Passwords: How Often?

In recent news, people are being to change their passwords because of a flaw in program that makes internet connection secure, OpenSSL.  There is a lot of material out on how this system worked and how hackers exploited this flaw, so I am not going to rehash material that is already out there.

Instead, I want to focus on passwords themselves. In earlier blogs, I explained ways of how to create more secure passwords, rational why you should use a different password for each account, and the advantages of using a password vault. However, I never visited the subject of how often you should change a password.

If you have a Microsoft live account, you may have noticed that they have an option a checkbox you can click to make you change your password every 72 days. If you work for a company where you have to sign-in or log-on your work computer, you might have to change your password at least every 3 months.

The reason for changing your password from time to time is to close a security hole if your password in cases where your password had been compromised. Essentially your password is a key to unlocking access to your account, like a key to your home. If someone has a copy of your key, he/she can enter your house at any time. They can choose to trash your home, steal your valuables, or collect information about you. Likewise, if someone has your password, they can damage files on your compute, steal funds from your accounts, or collect information on you and your business.

Changing your password is like changing your locks. This way if someone is getting access because someone has a key, changing the lock takes away the ability to use that key. The important thing is when you change your password is that you do not use a similar password. For example, many people will use something like “ruMpl_stilskin!” and then change it to “ruMpl_stilskin!1” and then later to “ruMpl_stilskin!2”. A smart hacker will always check for those variations.  (Side note: the same is true for home locks. If your lock has a similar pin configuration aka key cut as your old lock, a thief can use a technique that will make your old key work in the new lock.)

Ok, so changing your password is a good thing, but how often should you do it? My rule of thumb, the more important the information, the more often you should change it. Does that mean you go crazy and change it daily? In my opinion, if it is that important that you need to change it daily, you should really look at a different way to store the information. In most cases, I think every 30 to 60 days is a reasonable timeframe. Again, if they are more sensitive, you should change them more frequently. I also should stress, you need to change every account periodically, even those with little information you need to keep secure.

There are times when you need to change your all of your passwords immediately; in anywhere are least one of your passwords has been or may have been compromised.  The reason being that if the hacker had access to one account, he/she may have been able to collect information related to your other passwords.

Well, I am off to change my passwords yet again….

KeePass – Free & Easy Password Protection

KeePass Logo
KeePass Logo

If you have an online account, most likely you have to have a password to access that account. The trick is how do you create a password that is easy to remember, but not easy for someone else to guess?

Some of us have used important dates in our lives, maiden names, names of our kids, phone numbers, street addresses, or things like password123, letmein, or 1234. Unfortunately, in this age, it is easy for criminals find all this information, and they know to try to words like ‘password’ or ‘letmein.’ Thanks to social media, and public access to many records, it doesn’t take long to search out maiden names, birthdates, anniversaries, etc.

So we are then forced to come up with complicated passwords such as r9G3jc9vVnw23da3. Unfortunately, this random password is a challenge to remember. So we write it down and hide it under our keyboards or in a nearby desk drawer.

Unfortunately, criminals know about our inability to remember passwords and our need to write them down and have them handy. So they will take the time to look under keyboards and in desk drawers to find them.

While this is an aside from the purpose of this article, I want to share a true story with you. I had a coworker who kept her password list on her desk. She told me that because she had about 16 potential passwords written on list, someone wanting to get on her computer would have a hard time guessing her password. I looked and her list and then entered on of the passwords on her list. It immediately opened her computer and I had complete access to her files.

So what is a person to do? My recommendation is get yourself a password vault like KeePass. While you can buy a password vault from a commercial company, KeePass is a popularly recommended password vault that is absolutely free.

What a password vault does is it securely stores your passwords in an encrypted format. These means, unless you are the NSA or have access to sophisticated computer hardware, the passwords cannot be unencrypted unless you have the password for the vault.

To use the KeePass vault, you first create a data file that can be stored on your computer, a flash drive, or even on a cloud drive such a Dropbox. Then you assign a key password for that file. Without this password, you will not be able to access the vault file. So if you forget it, all your passwords will be lost to you. There is no reset option for the vault password.

There is another risk with using a password vault. If your vault password falls into the wrong hands, the will have access to all the passwords you have stored in the vault. So make sure if you write down your password, you keep it in a safe place far from your computer. You will also have to make the password that is hard to guess.

Once you pick a good password, can enter the information about the web account and have the have the program generate a random password for you. Then cut and password into the password entry field of the account when you create the web account or into the password field after you go through the steps to change your password for that account.

If you have a hard time remember complicated passwords, try KeePass. For more information visit  http://keepass.info/help/base/index.html and http://keepass.info/screenshots.html