Study: Frequent Password Changes Are Useless
Started by Saint_Michael, Apr 15 2010 10:13 PM
7 replies to this topic
#1
Posted 15 April 2010 - 10:13 PM
Article
Article #2
I dunno, this seems to be a weak argument for home users and small businesses, but odds are this is more related to large businesses with hundreds to thousands of employees. However, here is the problem: to make the passwords as quick as possible for such a large group, generators are used, because no person has the time to randomly type keys to generate a password. What I am thinking is that they are discussing the process after that generation, of switching out passwords and making sure people can use that login.
Although what makes me very skeptical about this "research" is that it is coming from Microsoft, and they should be the last to talk about computer security. That aside, the problem is the users themselves, as they are the ones ignorant about generating passwords. It is not that difficult to do; however, people do not want to go through the task of trying to remember "A22DfgHTT!!#%wfwe4535234%%@DSDSE##" as a password.
In the end, I would say to prolong the need to change your passwords, make them longer and more complex. It is that simple.
#2
Posted 15 April 2010 - 10:22 PM
Whoa! I don't agree with that at all. Although I didn't read the article, I just read the topic title.
Although I wouldn't suggest changing your password every week or every month, I would suggest changing your passwords every 3-4 months. Normally, hackers will target specific victims and use programs to figure out passwords. But sometimes the non-typical hacker could be someone you know, where they try to figure out your password or saw you typing it one day, etc... That's why you should change your password every 3-4 months. Not only that, but never use the same password for multiple sites. For every site you have an account on, choose a different password.
If Microsoft is really saying frequent password changes are useless, then they are full of it! Don't listen to them. I have a hard time believing they said that though, so when I'm bored, I might just go ahead and read the article and comment further.
#3
Posted 15 April 2010 - 11:12 PM
anwiii, on Apr 15 2010, 05:22 PM, said:
Whoa! I don't agree with that at all. Although I didn't read the article, I just read the topic title.
Although I wouldn't suggest changing your password every week or every month, I would suggest changing your passwords every 3-4 months. Normally, hackers will target specific victims and use programs to figure out passwords. But sometimes the non-typical hacker could be someone you know, where they try to figure out your password or saw you typing it one day, etc... That's why you should change your password every 3-4 months. Not only that, but never use the same password for multiple sites. For every site you have an account on, choose a different password.
If Microsoft is really saying frequent password changes are useless, then they are full of it! Don't listen to them. I have a hard time believing they said that though, so when I'm bored, I might just go ahead and read the article and comment further.
What's wrong with changing your password every week/month rather than 3-4 months if you can remember it? If someone has targeted you specifically, they're going to try all they can whether they know your password or not. If they saw you typing your password, shouldn't that be more reason to change your password more frequently? The chances that you have to change your password on the same day that someone saw you typing it is very slim as it is, anyways.
I also think using the same password on multiple sites is fine. Certainly easier to remember, in any case, unless you write down all your passwords. I think a solid non-guessable password is strong enough to prevent anyone from getting into any one of your accounts. If the person doesn't know you personally, then he/she probably won't know where you have other accounts, anyways.
I've never liked Microsoft's customer support or help. The help web page is terrible, and I totally agree with you there.
#4
Posted 15 April 2010 - 11:45 PM
anwiii, on Apr 15 2010, 06:22 PM, said:
If Microsoft is really saying frequent password changes are useless, then they are full of it! Don't listen to them. I have a hard time believing they said that though, so when I'm bored, I might just go ahead and read the article and comment further.
Now, let's look at the overall logic behind why they say not to do it:
Quote
Yahoo!'s (parallel) article:
Microsoft undertook the study to gauge how effectively frequent password changes thwart cyberattacks, and found that the advice generally doesn't make much sense, since, as the study notes, someone who obtains your password will use it immediately, not sit on it for weeks until you have a chance to change it. "That’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door," the Globe says.
Boston Globe's article:
Particularly dubious are the standard rules for creating and protecting website passwords, Herley found. For example, users are admonished to change passwords regularly, but redoing them is not an effective preventive step against online infiltration unless the cyber attacker (or evil colleague) who steals your sign-in sequence waits to employ it until after you’ve switched to a new one, Herley wrote. That’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door.
But now let us look at one of the reasons why this research may have been started:
Quote
Yahoo!'s (parallel) article:
To be economically justifiable, each minute per day that computer users spend on changing passwords (or on any security measure) should yield $16 billion in annual savings from averted harm.
Boston Globe's article:
In the paper, Herley describes an admittedly crude economic analysis to determine the value of user time. He calculated that if the approximately 200 million US adults who go online earned twice the minimum wage, a minute of their time each day equals about $16 billion a year. Therefore, for any security measure to be justified, each minute users are asked to spend on it daily should reduce the harm they are exposed to by $16 billion annually. It’s a high hurdle to clear.
#5
Posted 16 April 2010 - 12:13 AM
Quote
someone who obtains your password will use it immediately, not sit on it for weeks until you have a chance to change it. "That’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door," the Globe says.
Well, there's a good point of view here: if someone hacks your account, he won't wait to enter and mess with your files or messages. He will do this immediately. Therefore, changing your password frequently is kind of a waste of your time.
On the other hand, I think changing your password after you know that your email, for example, is hacked is a reasonable solution. Even if some people think it doesn't make sense, it does. If you lost a file or two, of course you don't want to lose the others. Even if you lost all of your files or messages, maybe you want to keep this account. So changing the password is the first thing you should do.
And still the most powerful way is creating a secure password, by using small and capital letters, using numbers and signs, and it should always be longer than 6 digits.
#6
Posted 16 April 2010 - 12:36 AM
Actually, there is nothing wrong with changing passwords every week. Let's get even more extreme and say that people should change them every day. Fact is, you don't have to. I pointed out that the typical hacker uses programs to hack accounts, so whether you change your password daily or weekly won't help. The most common hacker techniques right now are phishing sites. It's easy, and targets the gullible. Although it is more secure when you can change your password daily or weekly or even monthly, you really have to have a balance and weigh the pros and cons. So this is why I personally suggest changing a password every 3-4 months, because there is a balance to it. Although still frequent considering most people never change their passwords, it won't take 3 hours out of your precious day when you're paranoid about being hacked. Saint Michael gave a good example of what you should input as a password so you don't have to change it as often.
I did read the articles and it just blows me away about the ignorance. They use an example of a thief who found your house key and would use it right away rather than wait until the locks have been changed. This is wrong thinking because typical hackers like to play, and they like to play undetected, so if a typical hacker hacks your account, he will be logging on and off your account several times for months if it goes undetected, so the house and key theory is a moot point.
Also, you are sorta contradicting yourself in what you wrote. At first, you're talking about a more secure account by changing your password every week. Then you state that using the same password for every site is OK (a more insecure technique for security). Listen. Now I will tell you something right now. That is just BAD advice and I will tell you why. If you use the same password for every site, then all your accounts are pretty much linked together by the same password. What this does for a hacker is make his job easier, because once he gets into one of your accounts, he can have easy access to all of them. Also, if this happens where you have the same password and one of your accounts gets hacked, it's harder for the real owner to start changing all the passwords all at once if he has caught the hacker in his tracks. If a person uses a different password for each account, then people can rest assured that only one of his accounts is really a threat instead of all of them, and a hacker won't be able to access other accounts with the same password.
So with that said, I offered a suggestion in changing passwords every 3-4 months for a balance of time, energy and security. It's good advice. But if someone wants to change their password daily/weekly/monthly, by all means, that is even safer.
But I do want to stress that a lot of hacking attempts do occur by people you know, believe it or not, and those people can prove to be more dangerous than a typical hacker. They just have to look under stored passwords or look over your shoulder, or they have some idea of what passwords you would use.
Internet security should be taken seriously. That's why I am shocked to see these titles of articles floating around. Some of the best sites I have been on offer internet security to the end user to help prevent hackers by not allowing someone to log in if the recorded IP does not match. From there, it might ask you a series of security questions just to verify who you are.
And that's another thing. When choosing a security question and answer, make it a hard one that very few people know, even your own friends and family. It should be personal to YOU. If you have trouble picking one, and they are all simple security questions, what I tend to do is answer the opposite of what the question is asking. So if it's asking where you went to high school, put in your jr. high. If it's asking your favorite pet's name, type your pet's name backwards. Those are easy security questions to guess, so you want to be creative in how you answer so nobody can figure them out if they are trying to hack your account... especially if they know you and know the answers to simple security questions.
And yes, Saint Michael gave good advice. Use at least 10 characters in your password (the more the better) and use numbers, lower case letters, capital letters, and symbols. This is the easiest way to protect all of your accounts, but not the only way.
Rigaudon, on Apr 15 2010, 06:12 PM, said:
What's wrong with changing your password every week/month rather than 3-4 months if you can remember it? If someone has targeted you specifically, they're going to try all they can whether they know your password or not. If they saw you typing your password, shouldn't that be more reason to change your password more frequently? The chances that you have to change your password on the same day that someone saw you typing it is very slim as it is, anyways.
I also think using the same password on multiple sites is fine. Certainly easier to remember, in any case, unless you write down all your passwords. I think a solid non-guessable password is strong enough to prevent anyone from getting into any one of your accounts. If the person doesn't know you personally, then he/she probably won't know where you have other accounts, anyways.
I've never liked Microsoft's customer support or help. The help web page is terrible, and I totally agree with you there.
#7
Posted 16 April 2010 - 01:05 AM
anwiii, on Apr 15 2010, 07:36 PM, said:
Actually, there is nothing wrong with changing passwords every week. Let's get even more extreme and say that people should change them every day. Fact is, you don't have to. I pointed out that the typical hacker uses programs to hack accounts, so whether you change your password daily or weekly won't help. The most common hacker techniques right now are phishing sites. It's easy, and targets the gullible. Although it is more secure when you can change your password daily or weekly or even monthly, you really have to have a balance and weigh the pros and cons. So this is why I personally suggest changing a password every 3-4 months, because there is a balance to it. Although still frequent considering most people never change their passwords, it won't take 3 hours out of your precious day when you're paranoid about being hacked. Saint Michael gave a good example of what you should input as a password so you don't have to change it as often.
I did read the articles and it just blows me away about the ignorance. They use an example of a thief who found your house key and would use it right away rather than wait until the locks have been changed. This is wrong thinking because typical hackers like to play, and they like to play undetected, so if a typical hacker hacks your account, he will be logging on and off your account several times for months if it goes undetected, so the house and key theory is a moot point.
Also, you are sorta contradicting yourself in what you wrote. At first, you're talking about a more secure account by changing your password every week. Then you state that using the same password for every site is OK (a more insecure technique for security). Listen. Now I will tell you something right now. That is just BAD advice and I will tell you why. If you use the same password for every site, then all your accounts are pretty much linked together by the same password. What this does for a hacker is make his job easier, because once he gets into one of your accounts, he can have easy access to all of them. Also, if this happens where you have the same password and one of your accounts gets hacked, it's harder for the real owner to start changing all the passwords all at once if he has caught the hacker in his tracks. If a person uses a different password for each account, then people can rest assured that only one of his accounts is really a threat instead of all of them, and a hacker won't be able to access other accounts with the same password.
So with that said, I offered a suggestion in changing passwords every 3-4 months for a balance of time, energy and security. It's good advice. But if someone wants to change their password daily/weekly/monthly, by all means, that is even safer.
But I do want to stress that a lot of hacking attempts do occur by people you know, believe it or not, and those people can prove to be more dangerous than a typical hacker. They just have to look under stored passwords or look over your shoulder, or they have some idea of what passwords you would use.
Internet security should be taken seriously. That's why I am shocked to see these titles of articles floating around. Some of the best sites I have been on offer internet security to the end user to help prevent hackers by not allowing someone to log in if the recorded IP does not match. From there, it might ask you a series of security questions just to verify who you are.
And that's another thing. When choosing a security question and answer, make it a hard one that very few people know, even your own friends and family. It should be personal to YOU. If you have trouble picking one, and they are all simple security questions, what I tend to do is answer the opposite of what the question is asking. So if it's asking where you went to high school, put in your jr. high. If it's asking your favorite pet's name, type your pet's name backwards. Those are easy security questions to guess, so you want to be creative in how you answer so nobody can figure them out if they are trying to hack your account... especially if they know you and know the answers to simple security questions.
And yes, Saint Michael gave good advice. Use at least 10 characters in your password (the more the better) and use numbers, lower case letters, capital letters, and symbols. This is the easiest way to protect all of your accounts, but not the only way.
Well, when I posted, I was kinda assuming you meant people who weren't gullible enough to fall for phishing scams. If a person is THAT incapable of spotting a scam, then changing passwords doesn't help whatsoever.
I realize I contradicted myself in my post, but it was purposeful. I wanted to bring in more perspectives of the case because I can see someone using those two arguments.
I completely agree with you about a moderation between changing passwords at given times and using hard-to-guess passwords.
I also DO use the same password for most sites, but I NEVER use the same username, if that's what you're berating me about.
#8
Posted 19 April 2010 - 08:29 AM
Changing passwords frequently would help in avoiding password attacks. An automated program that tries different passwords against a computer system would have a harder time if you change your password, because by the time it figures out what your password is, you would have a different password.
Three months is a long time between password changes, but if you cut that time down to once a month, it would help maintain security, because a whole month of computation is a pretty reasonable amount of time for cracking a password.
When somebody does see you typing a password, however, the only thing that you can do is to change your password much more frequently... like maybe twice a day? If they do manage to get into your account in the morning and think about all of the data that they want to get out of your account, by the time they get back home your password would have been changed and you've maintained the security of your account. The problem would be if they, however, change the password as soon as they get into your account, in which case you would have been locked out, but as long as there's a password recovery mechanism that you can use, such as a forgot-password email (where the email account is not changeable by logging into your account) or a recovery code sent by SMS to your phone.
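A small model of the two arguments traded in this thread, Herley's "house key" point quoted in post #4 (a stolen password is only defeated by rotation if the thief waits) and the automated-guessing point in post #8 (every rotation throws the guesser's progress away). This is an added illustration, not code from the articles or any poster; the guess rate, keyspaces and rotation periods are constructed sample values.

```python
"""Two toy models of when a scheduled password change actually helps.

1. Stolen credential: the change only matters if it lands between the theft
   and the thief's first use.
2. Online guessing: an attacker trying candidates at a fixed rate is capped
   at one rotation cycle of guesses against any given password.

All numbers used below are constructed sample values, not measurements.
"""
import random


def p_rotation_defeats_theft(use_delay_days: float, rotation_days: float) -> float:
    """Probability that a password stolen at a uniformly random moment within a
    rotation cycle has already been replaced when the thief first uses it,
    use_delay_days later. Immediate use gives 0; waiting a full cycle gives 1."""
    if rotation_days <= 0:
        raise ValueError("rotation period must be positive")
    return min(max(use_delay_days, 0.0) / rotation_days, 1.0)


def simulate_theft(use_delay_days: float, rotation_days: float,
                   trials: int = 100_000, seed: int = 1) -> float:
    """Monte Carlo check of p_rotation_defeats_theft: draw the theft time inside
    one cycle and ask whether the scheduled change falls before the first use."""
    rng = random.Random(seed)
    defeated = 0
    for _ in range(trials):
        stolen_at = rng.uniform(0.0, rotation_days)
        if stolen_at + use_delay_days >= rotation_days:
            defeated += 1
    return defeated / trials


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of equally likely passwords of the given length and alphabet."""
    return alphabet_size ** length


def p_guessed_before_rotation(guesses_per_day: float, keyspace_size: float,
                              rotation_days: float) -> float:
    """Chance that a guesser trying guesses_per_day distinct candidates from
    keyspace_size equally likely passwords hits the current one before the next
    change discards its progress (uniform password choice assumed)."""
    if keyspace_size <= 0 or rotation_days <= 0 or guesses_per_day < 0:
        raise ValueError("keyspace and period must be positive, rate non-negative")
    tried = min(guesses_per_day * rotation_days, keyspace_size)
    return tried / keyspace_size


if __name__ == "__main__":
    # Stolen credential on a 90-day rotation: only a patient thief is stopped.
    for delay in (0.0, 1.0, 30.0, 90.0):
        print(f"use after {delay:5.1f} days: "
              f"P(defeated) = {p_rotation_defeats_theft(delay, 90):.3f}")
    print("simulated, 30-day delay:", round(simulate_theft(30.0, 90), 3))

    # Online guessing at an assumed 1,000 guesses/day (constructed rate),
    # against a 6-lowercase password and the thread's 10-character mixed one.
    weak = keyspace(26, 6)      # ~3.1e8 candidates
    strong = keyspace(94, 10)   # ~5.4e19 candidates
    for days in (30, 90, 365):
        print(f"{days:3d}-day rotation: "
              f"weak {p_guessed_before_rotation(1e3, weak, days):.2e}, "
              f"strong {p_guessed_before_rotation(1e3, strong, days):.2e}")
```

The stolen-credential model shows why rotation does little against an attacker who uses a password at once, while the guessing model shows that against online rates even a short password is far from exhausted within a month, so rotation period is not the variable doing the work there either.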