should you ever change your password?” Cranor asked, “Well, sometimes. If you have reason to believe your password has been stolen, you should change it, and make sure you change it on all of your accounts where you use the same or a similar password. If you shared your password with a friend, change it. If you saw someone looking over your shoulder as you were typing your password, change it. If you think you might have just given your password to a phishing website, change it. If your current password is weak, change it. If it will make you feel better or if you just feel like it’s time for a change, then by all means go ahead and change your password.”