Changing passwords

Sun.Star Pampanga - TOPSTORY! - ANDY UYBOCO

WHAT I really hate about some banking websites and a lot of government websites is that their notion of internet security consists of forcing you to change your passwords on a regular basis. I have never understood (and still don’t) why changing passwords will somehow make your login credentials more secure.

If you use a 5-digit number as your password, say 13092, then change it next month to 24583, then the month after that to 98730, you have not increased your security one bit. The probability of guessing the password is the same in each case — one in a hundred thousand, or 0.001%. While that may seem difficult enough to break using raw brain power, it is a trivial task for a computer, which would take less than a second to break the password.

What people should be taught instead is how to make passwords more secure by increasing their length and then combining letters and special characters. This greatly increases the complexity. If we were to change one of the passwords above to something like a82Bc9%7, it would now take the computer around 18 hours to crack it.
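As an added illustration (not from the column), the Python below estimates keyspace and exhaustive-search time the way the cited grc.com haystack page does: it sizes the alphabet by which character classes appear and, for the time estimate, sums the candidates at every length up to the password's. The three rotated five-digit passwords above all yield the same 100,000-candidate space; the guess rate is an assumption the caller supplies, and the resulting time scales inversely with it.

```python
import string

# Character classes sized as on the grc.com "haystack" page the column cites:
# 26 lowercase, 26 uppercase, 10 digits, 33 symbols (32 punctuation + space).
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation) | {" "},
}

def alphabet_size(password: str) -> int:
    """Size of the alphabet a guesser must cover: the union of every class used."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))

def search_space(password: str, cumulative: bool = False) -> int:
    """Candidate count at exactly this length (N**L), or, haystack-style,
    at every length from 1 up to L, which is what exhaustive search must cover."""
    n, length = alphabet_size(password), len(password)
    if cumulative:
        return sum(n ** k for k in range(1, length + 1))
    return n ** length

def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate; the rate is the caller's assumption."""
    return search_space(password, cumulative=True) / guesses_per_second

def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.3g} seconds"

if __name__ == "__main__":
    rate = 1e9  # the column's stated assumption: a billion guesses per second
    # The three rotated PINs from the column and the longer mixed password.
    # Rotation changes none of the numbers; only length and alphabet do.
    for pw in ("13092", "24583", "98730", "a82Bc9%7"):
        print(f"{pw:10} alphabet={alphabet_size(pw):3}  "
              f"exact={search_space(pw):,}  "
              f"exhaust@{rate:.0e}/s={human_time(seconds_to_exhaust(pw, rate))}")
```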

So the secret is not to keep forcing users to change passwords (which is pointless), but to teach users to make secure passwords in the first place. Then there would be no need to keep changing them. In fact, forcing users to keep changing passwords causes them to do one of two things — make a password that’s easy to remember and then change only one thing about it, or write down the current password. Neither practice contributes to security in any positive way.

Many websites have also now adopted the practice of two-factor authentication. This can work in several ways. After entering your password, the website sends another code to your cellphone via text, and you have to enter this code in order to complete your login. That means that someone who has hacked your password will find that it is not enough to get into your account, as they would need to possess your cellphone as well.

It is also good advice not to use the same password on different websites, so that when one is hacked and the passwords from that site are harvested, they cannot be used to log in to a different site.

I hope many programmers for bank and government websites stop the practice of asking their users to keep changing passwords and adopt better practices like the ones I mentioned.

*Time and difficulty calculations were sourced from https://www.grc.com/haystack.htm, and assume an offline capability to try a billion guesses per second.
