Friday, May 8, 2015

When Should You Change Your Password?

May 7th is known as Password Day on the Internet.  The annual event is used to draw attention to common password problems and offer tips to people for choosing and managing passwords better.  Found among this advice is guidance to change your passwords on this day, or to at least change them regularly. Unfortunately, this practice it isn't as clearly beneficial as those offering it might hope.

The reality is that we security professionals have been advocating regular password changes, and sometimes forcing users to comply, for decades with very little evidence that it is useful.  The only reason to change a password is if we know an attacker has obtained it or if we suspect this is likely.  We simply don’t have data that shows regular password changes do make an impact on the problem of password theft.

I gave a presentation on password expiration for a technical audience at PasswordsCon last year, but it didn't address the challenge from a user's point of view.  So, I wrote this related article for the average Internet user, and not only technology or security industry veterans.

With that background, here are the questions I would ask yourself before changing your passwords.  I've listed these from the most important questions to the least important.

Has a company told you that they've had a security breach and recommended you change your password?

Usually responsible companies will alert users if they have suffered a security intrusion that put user passwords at risk.  This alert will hopefully come in the form of an email or letter to you, but might also show up as an notification when you log into their site.  Some sites force you to change your password following a breach, while others simply recommend you change it and leave that decision up to you.

On some sites your stolen password may be cryptographically protected, but this may only buy you a few days or weeks following a breach before attackers can 'crack' them and start using your account.  I recommend quickly changing your password in any situation where you've been alerted there was a security breach.

If you have used this same compromised password on other sites you should also change those passwords to a new value since some attackers will try to use your credentials everywhere they can.

Have you noticed suspicious account activity on a site?

Sometimes noticing suspicious activity with your account on a site is easy.  If you see posts on your Facebook account that you didn't make, that’s a pretty good sign something is wrong.  Likewise, unfamiliar purchases or other financial transactions on an account is a red flag.

But other times there may be more subtle clues that you’ll have to search for.  Are messages marked as read when you haven’t reviewed them?  Was the last account login time recorded when you weren't using your account?  Has your email address, phone number, or home address been updated to an unfamiliar value?

Some sites are very good about helping you notice unusual behavior, such as when someone logs into your account from a new computer or device.  These companies might send you an email to alert you of this behavior or of sensitive changes to your account.  While scammers sometimes fake these emails in ‘phishing’ attacks, you can often avoid clicking links in suspicious emails and log directly into the site to see if the warning is legitimate.

If you see reasonable signs that someone else has been using your account then this is also a good time to change your password.

Have you logged in from a shared computer or had a virus since your last password change?

Shared computers are the type you might find in a library, school, Internet/gaming cafe, or hotel.  They aren't owned by you and they typically don’t offer much reassurance that they are secure against malicious tampering.  An attacker can install software to capture any passwords you type while on the computer, and then use that information to later impersonate you.

If you want to log into a site while on a shared computers then consider changing any passwords you used once you are back on a trusted computer or mobile device.  Otherwise you might want to avoid shared computer use altogether since there’s a chance an attacker can carry out their crimes before you have time to change passwords.

If your computer or mobile device has been infected with a virus or other malware there’s also a good chance your passwords were captured during the infection.  Once you are certain that the malicious software has been removed you should consider changing any passwords that were exposed.  If you still have malicious software on your computer then simply changing your password may not help. The criminals will be able to capture your new password when you type it in and they can continue to misuse it.

If you aren't sure how long your computer was infected, and thereby what passwords are at risk, it might make sense to change the passwords of your most valuable accounts first and monitor your less valuable accounts for any sign of suspicious activity, changing more passwords as necessary.

Have you shared a password with someone who you no longer trust or who you may have trusted too much?

While you generally shouldn't make a practice of sharing your passwords, there are times where you probably will.  Maybe a significant other needs to read important messages for you while you’re out, or you share an account for a service that the whole family uses.

Problems with this habit tend to arise when either a breakup or other relationship distress occurs that changes how much you can continue trusting the person with your password.  Amidst the usual stress of these events it is still important to take the time to think about what accounts are now exposed to potential abuse and to make password changes where needed.  Even if you part on good terms, it can still be a good idea to remove the possibility of someone’s curiosity or jealousy later tempting them to get into your accounts.

Other situations you should be careful with are people who ask for your password with seemingly legitimate motives that you later begin to distrust.  For example, maybe you get a phone call from someone representing a company that claims to be fixing a problem for you but needs your password.  Or maybe a coworker or fellow student is working on a project with you and needs your password to access shared information.

In these situations you might comply with the request initially and realize after the fact that it probably wasn't a good idea.  Change these passwords and think about how to avoid these situations in the future.

Have you used this same password on another site that is much less valuable?

Another common password recommendation is that you use a unique password for every site you log into.  This recommendation it is very helpful in limiting abuse of your accounts if you choose to follow it.  However, many people share passwords between at least some of their accounts to ease the burden of memorizing a long list of secrets.

If you've chosen to share some passwords then I recommended using unique passwords for your most important accounts (banking, medical, email), and only sharing passwords for less important sites. For example, you may choose to have the same password for Facebook and Twitter if it doesn't bother you than an attacker may be able to get into both accounts without additional effort on their part.  You might also share a single password between all news or entertainment sites you visit if you don’t have any financial info tied to them.

What you should avoid is using the same password for an important site (e.g. your bank) and a less important site that may not do a good job protecting your account.  Sites that don’t deal with sensitive info typically have less comprehensive security, which can leave them more susceptible to hacking.  If an attacker steals your password from one of these sites you want to prevent them from getting into your other accounts that do contain sensitive data.

So if you've shared a password between accounts like this you probably should change the password of the more important site to something unique.

Has it been a few years since you've last changed your password?

Finally, after reviewing all these other factors, you can consider how long it has been since you last changed a particular password.  This acts as a catch-all in case you didn't notice suspicious activity, didn't remember sharing a password, didn't know you were infected with a virus, etc.

The only problem with this approach is that we don’t know how often changing a password simply based on its age is actually useful.  We have no idea whether changing a password every 6 months prevents enough hacking to justify that time frame compared to changing it every year.  Our industry has adopted guidelines, mainly for corporate passwords, but these are founded in habit rather than careful scientific reason.

So I won’t pretend that there is a lot of value in setting an arbitrary date on when a password should be changed.  If it makes you feel better to change them every few years, and you don’t mind the work, then go ahead and do it.  If you don’t want to change them regularly, and aren't required to, then I would focus that energy on running through the above questions on a regular basis.  In the long run this latter practice will probably prove to be more valuable to you.

So you've decided to change a password

To make changing your password worthwhile your new one should be something unrelated to the previous password value.  Going from “Muffins14” to “Muffins15” probably won’t protect you from an attacker committed to accessing to your account.

I would also strongly recommend that you take this opportunity to start using a password manager if you aren't already.  Password managers act as a backup to your memory so you feel more comfortable choosing better passwords and changing them as needed.  Some password managers can even supply your password automatically to the sites you log into, removing the burden on your memory entirely.

Here are a few of the more popular password managers:

Free versions:

Paid versions:

While you are changing your passwords look in your account settings for two-factor authentication (2FA), or any multi-factor authentication (MFA) support on the site that you may not yet be using.  MFA adds another layer of account protection, usually in the form of a one-time code texted to you, a pop-up alert on your phone, or other mechanism designed to supplement the security of passwords.  These mechanisms add another hurdle for attackers to overcome before gaining access to your account, and have the side benefit of rendering regular password changes even less necessary.

More and more sites are starting to support MFA to protect accounts, and I would encourage you to try it out and take advantage of the added security.  

No comments: