Topic for debate: changing passwords by nix 2005-05-16 11:03:40
It is frequently recommended that people change their passwords periodically for security reasons. Some systems even force users to change their passwords at fixed intervals.

Now, what benefit does changing passwords give? Obviously, if a user knows/suspects that someone has acquired its password, then a password change will lock out the intruder. However, a clever intruder could have used that access to trojan the system, making the password change irrelevant. This is especially true for root-level accounts.

The only other reason for changing passwords would be to make guessing harder. If an attacker is trying to determine a password with a brute-force attack (using a dictionary, a random string generator, or whatever), then it can expect to find the password after exhausting 1/2 of its search space. Since the user has no way of knowing in what order the attacker is processing the search space, changing passwords might increase the search distance between the password and the attacker's current search point, but has an equal chance of decreasing it. Thus, there is no net benefit.

If a user knows when an attacker started a brute-force attack, and at what rate it is progressing, then there may be some benefit to changing passwords. If the search order is known, then changing the password to something already tested is beneficial, as the attacker will not find the password on the current brute-force run. If the search order is not known, then changing the password after K% of the search space has been processed will reduce the attacker's chances of finding the password to 100-K%, assuming that the attacker hasn't found it already. Since the attacker has a K% chance of already having found it before the change, this isn't a very good defense, but it is something.

However, in real life, no user is going to know when a brute-force attack begins or the search rate. If you assumed that the attack began before it did, the benefit to the user is reduced. If you do know the search order, you could actually tip the chances in the attacker's favour. If the attack hasn't started yet, then the benefit is zero. If you assume that the attack began after it did, then changing the password also reduces the benefit to the user, because the chance that the attacker already has the password is increased.

So, without accurate knowledge of when the attacker started and how quickly it is searching, the actual benefit of changing passwords is minimal. Of course, if the attacker knows that you're going to do this, then it can adapt its search method to compensate. Then, the user could adapt its prediction model accordingly. The whole thing reduces to an exercise in game theory.

Or did I miss something? Discuss.
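The probability argument in the post, worked through as an added example that is not part of the original thread: an attacker exhausts N candidates in an order the user cannot see (assumed here to be a uniformly random permutation), and one exhaustive run is compared with and without a password change after a fraction k of the space has been tested, both for an unknown and for a known search order. The function names, the constructed password space and the Monte Carlo parameters are my own assumptions.

```python
import random


def attacker_success_probability(k: float, reuse_tested: bool = False) -> float:
    """Chance that one exhaustive run ends with the user's current password
    when the password is rotated after a fraction k of the space is tested.

    Unknown search order: P(found before change) = k; the new password is
    uniform over all N candidates but only the (1-k)N untested ones are
    still tried, so P(found after | not yet) = 1 - k (the post's "100-K%").
    Known search order (reuse_tested): the user picks a candidate already
    rejected, so nothing after the change can succeed in this run.
    """
    if reuse_tested:
        return k
    return k + (1 - k) * (1 - k)   # minimised at k = 1/2, where it is 3/4


def expected_guesses_no_change(n: int) -> float:
    """Expected guesses to hit a uniformly placed password: (n + 1) / 2,
    i.e. about half the search space, as the post states."""
    return (n + 1) / 2


def simulate(n: int, change_after: int, trials: int,
             reuse_tested: bool = False, seed: int = 1) -> float:
    """Monte Carlo estimate of attacker_success_probability(change_after / n)
    over `trials` runs with a constructed N = n password space (change_after >= 1)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        order = list(range(n))
        rng.shuffle(order)            # attacker's order, unseen by the user
        password = rng.randrange(n)   # user's initial password
        for step, guess in enumerate(order):
            if step == change_after:  # user rotates the password here
                if reuse_tested:
                    password = rng.choice(order[:change_after])
                else:
                    password = rng.randrange(n)
            if guess == password:
                hits += 1
                break
    return hits / trials


if __name__ == "__main__":
    print("exact, k=1/4:", attacker_success_probability(0.25))          # 0.8125
    print("simulated, N=200, change at 50:", simulate(200, 50, 4000))
    print("known order, k=1/4:", attacker_success_probability(0.25, True))  # 0.25
```

Note that a single rotation at an unknown point of the run never drives the attacker's chance below 3/4 (at k = 1/2), which is the quantitative form of the post's "isn't a very good defense, but it is something".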
  One reason that I can think of in favor by merlin 2005-05-16 11:08:32
    hmm by unjust 2005-05-16 11:36:52
  For me, it's just an inconvenience. by Feng_Li 2005-05-16 11:09:34
  AFAIK it is to ensure that no overlooked by Peace_man 2005-05-16 11:13:04
    still missing it by unjust 2005-05-16 11:38:27
      It is not the only necessary part of security. by Peace_man 2005-05-16 12:45:48
    frequent password changes increase the probability by raptor_87 2005-05-16 12:08:13
      This isn't always a bad thing. by Didactylos 2005-05-16 12:22:53
      Yep, and so does mandated complexity. by Peace_man 2005-05-16 12:44:14
      There are some companies where a written-down --- by jayfarm 2005-05-16 13:15:05
        Actually, what you would get is... by Peace_man 2005-05-16 15:29:24
          Uhm, not really - Internal calls are easy to -- by jayfarm 2005-05-16 22:17:50
  My understanding by psychoi3oy 2005-05-16 11:15:16
    If the attacker stole your password file once by nix 2005-05-16 11:44:26
    Rest of my response by nix 2005-05-16 12:15:31
      This is why security has to be multi-layered. by Didactylos 2005-05-16 12:37:22
  Part of it by Didactylos 2005-05-16 11:25:58
    why? by unjust 2005-05-16 11:41:52
      Strong passwords take years to break. by Didactylos 2005-05-16 12:16:44
        yes, but you only have to get the right one by unjust 2005-05-16 13:11:55
          Because randomization is harder to write. by jayfarm 2005-05-16 13:17:43
            Random guessing by nix 2005-05-16 13:42:57
  I don't think the benefit of changing passwords by Peace_man 2005-05-16 11:29:53
    So, how soon can you break a password? by Didactylos 2005-05-16 11:50:42
      You're assuming 64-bit passwords, correct? by nix 2005-05-16 12:32:33
        Sadly, your research by Didactylos 2005-05-16 12:55:22
          I take it that you use a non-US keyboard layout? by nix 2005-05-16 13:35:15
  incidentally i'm just following the train of by unjust 2005-05-16 11:43:23
  It's to protect against "user vulnerability", etc by jayfarm 2005-05-16 11:57:13
