Never Change Your Password

There were a couple of legitimate reasons for changing a password, assuming that a hacker can steal the password hash. However, if your browser alerts you when your password hash has been posted on the web (including the dark web), you only need to change it when that happens (google-chrome does that reporting).

For a stolen hash:

  1. If the password was composed of characters from only one or two of the possible sets of characters (lower-case, upper-case, numeric digits, and symbols), a hacker can run a brute-force effort using only one of those sets at a time, then progress to two at a time. That takes far less time than a brute-force crack using characters from all four sets. “correcthorsebatterystaple” (an example above) uses only one set (lower-case), probably the first set a hacker would try.

  2. For any hash, changing the password means all of the time the hacker spent on trying to match the old password hash is wasted. If you use all character sets in a password, and the password is long enough, that may take a hacker years, and if you change the password once a year, you’ll always stay a step ahead.

If you expect haveibeenpwned to alert you to your password being hacked before it is used, then you’re going to be sorely disappointed. I can speak of this from personal experience. Meanwhile, not all companies REALIZE that they’ve been breached for a long time in order to even report it, and many are not even doing their due diligence in reporting it at all. Then you have to consider that stolen passwords are not always, despite one commenter’s opinion, used immediately. They are often packaged and sold as password and credential lists on DW and BH forums, sometimes for years, and then used for credential stuffing.

If you’re going to advocate using a password manager, then there is absolutely no reason to suggest that you should avoid taking the three seconds it takes to generate a new password every-so-often. If you’re using easily-remembered passphrases… Where? Because pretty much 90% of the internet requires users to limit themselves to ridiculously small limits, and dumb requirements of including symbols.

1 Like

Although Troy Hunt (owner of haveibeenpwned) makes every effort to contact sites that he has determined to have been compromised, he does not always rely on the company to admit to having been breached before updating his site to include such compromises. Rather, he hangs out on the dark web for information on breaches being posted for sale and reports from others, then accomplishes due diligence to determine whether possible hoax or not. The FAQ on his site gives a lot more information concerning his methods and data.

I use 1Password. I have a rescue kit printed out and locked in a safe. It will let me or my wife or son get to the info if needed. Just getting my master password won’t give access unless you also have access to one of my devices. Setting up a new device requires the use of a secret key. As is appropriate my master password is unique, memorable, and not used anywhere else.

I have over 400 passwords stored. I challenge anybody to come up with a system to remember that many passwords that isn’t crackable given that one password of your “system” is compromised.

3 Likes

Wow—tons of comments about Glenn’s article in Hacker News.

https://news.ycombinator.com/item?id=30554714

1 Like

I heard an interview once with someone who claimed to have invented the uppercase, lowercase, number and symbol formula and regretted it because there are only 10 numerals vs. 26 letters, and a similar limit applies to the easily typed symbols. Adding a random alphabetical letter to a password makes it harder to crack than adding a number.

He recommended long phrases of ordinary words instead. Length by itself he said was the surest deterrent.

1 Like

@paulbrians, he’s certainly correct about a longer password being much better (the difficulty increases exponentially with the length), but it’s far better to use all sets than to increase by one character.

Here’s a little gedankenexperiment:

You’re a hacker, and you have the collection of hash values for the users in a system. They cover the gamut of password choices, from lower-case-only words to randomized sequences of lower-case (LC), upper-case (UC), numeric (N), and symbols (S). Your goal is to crack as many passwords as possible, as quickly as possible. You don’t know which passwords use only a single set (eg, lower-case).

You start by a LC-only brute-force attack. After each hash calculation, you check to see if any of the hashes have that value. If they do, you have the password. Each one-character increase in password length increases the brute-force time by 26x, so a 10-character LC-only password costs 26^10 = 1.56e+12

You end by a LC/UC/N/S brute-force attack. If we limit S to the set of 94 printable ASCII symbols (0x21-0x7e), each one-char increase in password length increases the brute-force time by (26 + 26 + 10 + 94)x = 156x, so a 10-character password using LC/UC/N/S costs 156^10 = 8.54e+21 tries. A system that could crack a 10-char LC-only password in 1 minute would take about 10 millennia to crack an LC/UC/N/S password of the same length.

So if a user has added that single LC character vs adding a single N character, it’s only true that it takes a lot longer to crack if the hacker knows which set that character belongs to. But you (as the hacker) don’t care, since you’re working on cracking all of the hashes simultaneously. The first successful password cracks you’ll get will be LC-only.

I tried Elcomsoft’s “password retrieval” product many years ago (when it was Russian-based), and it was pretty snappy at LC-only cracking. Now it’s available as a GPU-based product, so probably a lot quicker. Their patents (eg US Patent # 7,929,707, “Use of graphics processors as parallel math co-processors for password recovery”, issued April 19, 2011) describe a method in which the CPU provides subsets of the total range of password possibilities to each of the GPUs, after which each GPU generates the hashes and checks them against the complete list of hashes … this is pretty much what I described above, but is a parallel-processing implementation (akin to bitcoin mining on GPUs).

1 Like
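The staged search in the thought experiment above, turned into a guess-count model. This is an added example, not part of the original post: the alphabet sizes (32 is the ASCII punctuation set), the stage order, the function names and the two sample passwords are assumptions made for illustration.

```javascript
// Added example: cost model for a staged search (counts guesses only, hashes nothing).
// Assumed for illustration: alphabet sizes, stage order, and all names below.
const SIZES = { lower: 26n, upper: 26n, digit: 10n, symbol: 32n };
const STAGES = [
  ['lower'],
  ['lower', 'digit'],
  ['lower', 'upper'],
  ['lower', 'upper', 'digit'],
  ['lower', 'upper', 'digit', 'symbol'],
];

// Which character sets a password draws from.
function classesOf(password) {
  const found = new Set();
  for (const ch of password) {
    if (/[a-z]/.test(ch)) found.add('lower');
    else if (/[A-Z]/.test(ch)) found.add('upper');
    else if (/[0-9]/.test(ch)) found.add('digit');
    else found.add('symbol');
  }
  return found;
}

// Number of candidates of length 1..maxLen over an alphabet of `size` characters.
function stageSize(size, maxLen) {
  let total = 0n;
  for (let n = 1; n <= maxLen; n++) total += size ** BigInt(n);
  return total;
}

// Worst-case guesses until the password is hit: every earlier stage in full,
// plus the whole of the first stage whose alphabet covers all of its classes.
function worstCaseGuesses(password, maxLen = password.length) {
  const needed = [...classesOf(password)];
  let spent = 0n;
  for (const stage of STAGES) {
    const size = stage.reduce((sum, cls) => sum + SIZES[cls], 0n);
    spent += stageSize(size, maxLen);
    if (needed.every((cls) => stage.includes(cls))) return spent;
  }
  return spent;
}

// Constructed samples: same length, last character a letter vs. a digit.
for (const pw of ['abcdefghijk', 'abcdefghij7']) {
  console.log(pw, worstCaseGuesses(pw).toString());
}
```

Under these assumptions the digit-terminated sample costs more only because it falls outside the first stage, not because a digit is a stronger character than a letter.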

I hesitate to use a password manager for several reasons. If I change my password on a website on my iMac, I assume the manager won’t also automatically remember the change on my iPad and my iPhone. Or do some manage to manage multiple devices?

Say I’m traveling and am forced to change my password using my iPhone—if it’s an automatically generated obscure string of characters there’s a good chance of losing all trace of it by the time I get home.

Or—suddenly my insurance company login stopped working so I thought I’d better check “I forgot my password” and set up a new login. But it turned out the problem wasn’t the password at all. Something they did to their pages made it stop working with Chrome. It does work with Safari. But Chrome’s memorized password was now different on the two browsers. There’s no way to retrieve the new password from Chrome and use it in Safari.

I like the option when I’m creating a new password of seeing what it is, but some hide it as I type and if I make a typo I won’t know it.

Password file is encrypted locally and stored on a mutually accessible cloud server.

Modern password managers use end-to-end encryption to synchronize your changes among devices. Chrome and Google don’t offer a “modern” password manager. Apple’s Passwords feature synchronized by iCloud Keychain, 1Password (either via Dropbox local sync or using its zero-knowledge website-based sync), and LastPass are all end-to-end encrypted.

There is a thread in Mac Power Users, too.

Personally, I do not change my passwords, but use a unique Hide My Email/strong password combination for each platform. Agreed with Glenn’s points.

Any time I see a web site with expiring passwords or “security” questions, it tells me the people behind it don’t know anything about real security. Unfortunately, this includes the California Franchise Tax Board, the agency which collects our income tax. Just a couple weeks ago I had to change my expired password. And, like you, I make up random answers to security questions and put them in 1Password. Yes, I was born on Callisto, why do you ask?

All of the current worth considering managers have apps for multiple platforms and sync between devices through either Dropbox, iCloud, or their own cloud services so that changing the password on your Mac changes it on your iPad/iPhone as well.

Thanks for yet another great article, Glenn. I’m a staunch 1Password user, with a family subscription to encourage my family (wife, daughters, mother) to use it. They use it pretty well, not as much as I’d like, but far better than nothing.

To folks who create a password and then enter it into 1Password… I suggest using the feature where 1Password suggests a password on the spot on the signup page. Once you learn (learn = simply do) that, there really is no excuse for not using it to create and save unique and complex passwords you will never ever type or see again.

Glenn,

Thank you.

Now, if you could have a chat with our firm’s credit card company…

In January I spent 30 minutes on my own and 90 minutes on the phone with a rep trying to figure out why they would reject a password with no actual words in it by claiming it had them. And I have to go through this process every 60 days. I finally gave up this month and let Safari generate the replacement password and saved it in my Keychain.

And, does anyone know why certain characters aren’t allowed in passwords (e.g. underscores or other option or shift-option characters)?

Cheers,
Jon

Related to encouraging poor passwords by expiring the password:

We just went through an issue with our Costco credit card which is serviced by Citibank. The credentials that worked a few weeks earlier were being rejected.

I reached customer support on the phone. I was advised to try a password reset. The password can be 8 - 64 characters so I generated a random 64 character password. The password reset wouldn’t complete.

Finally the customer service rep asks if I’m typing the password in and I say ‘no, it’s 64 characters’. I’m autofilling from the password manager or pasting. The rep says - ‘oh that’s not supported’ - for security. And there was a recent change made to essentially block autofill/paste on the password input - which is why my credentials stopped working. (The value of the input element changes so the autofill/paste appears to work but there is a shadow value.)

Like expiring passwords, blocking autofill/paste of passwords is counter-productive.

Additionally, although Citibank broke an existing workflow with no notice or explanation, the customer rep’s position was that I was doing something inherently insecure and unsupported and therefore it can’t be a bug and I can’t have an issue with the change. Hmmm.

3 Likes

Thanks for raising this issue. The longer term solution is to eliminate the password as much as possible. For example, when you sign up for an account your smartphone generates a private-public key pair and shares the public key with the server. To login, you authenticate to your smartphone using Face ID, and your smartphone uses the private key to prove it is the same smartphone that registered previously. There’s no password and no secrets are exchanged. There’s nothing to phish. Two factor authentication is accomplished by something you have (your smartphone), and something you are (Face ID). The underlying standard is called “FIDO” or “WebAuthn” and Apple released a technology preview at WWDC last year (Passkeys with iCloud Keychain). Enjoy!

1 Like
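The key-pair login described above, as a simplified challenge-response exchange between a phone and a server. This is an added example, not part of the original post and not the real WebAuthn message format: the class names, the user name and the `.example` origins are constructed, and the Face ID step that unlocks the private key is not modelled.

```javascript
// Added example: simplified challenge-response login in the spirit of WebAuthn.
// Not the real WebAuthn wire format; class names and origins are constructed.
const nodeCrypto = require('node:crypto');
// Bytes that get signed: the site origin bound to the server's one-time challenge.
const payload = (origin, challenge) =>
  Buffer.concat([Buffer.from(origin, 'utf8'), Buffer.from([0]), challenge]);

class Authenticator { // plays the smartphone; private keys never leave it
  constructor() { this.keys = new Map(); } // origin -> private key
  register(origin) {
    const { publicKey, privateKey } =
      nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey; // only the public half is shared
  }
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null; // no credential for this origin, so nothing to hand over
    return nodeCrypto.sign('sha256', payload(origin, challenge), key);
  }
}

class Server {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.users.set(user, publicKey); }
  newChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    const publicKey = this.users.get(user);
    this.pending.delete(user); // each challenge is single use
    if (!challenge || !publicKey || !signature) return false;
    return nodeCrypto.verify('sha256', payload(this.origin, challenge), publicKey, signature);
  }
}

function demo() {
  const phone = new Authenticator();
  const site = new Server('https://bank.example');
  site.enroll('alice', phone.register(site.origin));
  const challenge = site.newChallenge('alice');
  const signature = phone.sign(site.origin, challenge);
  const login = site.verify('alice', signature);
  const replay = site.verify('alice', signature); // challenge already consumed
  const otherOrigin = phone.sign('https://bank-login.example', challenge);
  return { login, replay, otherOriginSigned: otherOrigin !== null };
}
```

`demo()` shows the three properties the post relies on: the server stores only a public key, a captured signature cannot be replayed, and the phone has no credential to present to an origin it never registered with.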

But sometimes there are situations (such as being overseas) where you need to use a password away from your computer and its password manager.

Yes, a password of the complete alphabet and in order is harder to crack than an 8 mixed character password.

Great article. From experience in a senior community I noticed that most are vulnerable not thru poor passwords, but more mundane issues easily corrected. IMHO they include - A) use real name on computer. B) do not use separate admin account name- password C) connect printers with wi fi and not complete printer security setup (when some complained that their printed stuff wound up on a neighbor’s printer) D) not securing their own wi fi router by not changing default passwords. E) only using their full name on email accounts.

All of which make them ‘soft’ targets for phishing. Simply using an iPad and Stumbler within 30 to 50 yards of most apartments or Fing or ??? can reveal way too much for most.

Perhaps a short article on ‘Security for Seniors’ would be worthwhile. Sometimes the local facility IT types don’t really help much.
I’m not an ex-spurt on the issues- but have used a Mac since 1980- spent over 5 years in the mid 80’s on a govt Special Access program (had to change password every 60 days while using a NON internet computer system connected by fiber optics and other security features like lining up all CRT tubes in a column to prevent reading them from the parking lot!)
So became very sensitized to hacking issues about 40 years ago. Plus using non id email names for some things like sandflower@xyz dot com so as not to be a soft target.

“Just cuz you are paranoid doesn’t mean someone is NOT out to get you” :))