4409 days old password?

Just had this appear when logging in to the MSE forums:

Your password is 4409 days old, and has therefore expired.

4409? Struggling to see the logic there as:

4409/365 = 12.079
4409/52 = 84.788
4409/7 = 629.857

At my old company it was every 42 days as 42/7 = 6 so a logical format?

I'm not criticising at all, just wondering!
'Just because it's on the internet don't believe it 100%'. Abraham Lincoln.

I have opinions, you have opinions. All of our opinions are valid whether they are based on fact or feeling. Respect other people's opinions, stop forcing your opinions on other people and the world will be a happier place.

Comments

  • elsien
    It's the site, they're making everyone do it. Several other threads floating about somewhere.
    All shall be well, and all shall be well, and all manner of things shall be well.

    Pedant alert - it's could have, not could of.
  • Exemplar
    Ah right.. Thanks!
  • ballyblack
    edited 10 February 2018 at 11:58AM
    I wonder has MSE had a hack scare?? making us all change passwords!!


  • grahamgoo
    Yeah mine was something random like 2436 days. Should probably be changing passwords much more frequently!
  • John_Gray
    grahamgoo wrote: »
    Yeah mine was something random like 2436 days. Should probably be changing passwords much more frequently!
    Office 365 suggests you keep the same logon password permanently...
  • agrinnall
    grahamgoo wrote: »
    Yeah mine was something random like 2436 days. Should probably be changing passwords much more frequently!

    How is it random? Given that you've been on the site for almost 7 years then that seems to be the correct number of days since you last changed your password (assuming that, like me, you've never changed it).
  • AnotherJoe
    grahamgoo wrote: »
    Yeah mine was something random like 2436 days. Should probably be changing passwords much more frequently!

    No, you shouldn't. There's no advantage to changing passwords, if anything it indirectly decreases security.
  • grahamgoo
    agrinnall wrote: »
    How is it random? Given that you've been on the site for almost 7 years then that seems to be the correct number of days since you last changed your password (assuming that, like me, you've never changed it).

    Yes - I didn't mean completely random, just that it wasn't a set password expiry period such as 30 or 90 days. Pretty much all my work related passwords have such a policy along with various rules on length, use of non-standard characters, not using a password that has been used before etc etc.

    I'd be interested to hear thoughts on why changing passwords regularly would not be a good idea. I've always thought that if a password was compromised, then if it remains the same then it would be easier for someone else to log in to an account indefinitely.
  • alanwsg
    grahamgoo wrote: »
    I'd be interested to hear thoughts on why changing passwords regularly would not be a good idea. I've always thought that if a password was compromised, then if it remains the same then it would be easier for someone else to log in to an account indefinitely.

    Here's a good write-up.
    Basically, the best thing to do is use a password manager.

    https://nakedsecurity.sophos.com/2017/08/11/why-nists-bill-burr-shouldnt-regret-his-2003-password-advice/
  • AnotherJoe
    grahamgoo wrote: »
    Yes - I didn't mean completely random, just that it wasn't a set password expiry period such as 30 or 90 days. Pretty much all my work related passwords have such a policy along with various rules on length, use of non-standard characters, not using a password that has been used before etc etc.

    I'd be interested to hear thoughts on why changing passwords regularly would not be a good idea. I've always thought that if a password was compromised, then if it remains the same then it would be easier for someone else to log in to an account indefinitely.

    Multiple reasons, mostly statistical, eg what people do overall

    - Given many passwords regularly changing they get fed up and drop to one or very few passwords they use across sites. You or I may not do this but in general that's what happens. So, a breach when it comes doesn't just expose their forum password but their banking one, say.

    - People can no longer remember all the changing passwords and write them down somewhere easily accessible, worst case the classic sticky note on the front of the computer screen (or maybe to be secure, on the back :D) You or I may not do this and will use a password manager, but in general that's what happens. This is a classic at workplaces where it's common to see a sticky with "this week's password" written on it. Here's a recent example.

    - You get fed up changing passwords all the time and gradually move from complex ones to simpler ones because it's an effort to generate a new complex one, make a note of it somewhere secure, etc. You or I may not do this and will use a password manager to generate super complex ones and store them securely, but in general that's what happens, so over time passwords get simpler and easier to crack.

    - Forcing non reuse simply moves people to circumvent with a number. eg SooperSecr$t01 changes to SooperSecr$t02, and if they only check the last ten, back to SooperSecr$t00, then 01 etc. So knowing there is likely a one or two digit number at the start or end of a password makes brute force attacks easier, and potentially leads to more easily guessable passwords because people have satisfied the "must have a number" condition except now it's plain the number will always be one or two digits start or end whereas they might not have done that in the past.

    - It's pointless. If there's been a hack, change it. If there hasn't, well that means that your current password is good enough not to be guessed or brute forced, assuming someone is trying to do that, so why change it? And if they aren't trying to guess or brute force it, remind me what was the point?

    - It's efficiency draining and counterproductive, especially in the workplace where you may have dozens to hundreds of passwords and may literally end up changing one most days, ending up with your forgetting them and needing to spend time doing resets with IT support or ending up with them written in a little book or in an easily accessible place like a spreadsheet. Number of people I knew at work with all their passwords and user names in a spreadsheet was legion.
This discussion has been closed.
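
The counter workaround described in the last post (SooperSecr$t01 becoming SooperSecr$t02) can be detected at password-change time, when the user types both the current and the new password. The code below is an added example, not part of the thread or of any site's code; the function names are hypothetical and the one-to-three-digit counter width is an assumption.

```python
import re

# Assumption: a "counter" is a run of up to 3 digits at the start or end.
_COUNTER = re.compile(r"^(\d{0,3})(.*?)(\d{0,3})$", re.DOTALL)


def split_counter(password):
    """Split a password into (leading digits, stem, trailing digits)."""
    m = _COUNTER.match(password)
    return m.group(1), m.group(2), m.group(3)


def is_trivial_rotation(current, candidate):
    """True if candidate is the current password with only its counter changed.

    Both values are the plaintext the user types on the change form, so no
    plaintext password history has to be stored for this check.
    """
    if current == candidate:
        return True
    cur_stem = split_counter(current)[1]
    new_stem = split_counter(candidate)[1]
    # casefold() also catches a case-only change of the stem.
    return bool(cur_stem) and cur_stem.casefold() == new_stem.casefold()


def review_changes(changes):
    """Return 'reject' or 'accept' for each (current, candidate) pair."""
    return ["reject" if is_trivial_rotation(cur, new) else "accept"
            for cur, new in changes]


# Constructed sample input, using the pattern quoted in the thread.
SAMPLE_CHANGES = [
    ("SooperSecr$t01", "SooperSecr$t02"),   # counter bumped
    ("SooperSecr$t02", "SooperSecr$t00"),   # counter wrapped round
    ("SooperSecr$t01", "7soopersecr$t"),    # counter moved to the front
    ("SooperSecr$t01", "granite-otter-plays-cello"),  # unrelated
]

if __name__ == "__main__":
    for pair, verdict in zip(SAMPLE_CHANGES, review_changes(SAMPLE_CHANGES)):
        print(pair, verdict)
```

A check like this only sees the counter pattern; reuse across sites and written-down passwords, the other points in the post, are invisible to it.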