xisto Community
Saint_Michael

Study: Frequent Password Changes Are Useless


Article

Article #2


I dunno, this seems to be a weak argument for home users and small businesses, but odds are this is more related to large businesses with hundreds to thousands of employees. However, here is the problem: to make the passwords as quick as possible for such a large group, generators are used, because no person has the time to randomly type keys to generate a password. What I am thinking is that they are discussing the process after that generation of switching out passwords and making sure people can use that login.

Although what makes me very skeptical about this "research" is that it is coming from Microsoft, and they should be the last to talk about computer security. That aside, the problem is the users themselves, as they are the ones ignorant about generating passwords; it is not that difficult to do, however, people do not want to go through the task of trying to remember "A22DfgHTT!!#%wfwe4535234%%@DSDSE##" as a password.

In the end, I would say to prolong the need to change your passwords, make them longer and more complex. It is that simple.


Woa! I don't agree with that at all, although I didn't read the article; I just read the topic title.

Although I wouldn't suggest changing your password every week or every month, I would suggest changing your passwords every 3-4 months. Normally, hackers will target specific victims and use programs to figure out passwords. But sometimes the non-typical hacker could be someone you know, where they try to figure out your password or saw you typing it one day, etc. That's why you should change your password every 3-4 months. Not only that, but never use the same password for multiple sites. For every site you have an account on, choose a different password.

If Microsoft is really saying frequent password changes are useless, then they are full of it! Don't listen to them. I have a hard time believing they said that though, so when I'm bored, I might just go ahead and read the article and comment further.



What's wrong with changing your password every week/month rather than 3-4 months if you can remember it? If someone has targeted you specifically, they're going to try all they can whether they know your password or not. If they saw you typing your password, shouldn't that be more reason to change your password more frequently? The chances that you have to change your password on the same day that someone saw you typing it is very slim as it is, anyways.

I also think using the same password on multiple sites is fine. Certainly easier to remember, in any case, unless you write down all your passwords. I think a solid non-guessable password is strong enough to prevent anyone from getting into any one of your accounts. If the person doesn't know you personally, then he/she probably won't know where you have other accounts, anyways.

I've never liked Microsoft's customer support or help. The help web page is terrible, and I totally agree with you there.


If Microsoft is really saying frequent password changes are useless, then they are full of it! Don't listen to them. I have a hard time believing they said that though, so when I'm bored, I might just go ahead and read the article and comment further.

Then I'll do it for you. The topic title is the same as the Yahoo! news article's title, but it is not as bad as the original article's title (referenced as "Article #2"): "Please do not change your password." Neither of them provides a reference to the original study, but the Yahoo! article, perhaps due to time constraints, avoided mentioning much of what would have otherwise allowed for a different conclusion, some of which is mentioned in the Boston Globe article; at least the Yahoo! article references the Boston Globe article.
Now, let's look at the overall logic behind why they say not to do it:

Yahoo!'s (parallel) article:
Microsoft undertook the study to gauge how effectively frequent password changes thwart cyberattacks, and found that the advice generally doesn't make much sense, since, as the study notes, someone who obtains your password will use it immediately, not sit on it for weeks until you have a chance to change it. "That's about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door," the Globe says.

Boston Globe's article:

Particularly dubious are the standard rules for creating and protecting website passwords, Herley found. For example, users are admonished to change passwords regularly, but redoing them is not an effective preventive step against online infiltration unless the cyber attacker (or evil colleague) who steals your sign-in sequence waits to employ it until after you've switched to a new one, Herley wrote. That's about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door.

Tell me that the reason for this isn't a non sequitur, and I'll request that you tell me why it isn't. For in what way does the fact that the hijacker will not wait to use the password for their own gain justify not changing passwords (frequently)? And I would hate to think this is some form of social engineering by one of Microsoft's own researchers to help out hijackers.

But now let us look at one of the reasons why this research may have been started:

Yahoo!'s (parallel) article:
To be economically justifiable, each minute per day that computer users spend on changing passwords (or on any security measure) should yield $16 billion in annual savings from averted harm.

Boston Globe's article:

In the paper, Herley describes an admittedly crude economic analysis to determine the value of user time. He calculated that if the approximately 200 million US adults who go online earned twice the minimum wage, a minute of their time each day equals about $16 billion a year. Therefore, for any security measure to be justified, each minute users are asked to spend on it daily should reduce the harm they are exposed to by $16 billion annually. It's a high hurdle to clear.

However, of the two articles, only the Boston Globe article admits that the Microsoft researcher doesn't necessarily believe that passwords should not be changed, and if read, one would realize that the Boston Globe's article title does not necessarily reflect what is written in the article itself. Whether or not the Boston Globe is, then, accurately representing the study is beyond me, but while there is a lot of mention of financial loss, it seems the study may have dealt more with how much IT red tape is present when trying to increase security.


someone who obtains your password will use it immediately, not sit on it for weeks until you have a chance to change it. "That's about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door," the Globe says.

Well, there's a good point of view here: if someone hacks your account, he won't wait to enter and mess with your files or messages; he will do this immediately. Therefore, changing your password frequently is a kind of waste of your time.

On the other hand, I think changing your password after you know that your email, for example, is hacked is a reasonable solution. Even if some people think it doesn't make sense, it does. If you lost a file or two, of course you don't want to lose the others. Even if you lost all of your files or messages, maybe you want to keep this account. So changing the password is the first thing you should do.

And still the most powerful way is creating a secure password, by using small and capital letters, using numbers and signs, and it should always be longer than 6 digits.


Actually, there is nothing wrong with changing passwords every week. Let's get even more extreme and say that people should change them every day. Fact is, you don't have to. I pointed out that the typical hacker uses programs to hack accounts, so whether you change your password daily or weekly won't help. The most common hacker techniques right now are phishing sites. It's easy, and targets the gullible. Although it is more secure when you can change your password daily or weekly or even monthly, you really have to have a balance and weigh the pros and cons. So this is why I personally suggest changing a password every 3-4 months, because there is a balance to it. Although still frequent considering most people never change their passwords, it won't take 3 hours out of your precious day when you're paranoid about being hacked. Saint Michael gave a good example of what you should input as a password so you don't have to change it as often.

I did read the articles and it just blows me away about the ignorance. They use an example of a thief who found your house key and would use it right away rather than wait until the locks have been changed. This is wrong thinking, because typical hackers like to play and they like to play undetected, so if a typical hacker hacks your account, he will be logging on and off your account several times for months if it goes undetected, so the house and key theory is a moot point.

Also, you are sorta contradicting yourself in what you wrote. At first, you're talking about a more secure account by changing your password every week. Then you state that using the same password for every site is OK (a more insecure technique for security). Listen. Now I will tell you something right now: that is just BAD advice, and I will tell you why. If you use the same password for every site, then all your accounts are pretty much linked together by the same password. What this does for a hacker is make his job easier, because once he gets into one of your accounts, he can have easy access to all of them. Also, if this happens where you have the same password and one of your accounts gets hacked, it's harder for the real owner to start changing all the passwords all at once if he has caught the hacker in his tracks. If a person uses a different password for each account, then people can rest assured that only one of his accounts is really a threat instead of all of them, and a hacker won't be able to access other accounts with the same password.

So with that said, I offered a suggestion of changing passwords every 3-4 months for a balance of time, energy and security. It's good advice. But if someone wants to change their password daily/weekly/monthly, by all means, that is even safer.

But I do want to stress that a lot of hacking attempts do occur by people you know, believe it or not, and those people can prove to be more dangerous than a typical hacker. They just have to look under stored passwords or look over your shoulder, or they have some idea of what passwords you would use.

Internet security should be taken seriously. That's why I am shocked to see these titles of articles floating around. Some of the best sites I have been on offer internet security to the end user to help prevent hackers by not allowing someone to log in if the recorded IP does not match. From there, it might ask you a series of security questions just to verify who you are.

And that's another thing. When choosing a security question and answer, make it a hard one that very few people know, even your own friends and family. It should be personal to YOU. If you have trouble picking one, and they are all simple security questions, what I tend to do is answer the opposite of what the question is asking. So if it's asking where you went to high school, put in your jr. high. If it's asking your favorite pet's name, type your pet's name backwards. Those are easy security questions to guess, so you want to be creative in how you answer so nobody can figure them out if they are trying to hack your account... especially if they know you and know the answers to simple security questions.

And yes, Saint Michael gave good advice. Use at least 10 characters in your password (the more the better) and use numbers, lower case letters, capital letters, and symbols. This is the easiest way to protect all of your accounts, but not the only way.

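The login check described in the post above (refuse a plain login when the source IP does not match what the site has recorded for the account, and fall back to security questions) can be written as a small decision routine over login events. The code below is an added example for this thread, not code from any site the poster mentions; the login events are constructed, and the rule that a passed step-up records the new IP for next time is this example's own assumption.

```python
from ipaddress import ip_address

# Constructed login events in time order: (user, source IP, outcome).
# Shaped like a site's login log; not taken from any real system.
SAMPLE_LOGINS = [
    ("alice", "203.0.113.10", "success"),
    ("alice", "203.0.113.10", "success"),
    ("alice", "198.51.100.7", "success"),   # an IP alice has never used before
    ("bob",   "192.0.2.44",   "success"),
    ("bob",   "192.0.2.44",   "failure"),   # wrong password; teaches nothing
    ("bob",   "192.0.2.45",   "success"),   # a new IP for bob
]


def evaluate_logins(events, history=None):
    """Return one decision per event, following the post's rule.

    - "deny":    the password was wrong; the source IP is never recorded from
                 a failed attempt, so guessing does not build trust.
    - "enrol":   first ever success for the account; its IP becomes known.
    - "allow":   correct password from an IP already recorded for the account.
    - "step_up": correct password from an unrecorded IP; the site would now
                 ask its security questions before granting the session.

    Assumption (this example's, not the page's): a passed step-up records
    the new IP, so a second login from it is allowed directly.
    `history` maps user -> set of known IPs and is updated in place so a
    caller can keep it between batches.
    """
    history = {} if history is None else history
    decisions = []
    for user, ip, outcome in events:
        ip = str(ip_address(ip))           # normalise; rejects malformed input
        known = history.setdefault(user, set())
        if outcome != "success":
            decisions.append("deny")
        elif not known:
            known.add(ip)
            decisions.append("enrol")
        elif ip in known:
            decisions.append("allow")
        else:
            known.add(ip)
            decisions.append("step_up")
    return decisions


if __name__ == "__main__":
    seen = {}
    for event, decision in zip(SAMPLE_LOGINS, evaluate_logins(SAMPLE_LOGINS, seen)):
        print(f"{event[0]:6} {event[1]:14} {event[2]:8} -> {decision}")
    print("known IPs:", seen)
```

The point of keeping failed attempts out of `history` is the one the poster makes about people who know you: someone guessing at your password from their own machine must still clear the security questions even once they guess right, so the questions deserve the same care as the password.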





Well, when I posted, I was kinda assuming you meant people who weren't gullible enough to fall for phishing scams. If a person is THAT incapable of spotting a scam, then changing passwords doesn't help whatsoever.

I realize I contradicted myself in my post, but it was purposeful. I wanted to bring in more perspectives of the case because I can see someone using those two arguments.

I completely agree with you about a moderation between changing passwords at given times and using hard-to-guess passwords.

I also DO use the same password for most sites, but I NEVER use the same username, if that's what you're berating me about ;)


Changing passwords frequently would help in avoiding password attacks. An automated program that tries different passwords against a computer system would have a harder time if you change your password, because by the time they figure out what your password is, you would have a different password. Three months is a long time between password changes, but if you cut that time down to once a month, it would help maintain security, because a whole month of computation is a pretty reasonable amount of time for cracking a password.

When somebody does see you typing a password, however, the only thing that you can do is to change your password much more frequently... like maybe twice a day? If they do manage to get into your account in the morning and think about all of the data that they want to get out of your account by the time they get back home, your password would have been changed and you've maintained the security of your account. The problem would be if they, however, change the password as soon as they get into your account, in which case you would have been locked out, but as long as there's a password recovery mechanism that you can use, such as a forgot-password email, and the email account is not changeable by logging into your account, or by sending a recovery code by SMS to your phone.
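The two positions in this thread, "make it longer and more complex" (Saint_Michael's opening post and the 10-character advice later) versus "rotate it before a month of computation finds it" (the post just above), can be put side by side with a little arithmetic. The following is an added example for this thread, not code from the study or the articles: it estimates a password's guessing entropy from the character classes it uses and then asks how likely a blind guessing attack at a fixed rate is to hit the password before the next rotation. The symbol set and the two guess rates (an online guesser held back by rate limiting, an offline cracker working on a stolen hash) are constructed assumptions.

```python
import math

# Character classes as the thread's advice mixes them. SYMBOLS is a constructed
# set; a given site's accepted punctuation may differ.
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"

SECONDS_PER_DAY = 86400


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search: the union of every class
    the password draws from, plus one per character outside those classes."""
    size, union = 0, ""
    for cls in (LOWER, UPPER, DIGITS, SYMBOLS):
        if any(c in cls for c in password):
            size += len(cls)
            union += cls
    size += len({c for c in password if c not in union})
    return max(size, 1)


def entropy_bits(password: str) -> float:
    """Upper bound on guessing entropy, assuming each character is chosen
    uniformly from the alphabet. Human-chosen passwords are weaker than this,
    so real odds are worse than the figures below."""
    return len(password) * math.log2(charset_size(password))


def compromise_probability(bits: float, guesses_per_second: float,
                           rotation_days: float) -> float:
    """Probability that guessing at a fixed rate finds the password before it
    is rotated. Each guess rules out one candidate, so the fraction of the
    space covered by the deadline is the probability, capped at 1."""
    guesses = guesses_per_second * rotation_days * SECONDS_PER_DAY
    return min(1.0, guesses / 2 ** bits)


def compare_policies(password: str, guesses_per_second: float) -> dict:
    """Compromise probability under the rotation intervals the thread argues
    about: monthly, every three months, and once a year."""
    bits = entropy_bits(password)
    return {days: compromise_probability(bits, guesses_per_second, days)
            for days in (30, 90, 365)}


if __name__ == "__main__":
    # Constructed guess rates: throttled online guessing vs. offline cracking.
    rates = (("online, 10 guesses/s", 10.0), ("offline, 1e9 guesses/s", 1e9))
    # "secret" stands in for a short lowercase password; the third string is the
    # example from the opening post.
    candidates = ("secret", "T3st!ng99x", "A22DfgHTT!!#%wfwe4535234%%@DSDSE##")
    for label, rate in rates:
        for pw in candidates:
            odds = {d: f"{p:.2e}" for d, p in compare_policies(pw, rate).items()}
            print(f"{label:24} {len(pw):2} chars {entropy_bits(pw):6.1f} bits {odds}")
```

Run as-is, the table shows the trade-off the thread circles around: shortening the rotation of a six-letter lowercase password from 90 days to 30 roughly divides the attacker's odds by three, while a 10-character password mixing all four classes at 90 days is still many orders of magnitude safer than the weak one rotated monthly, and against an offline cracker the short password is found within a day whatever the rotation interval.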
