Why frequent password changes only harm security
Technologies / December 19, 2019
Frequent password changes are often presented as one of the most effective means of protecting information. But it is not as simple as that. Why? Read our article.
Surely you have at least once received an e-mail notice recommending that you change your password. As a rule, such messages come from e-mail services and corporate network administrators about once every six months. And here a choice arises: follow the advice of those "who know better" and change the password, or ignore the request and leave things as they are. The latter option is supported by the UK intelligence agency whose responsibilities include signals intelligence and information security for the armed forces.
On 7 May, on the occasion of World Password Day, the Communications-Electronics Security Group (CESG), a division of the UK's Government Communications Headquarters (GCHQ), published an explanation of why it is not necessary to change your password too often.
Typically, security policy obliges us to use only complex passwords, which are hard to guess and, therefore, hard to remember. Passwords should be as long and random as possible. We are quite capable of managing a couple of passwords, but when the number of accounts runs into dozens, the situation becomes unmanageable.
The situation is aggravated by the fact that we are not allowed to keep using the old password, even if it meets the highest security requirements. In this case, people do not overthink it and take one of the least sensible routes:
- They create a new password by slightly modifying the old one. Attackers can exploit this: if they knew the previous password, it will most likely not be difficult to guess the new one as well. Moreover, users often forget the new password anyway, which leads to inconvenience, lost time and lost productivity.
- They weaken the old combination. People consciously simplify the new password so that it fits more easily in their memory. Uppercase letters, special characters and digits fall under the knife. Of course, only the user loses from this.
- They write the new password on a piece of paper and leave it practically in plain view. Naturally, this behavior completely defeats the purpose of the procedure.
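The first two points above are ones a password-change policy can actually enforce at the moment the change is made: reject a "new" password that is just the old one with a tweak, or that is weaker than the old one. The example below is added here as an illustration and is not code from GCHQ, CESG or the original article; the edit-distance threshold and the character-class scoring are assumptions.

```python
import re


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot 'old password plus a tweak'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _stem(pw: str) -> str:
    # Normalise the tweaks people make under forced rotation: letter case, and
    # digits or punctuation tacked onto either end ("Summer2019!" -> "summer").
    return re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw.casefold())


def _classes(pw: str) -> int:
    # Count the character classes present (lower, upper, digit, symbol).
    return sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))


def check_rotation(old: str, new: str, max_edits: int = 2) -> list[str]:
    """Return the reasons a proposed password is unacceptable; empty list means OK.

    Both values are available in plaintext only during the change itself.
    max_edits=2 is an assumed threshold, not a published recommendation.
    """
    problems = []
    if _stem(old) == _stem(new):
        problems.append("new password is the old one with digits/symbols/case changed")
    elif edit_distance(old.casefold(), new.casefold()) <= max_edits:
        problems.append(f"new password is within {max_edits} edits of the old one")
    if len(new) < len(old) or _classes(new) < _classes(old):
        problems.append("new password is shorter or uses fewer character classes than the old one")
    return problems


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [("Summer2019!", "Summer2020!"), ("Winter!Sun2019", "winter")]:
        print(old, "->", new, check_rotation(old, new))
```

The check runs once per change and never needs stored plaintext; afterwards only the hash of the accepted password is retained.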
"It is a paradox: the more we are forced to change our passwords, the more vulnerable we become. At first glance, it seems quite reasonable to change passwords as often as possible, but practice shows that this is not true," the security experts concluded.
Of course, after reading this you should not ignore every request to change your password. For example, one cannot ignore major data breaches like the one that happened to Adobe accounts in 2013. In such cases you will have to come up with a new password, and possibly make it out of emoji: they say it is even safer that way.
In the comments on the original article, one reader suggested that the government services deliberately put out this canard to lull the masses. The calculation is simple: accounts that have already been compromised will not have to be broken into again (it is an industrial-scale operation, after all). Some supported this idea, while others advised the alarmist to take a pill against the universal conspiracy.
What do you think: should you change your password if it is strong and there is no evidence of unauthorized access to your account?