Is it actually good practice to change passwords regularly?

There are a lot of misconceptions about passwords and what makes a good password such as complexity, length, special characters etc.
I've learned a lot in the forums and have another question.

Is changing your passwords regularly another good practice for security or another myth?

Should I be changing them regularly even if they're already randomly-generated and are very strong or not? If not, then why is there a 3 month, 6 month, etc field on the security audit section. It gives me the impression that I should be changing them every 3 months or so.

Should these practices be applied to changing my master password and secret key as well?

Thanks,

Ali

Bonus question: Would a 70-bit password generated by your word generator and a 70-bit character-based one (random gibberish) be equally secure in terms of safety? Both have the exact same entropy, but I always feel insecure because it's real words; I don't know, maybe it's just me. I always thought a dictionary attack could get it or something. For my Apple password I really would prefer a word-based one as I have to type it fairly regularly, and even though it's maxed out on the green bar I'm wary of its strength vs a character-based password of the same strength.


1Password Version: iOS - 6.9/macOS - 6.8.2
Extension Version: 4.6.11
OS Version: iOS 11/macOS 10.12.6
Sync Type: 1Password

Comments

  • Is changing your passwords regularly another good practice for security or another myth?

    The guy who apparently "invented" this regrets it:

    https://www.theverge.com/2017/8/7/16107966/password-tips-bill-burr-regrets-advice-nits-cybersecurity

  • Thanks for the link!

    But the reason being is because it forced people to use predictable passwords, like changing from password1 to password2 after 90 days. I used to do that at work before password managers.

    But what if I could make each password strong every 90 days, would it be worth it then?

  • I think people have second thoughts about word lists too, but if you combine them with something random they are stronger. Assuming you use a different decent password at every site, changing them regularly pretty much protects you from being unknowingly hacked. Brute forcing a website over http would take forever even if the owners weren't paying attention... but if they managed to spill the database, then I guess theoretically they could get into your account whenever they wanted. If you change your password and the site is still hacked, they get the new one, so it's still an issue.

    So I think it's a really good question. Right now it seems like once you have a good password you might not ever need to change it unless you need to strengthen it. Based on the above assumptions I'm really worried about having a good password on the password manager but just a complex password elsewhere like Gmail. Banks, max out for obvious reasons, but without 2FA I imagine they suffer from the same issue in the first paragraph (btw, all my comments assume a different password everywhere; if there is reuse, then yes, change is necessary, since exposing one leaves other sites exposed. If they do a lookup of users at other sites based on your login, they could get in if it is the same).

    Not a sec professional, just thinking out loud pros and cons.

  • Lars Junior Member

    Team Member
    edited September 2017

    Nice conversation, guys! I can answer one of @AskAli's questions definitively -- the reason the age of passwords fields exist in 1Password for Mac is because some users requested it. Of course, we don't grant all requests, because some are actually not great ideas from a security standpoint, and despite how many times we say things like "added your vote" or "we'll let the developers know," this actually isn't a straight-up democracy. We DO listen to users, and are grateful for every bit of feedback, suggestion or even complaint we receive. All of it helps us to be more attentive and historically, some really great ideas have come from our user-base. In our opinion, anyone who takes the time to bother sharing their thoughts with us should be listened to, even if we wind up disagreeing with their perspective.

    So, because we didn't see any harm in it, and because some users really wanted it, we created the password-age portion of Security Audit. I wouldn't say we have an Official AgileBits-Approved Position™ on this, but in general many of us feel much as you do, @AlwaysSortaCurious - if you created a strong, unique password for a site, and you've no company-mandated policy of changing passwords, and the site in question has not experienced a breach...then there's a lot less argument for changing your password. A good strong password is a good strong password.

    That said, some would argue that we don't always learn about breaches in a timely manner -- or sometimes, at all! -- so periodic password updating can be a good thing. Me, I've got waaaay too many logins saved in 1Password for me to want to go through the trouble of changing all of them out every so often just as a precaution. I pay far more attention to Watchtower (as well as to sites like Troy Hunt's Have I Been Pwned?) than I do to the age of my passwords as reported by Security Audit. However, your mileage may vary, and that's ultimately the reason the password-age feature was included in 1Password for Mac's Security Audit: if you want to check/act on that information, you can!

  • Penelope Pitstop Junior Member

    The UK's National Cyber Security Centre and NIST Guidelines SP 800-63B 5.1.1.2 advise against it and provide other guidance.

  • Lars Junior Member

    Team Member

    The advice and links from @Penelope Pitstop are spot-on, @AskAli -- though it's good to remember this was the same NIST that under Bill Burr's byline in 2003 published password guidelines it now regrets and has disavowed. I'm not at all saying "never listen to NIST." Just the opposite, in fact -- they are an excellent source for advice and standards on such things. However, the landscape changes regularly, if not continually, and it's good to check a multitude of sources against one another before making your own, informed decision on such things.

  • Penelope Pitstop Junior Member
    edited October 2017

    Bruce Schneier just posted similar information with more informative links that discuss the evolution of rationale @Lars refers to.

  • Lars Junior Member

    Team Member

    Thanks, @Penelope Pitstop - always good to get some additional reading on the subject, and Schneier's a great source.

  • :+1::) Appreciate the update.

  • brenty

    Team Member

    Totally!

    I also wanted to add that, while certainly there will be different considerations depending on the context, there's a pretty good rule of thumb here:

    If you cannot gain a security benefit from changing a password, it does not need to be changed.

    If your password is as strong as it can be (randomly generated, max length, all allowed characters, etc.), you only ever need to change it if 1) it's been reused somewhere else or 2) it's been compromised.

    Certainly there's some wiggle room there, since we may not always have proof that a password has been compromised. So if there's reason to believe it has, better safe than sorry. But a 20-character (this is the limit with one of my banks), randomly-generated password using all available symbols that I generated two years ago will be no weaker (or stronger) than one I generate today using those same criteria.

    As far as word- versus character-based, the closest comparison I've found is the following:

    The word list, at present, has over 18k items, giving you roughly 14 bits per word. So a four word pass phrase is 56 bits. Not bad! But when we compare it to a character-based password, we can get more entropy with a much shorter length:

    31 symbols
    !"#$%&'()*+,-./\:;[email protected][]^_`{|}~><
    10 digits
    26 capital letters
    26 lowercase letters
    = 93 characters total

    log2(93) = 6.5391588111 <- bits of entropy per character
    6.5391588111 x 9 <- length of password
    = 58.85242929 <- bits of entropy total

    So a nine character password edges out four words. But, to be fair, this is using a lot of characters which may or may not be allowed in any given password. So to level the playing field a bit, let's use only lowercase letters to compare both word- and character-based:

    log2(26) = 4.7004397181 <- bits of entropy per character
    4.7004397181 x 12 <- length of password
    = 56.40527664 <- bits of entropy total

    So in the extreme case where we're constrained to only lowercase letters, 12 characters versus 4 words is a close comparison.

    At the end of the day a character-based password will have more entropy than a word-based password of the same length, so in cases where length is constrained (i.e. pretty much always) a character-based password will always be stronger. But certainly word-based passwords can be more than strong enough too, and given particular use cases (entering Wi-Fi password on a "smart" TV — ugh!) there's a good argument to be made for using those for less-sensitive things. Cheers! :)
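    The entropy arithmetic brenty walks through above, as an added Python example (not code from the thread or from 1Password). It assumes the "over 18k" word list is exactly 18,000 words and the 93-character alphabet from the comment, and the guess rates at the end are constructed numbers to show why a slow KDF or online throttling matters.

```python
import math

# Assumed sizes, taken from the thread: "over 18k" words in the list and a
# 93-character alphabet (31 symbols + 10 digits + 26 + 26 letters).
WORDLIST_SIZE = 18_000
FULL_ALPHABET = 93
LOWERCASE_ONLY = 26


def bits_per_word(wordlist_size=WORDLIST_SIZE):
    """Entropy contributed by one uniformly random word from the list."""
    return math.log2(wordlist_size)

def bits_per_char(alphabet_size):
    """Entropy contributed by one uniformly random character."""
    return math.log2(alphabet_size)

def passphrase_bits(num_words, wordlist_size=WORDLIST_SIZE):
    """Total entropy of num_words random words (separators add nothing)."""
    return num_words * bits_per_word(wordlist_size)

def password_bits(length, alphabet_size):
    """Total entropy of a random character password of the given length."""
    return length * bits_per_char(alphabet_size)

def min_length_for(target_bits, alphabet_size):
    """Shortest character password that reaches target_bits of entropy."""
    return math.ceil(target_bits / bits_per_char(alphabet_size))

def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to find a fully random secret: on average the attacker
    succeeds halfway through the keyspace, i.e. after 2**(bits-1) guesses."""
    return 2.0 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    four_words = passphrase_bits(4)
    print(f"4 words       : {four_words:6.2f} bits")
    print(f"9 chars  (93) : {password_bits(9, FULL_ALPHABET):6.2f} bits")
    print(f"12 chars (26) : {password_bits(12, LOWERCASE_ONLY):6.2f} bits")
    print(f"lowercase length matching 4 words: {min_length_for(four_words, 26)}")
    # Constructed guess rates: a throttled online login vs. an offline attack
    # on a leaked hash with no slow KDF such as PBKDF2 in front of it.
    for label, rate in (("online 10/s", 10.0), ("offline 1e9/s", 1e9)):
        years = expected_crack_seconds(four_words, rate) / (365 * 86400)
        print(f"{label:>14}: ~{years:.3g} years to find 4 words")
```

With exactly 18,000 words, four words come to about 56.5 bits, so matching them with lowercase letters alone takes 13 characters rather than the 12 the rounded 14-bits-per-word figure suggests.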

  • That's always the head scratcher for me, really, depending on the type of attack. After all the different techniques (key guessing, dictionary, character substitution (leet and whatnot), common prefixes and suffixes, Markov chains, and god knows what else), it eventually devolves into pure brute force. Keep in mind, for pure brute force, longer is just better. You have to survive the above first, but once it is a pure brute force attempt, e.g., $%^(&(&(bbbbbbbbbbbb is stronger than $%^(&(&(bbbbbbbbbbb (one character less) even though most of the characters repeat. So entropy aside, a nine-character password with higher entropy is weaker than 4 dice words, if the dice words survive to the brute force phase. Entropy helps you survive to that phase, I guess. Or at least, that's what I suspect!

  • brenty

    Team Member

    Indeed. Having a strong password generated completely at random by 1Password means that brute force will be necessary, and brute force attacks against 1Password data are significantly hampered by PBKDF2 iterations — which is in contrast to websites that can't reasonably do this for performance reasons, and often shy away from throttling and lockout to avoid inconveniencing their users. Anyway, entropy is awesome. :sunglasses:
