Monday, 30 December 2019

The changing password

As insecure as this is, at work I used to keep a diary with a dozen passwords in the back which I rotated each month as my password expired. Again. And again. Then Microsoft made my life more complicated by requiring capital letters and stupid symbols to be included in my passwords. I changed my dozen passwords to include that idiocy (which is now a debunked security measure, thank goodness; Xavier, 4 January 2019). Worse, more recently Microsoft has refused to let me reuse a password which I have used before. Sigh. As a result I have had to keep a list of all the passwords I'd used, so that when I proposed a new one, I didn't get told I'd already used it.

I still had to find a way to record my passwords, because I couldn't remember them otherwise. Even more insecure, I needed a way of carrying my passwords with me, so that I could access things from my phone, from my laptop, and from my PC. I have no idea how many times I've forgotten a password, and had to have it reset, for any number of sites.

I do, at least, have a different password for every single site that I access. This was largely because I suspected I may have been hacked last year, and many of the low-risk sites I accessed used the same password. Now I use a variety of password lengths, and every single one is different. I am starting to think that I need to use a password manager, as it becomes very difficult to remember what belongs with which site. Where I live does not lend itself to two-factor authentication, due to dodgy connectivity.

And then, earlier this year, I read a post on TechRepublic about Microsoft no longer requiring users to regularly change passwords (Bayern, 6 June 2019). Wow: now that will be a major removal of stress. But it will require us to set good passwords. And a good password is long. LONG.

A sentence, perhaps.

If there is a security breach and passwords are stolen, then we need to change our passwords. If there is no security breach, then there is no reason to create change, simply for change's sake... particularly when we then do things which void any security we may have had. Like writing passwords down, and leaving that list on our desks.
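An added illustration of why "long" beats "complex", not from the original post: it compares the guessing space of a short password drawn from the full printable alphabet against a passphrase of randomly chosen words, using assumed figures (95 printable characters, a 7776-word list, and a guessing rate of ten billion per second) for the comparison.

```python
import math

def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly at random
    from an alphabet of `charset_size` symbols."""
    if charset_size < 2 or length < 1:
        raise ValueError("need at least two symbols and one position")
    return length * math.log2(charset_size)

def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Bits of entropy for `word_count` words chosen uniformly at random
    from a list of `dictionary_size` words. The words are the symbols; their
    letters add nothing because the attacker is assumed to know the list.
    A sentence you composed yourself (not random words) is weaker than this,
    so treat it as an upper bound."""
    return entropy_bits(dictionary_size, word_count)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate at an offline guessing rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

# Constructed comparison; all figures are assumptions, not from the post:
# 95 = printable ASCII, 7776 = a common six-dice word list, 1e10 guesses/s
# is a plausible offline rate against a fast, unsalted hash.
CASES = {
    "8 chars, full printable set": entropy_bits(95, 8),
    "12 chars, full printable set": entropy_bits(95, 12),
    "5 random words from 7776": passphrase_bits(5, 7776),
    "7 random words from 7776": passphrase_bits(7, 7776),
}

def rank_cases(guesses_per_second: float = 1e10):
    """Return (name, bits, years) tuples, weakest first."""
    rows = [(name, bits, years_to_exhaust(bits, guesses_per_second))
            for name, bits in CASES.items()]
    return sorted(rows, key=lambda row: row[1])

if __name__ == "__main__":
    for name, bits, years in rank_cases():
        print(f"{name:30s} {bits:6.1f} bits  {years:12.3g} years")
```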

The reason that Microsoft gave for no longer requiring this was productivity. Apparently three quarters of customers said they found the number of passwords they had to remember stressful, so they either only slightly changed their passwords, or they changed them and forgot them. To prevent a loss of productivity from forever having to remember our access codes, we write our passwords down and leave that somewhere convenient (just as I have done in the past).

TechRepublic quotes Avivah Litan, who says that removing password expiry is "a feasible and very welcome plan. Forcing users to change their passwords periodically works against security—it means consumers have to write them down to remember them and it does nothing to stop hackers from stealing current passwords," continuing with "Hackers generally use stolen passwords very quickly, and password complexity does little to prevent use of stolen passwords either, since hackers can just as easily capture or steal a complex password as they can a simple one."

However, it does mean that we have to take action quickly in the case of a data breach, but we don't have to worry until that happens.

Excellent.


Sam

References:
