this post was submitted on 19 Dec 2023
1011 points (99.1% liked)
xkcd
8968 readers
74 users here now
A community for a webcomic of romance, sarcasm, math, and language.
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Are you really supposed to change your passwords every 30 days?
No. Make sure your password is memorable to you, and long without being easily guessed. The more secure the initial password, the longer you can go without switching. The more memorable the initial password, the longer you can go without using password recovery.
If your passwords are safety critical, they should not be written anywhere, making remembering them key.
This assumes you're not using two factor authentication of course. With 2FA, your password security (not strength, that's different but very related) is less important. Security requires the vector of attack to be small, so having a bunch of accounts with the same password decreases the security (but not strength) of your password.
Requiring frequent changes to passwords on average causes less secure and less strong passwords to be used, and causes the lost password recovery to be more frequently used, which is, in and of itself, a vector of vulnerability.
Except nobody is out there guessing passwords. That's a flawed basis and advice that was outdated a decade ago. They're pulling them from site breaches and brute forcing dictionary attacks with bot nets. The best thing the average person can do now is a locked file to store their passwords. The password on that is a unique easily memorable thing and everything else can be gobbledygook because you have a reference. And yes unencrypted but locked files aren't a big block to a hacker in your computer. But the average person isn't facing that problem.
And if you're not an average person then you should be using a physical 2fa device on the principle that even if it's stolen, they would still need to gain physical access to the computer.
The one thing you shouldn't do is use a 24 character hash on every site and leave it for a year because it's "hard to guess". It will get breached and decrypted well before then.
The recommendation is every six months. But that's based on companies faithfully reporting breaches to everyone right away. Which they haven't been. You could probably leave sites that aren't hooked to a payment for every six months, but email, bank, and anything that has payment details should be changed more often.