By Paul Ducklin
Until a few years ago, everyone received advice to change passwords on a regular and frequent basis, just because it was possible. But the idea was to reduce the length of time you’d be exposed if your password were breached since passwords provide the first line of defense to your personal and business devices.
Are password resets needed at all?
By all means, change your passwords whenever you like if you want to – and if you use a password manager, it’s easy to do just that.
But the only time you should feel compelled to change a password is when there is a clear and obvious reason to do so, and that’s if you think – or, worse still, know – that it might have been compromised.
Fortunately, in many or most recent data breaches (not all) where authentication data gets stolen, the crooks don’t end up with your actual password along with your login name.
Passwords usually are – or certainly should be! – stored in a hashed form, where the hash can be used to verify that a supplied password is correct, but can’t be wrangled backwards to reveal what the password was. As a result, most password exposures that arise from data breaches require that the crooks first crack your password by trying a long list of guesses until they find one that matches your password hash.
Simply put, the longer and more complex your password, the longer it will take for the crooks to crack it.They try the most obvious passwords first, so 123456 will probably be the very first one they try for each user; Pa55word! might be the 100,000th on their list; but they are unlikely to get round to trying VFRHFMNOLR5LAIVGDOW5UZRT for days, or months, or even years.
In other words, if a service provider notifies you that your password hash was acquired by crooks, you’ll nevertheless remain safe if you change your password before the crooks get round to cracking it.
Even if the breach happened weeks or months ago, you’ve probably still in a good position to beat the crooks to it, assuming you choose wisely in the first place – and if you use a password manager, it’s easy to do just that.
How quick are we?
A paper entitled (How) Do People Change Their Passwords After a Breach? that came out recently from Carnegie Mellon University in the US reveals that that a worrying number of us aren’t quick at all. The researchers found that very few of their participants reported intentions to change passwords after being notified that their passwords were compromised or reused, including because they believed in the “invincibility” of their passwords.
How good are we?
Disappointingly, even for the one-third who did change the relevant password, most took more than three months to get around to it, and many of those replaced their old passwords with weaker ones.
Even more intriguingly – though perhaps, with hindsight, not surprisingly – the researchers claim that those who did change passwords tended, on average, to pick a replacement that was more similar than before (measured by substring similarities) to all their other passwords.
In short, humans really aren’t good at randomness – but then, they aren’t very good at reacting to data breach advice either.
What to do?
- Don’t delay, do it today
If there’s a valid reason to change one of your passwords, do it right away. This will keep you ahead of the crooks
- Avoid taking shortcuts
Choose quality passwords. Crooks will spot any tricks or patterns you use in order to make your passwords different yet similar enough to remember easily. If you have u64b2vqtn5-fb for Facebook and u64b2vqtn5-tw for Twitter, the crooks will figure out the rest of your passwords with ease.
- You are not invincible
The crooks probably won’t crack your password if it’s 6GHENBIZMX3TTUHJTPQZTEKM, but why take the risk that they might?
- 2FA as an excuse won’t help
Don’t use 2FA as an excuse to choose a trivial password or to use the same one everywhere – it’s meant to be a second factor, not just a different sort of single factor.
(Paul Ducklin is the principal research scientist at Sophos).