We often find people giving advice to ‘change passwords regularly’ to protect themselves from the complications of a data breach. But how effective is it, and should you really be doing this? Paul Ducklin, Principal Research Scientist at Sophos, sheds some light on the matter and shares some tips on password and account safety.
Changing the password frequently is said to reduce the length of time you’d be exposed if your password were breached, thus making you safer. However, the practice became known in the jargon as password rotation, and that is exactly what it turned into: users simply cycled through a list of passwords they’d used before, Ducklin said.
While most apps insist that your new password shouldn’t be the same as the old one, Ducklin said that users quickly learned how to get away with a few different passwords for each app or service by making some tiny differences that still count as changes.
When should you change your password?
Ducklin is not suggesting that password changes are not beneficial, but he insists that users should only change passwords when there is a reason to do so. “By all means, change your passwords whenever you like if you want to – and if you use a password manager, it’s easy to do just that,” he said.
“But the only time you should feel compelled to change a password is when there is a clear and obvious reason to do so, and that’s if you think – or, worse still, know – that it might have been compromised,” he added.
Ducklin said that fortunately, in many or most recent data breaches where authentication data got stolen, the crooks didn’t end up with your actual password along with your login name. He said that passwords usually are stored in a hashed form, which requires the crooks to first crack your password by trying a long list of guesses until they find one that matches your password hash.
“Simply put, the longer and more complex your password, the longer it will take for the crooks to crack it,” he said. “They try the most obvious passwords first, so 123456 will probably be the very first one they try for each user; Pa55word! might be the 100,000th on their list; but they are unlikely to get round to trying VFRHFMNOLR5LAIVGDOW5UZRT for days, or months, or even years.”
“In other words, if a service provider notifies you that your password hash was acquired by crooks, you’ll nevertheless remain safe if you change your password before the crooks get round to cracking it. Even if the breach happened weeks or months ago, you’re probably still in a good position to beat the crooks to it, assuming you chose wisely in the first place – and if you use a password manager, it’s easy to do just that.”
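To make the hashing point concrete, here is an added example (not code from the article or from Sophos) of how a service stores a password as a salted, slow hash and how a defender can measure where a stored hash would fall in an ordered guess list. The guess list and the scrypt cost parameters are constructed for the demo; real cracking lists run to millions of entries, and the same ordering effect is what puts 123456 first and a long random string out of reach.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed, ordered guess list standing in for the "most obvious first"
# lists the article describes (assumption: real lists are far longer).
COMMON_GUESSES = ["123456", "password", "qwerty", "12345678", "Pa55word!"]

# scrypt cost parameters; assumed values chosen so the demo runs quickly.
# Production deployments should use the highest cost their login latency allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a password as (salt, scrypt digest); the plaintext is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(
        password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32
    )
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest for a candidate and compare it in constant time."""
    trial = hashlib.scrypt(
        candidate.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32
    )
    return hmac.compare_digest(trial, digest)


def guesses_until_match(salt: bytes, digest: bytes, guesses: List[str]) -> Optional[int]:
    """1-based position at which an ordered guess list would hit the stored hash,
    or None if the password is not on the list at all. Every guess costs one
    full scrypt computation, which is what makes the slow hash buy time."""
    for position, guess in enumerate(guesses, start=1):
        if verify_password(guess, salt, digest):
            return position
    return None


if __name__ == "__main__":
    # Rank constructed sample passwords by how quickly the demo list would find them.
    for pw in ["123456", "Pa55word!", "VFRHFMNOLR5LAIVGDOW5UZRT"]:
        salt, digest = hash_password(pw)
        print(pw, "->", guesses_until_match(salt, digest, COMMON_GUESSES))
```

A service that runs this kind of check against its own hash database after a breach can prioritise forced resets for the accounts whose passwords appear early in a common list, which is the window Ducklin says users should use to change their password first.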
Don’t forget to reset password when breach happens
According to Ducklin, a paper from Carnegie Mellon University in the US — titled (How) Do People Change Their Passwords After a Breach? — suggests that many of us are slow to change our passwords even after being notified that they were compromised.
The Principal Research Scientist at Sophos recommends not delaying a password reset when there is a valid reason to change it. Ducklin also advised against taking shortcuts. “Crooks will spot any tricks or patterns you use in order to make your passwords different yet similar enough to remember easily. If you have u64b2vqtn5-fb for Facebook and u64b2vqtn5-tw for Twitter, the crooks will figure out the rest of your passwords with ease,” he said.
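The “different yet similar” shortcut Ducklin warns about is something a password manager’s audit feature can catch automatically. The following is an added example (not code from the article or from any password manager) of such an audit: it computes the edit distance between every pair of stored passwords and flags pairs that are identical or differ by only a few characters. The vault contents are constructed from the strings quoted in the article plus two random ones; the distance threshold of three edits is an assumed setting.

```python
from itertools import combinations
from typing import Dict, List, Tuple


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character insertions, deletions
    or substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similar_password_pairs(vault: Dict[str, str], max_distance: int = 3) -> List[Tuple[str, str, int]]:
    """Return (site_a, site_b, distance) for every pair of accounts whose
    passwords are reused outright (distance 0) or differ by only a few edits."""
    findings = []
    for (site_a, pw_a), (site_b, pw_b) in combinations(vault.items(), 2):
        distance = edit_distance(pw_a, pw_b)
        if distance <= max_distance:
            findings.append((site_a, site_b, distance))
    return findings


# Constructed sample vault: the two patterned passwords from the article and
# two long random strings of the kind Ducklin recommends.
SAMPLE_VAULT = {
    "facebook": "u64b2vqtn5-fb",
    "twitter": "u64b2vqtn5-tw",
    "bank": "VFRHFMNOLR5LAIVGDOW5UZRT",
    "shop": "6GHENBIZMX3TTUHJTPQZTEKM",
}


if __name__ == "__main__":
    for site_a, site_b, distance in similar_password_pairs(SAMPLE_VAULT):
        print(f"{site_a} and {site_b} use passwords only {distance} edit(s) apart; change both")
```

Only the Facebook/Twitter pair is flagged, because the two random passwords share no usable pattern with anything else in the vault. An audit like this reports what a guesser would exploit: once one patterned password is known, the others are a couple of edits away.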
“Don’t think you’re invincible. The crooks probably won’t crack your password if it’s 6GHENBIZMX3TTUHJTPQZTEKM, but why take the risk that they might?” Ducklin said. He also advised treating two-factor authentication only as a second factor, not as an excuse to use a trivial password or to use the same password everywhere.