Friday, June 22, 2007

"Change Your Password!" or Not?

Today I came across an article at the "Daily Cup of Tech" blog where the author urges you to frequently (every month or two) change your password(s). At first this may seem like a really good idea, but I'll have to disagree. First of all, let me point out some other password-related security guidelines.

One should never use the same password for all of his accounts: should one of them be compromised, every other account is exposed at once. For example, your password to a forum should never be the same as the password to the e-mail address you provided during registration. Most people have two or three passwords and use one of them for their "most-secure" accounts, the second for their e-mail and the third for every other "low-security" case. I'm not necessarily saying that's the best one can do. Also, passwords should be hard to guess (and therefore hard to remember), so a totally random combination of letters, numbers and symbols, at least 8 characters long, is a nice choice.

Let's get back to the article. Memorizing at least three totally random passwords like "C9U6h#*U" or "swa!Es7u" is already a hard thing to do. Changing them, and therefore memorizing new ones, every month or so is nearly impossible for the average user. Too much effort can push one into writing the password down or storing it somewhere, like on his cell phone. This is far worse than keeping the same password for a long time.
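The two guidelines above (a unique password per account, and a random 8+ character mix of letters, digits and symbols) can be checked and applied in code. The following is an added example and is not from the original post; it generates passwords from the 94 printable ASCII characters with the OS's cryptographic random source, computes the entropy of the post's recommended policy, estimates exhaustive-search time at a guess rate you supply (the rate is an assumption, not a figure from the post), and flags accounts that share a password. The sample account list is constructed for illustration.

```python
import math
import secrets
import string

# Character set matching the post's guideline: letters, digits and symbols
# (94 printable ASCII characters, space excluded).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 8, alphabet: str = ALPHABET) -> str:
    """Return a uniformly random password drawn from `alphabet` using the OS CSPRNG.

    `secrets.choice` is used rather than `random.choice` because the latter is
    a non-cryptographic PRNG whose output can be predicted from a few samples.
    """
    if length < 8:
        raise ValueError("the post recommends at least 8 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def fits_policy(password: str, min_length: int = 8, alphabet: str = ALPHABET) -> bool:
    """True if the password meets the post's guideline: >= 8 characters, all from the alphabet."""
    return len(password) >= min_length and all(c in alphabet for c in password)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(length: int, guesses_per_second: float,
                           alphabet_size: int = len(ALPHABET)) -> float:
    """Expected time for exhaustive search at the given rate.

    On average half the keyspace is searched before the password is found.
    The guess rate is the caller's assumption; it depends entirely on how the
    password is stored (plain hash vs. slow KDF) and on the attacker's hardware.
    """
    keyspace = alphabet_size ** length
    return keyspace / 2 / guesses_per_second


def reused_passwords(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Map each password used by more than one account to the accounts sharing it."""
    by_password: dict[str, list[str]] = {}
    for account, password in accounts.items():
        by_password.setdefault(password, []).append(account)
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed sample: a forum reusing the e-mail password, as the post warns against.
    sample_accounts = {
        "email": "swa!Es7u",
        "forum": "swa!Es7u",
        "bank": "C9U6h#*U",
    }
    print("reused:", reused_passwords(sample_accounts))
    print("entropy of 8 random chars: %.1f bits" % entropy_bits(8))
    days = expected_crack_seconds(8, 1e9) / 86400
    print("expected search time at 1e9 guesses/s: %.1f days" % days)
    fresh = generate_password(12)
    print("generated:", fresh, "fits policy:", fits_policy(fresh))
```

Note what the numbers show: 8 random printable characters give about 52 bits of entropy, which is out of reach for online guessing against a rate-limited login but only weeks of work for an offline attack at a billion guesses per second, so the assumed guess rate, not the password alone, decides whether it is "secure enough".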

In my opinion, a secure-enough password is not in any danger from contemporary password-guessing techniques. The only way it can be compromised is if it is transmitted over an insecure medium, like a non-SSL HTTP session.