Changing all passwords

***glennzo*** · #1 18th May 2012, 11:12 AM

I just completed the self-imposed task of changing all passwords for all users (root + glenn) on all computers / all OS's. What a pain! Three computers, the desktop, the laptop and the server (another desktop). The server only boots Fedora 16 so that wasn't a big deal, however, the laptop and the desktop are both multi-boot with 4-8 OS's each! Crikey! I thought I'd never finish changing passwords.

Why did I do it? I've been using the same passwords for several years and thought it was time for newer and stronger passwords. It's a good thing I wrote both passwords on my forehead, backwards, with a sharpie because it is getting increasingly harder to remember things, not to mention the new passwords are considerably longer than the old ones were. Now, if I forget a password all I need to do is to go look in a mirror. Since they're written backwards no one else could ever figure out what they are, even though they're hidden in plain sight

So, how often do you change your passwords?

***bob*** · #2 18th May 2012, 11:17 AM

1996. If "they" haven't figured it out by now, it's because:

1). My passwords are far too clever and complex for hackers to break. Or...

2). They've broken them, checked my files and realized they've stolen trash.

aleph · #3 18th May 2012, 11:20 AM

I only change my password when I am told I must (e.g. the aftermath of Fedora build system breach, etc).

I think it's safe enough for most of my needs just to choose a long password and stick with that.

Adunaic · #4 18th May 2012, 11:41 AM

I usually change it 10 times every 450 or so days.

sea · #5 18th May 2012, 12:14 PM

I have a set of passwords, which each its own lifecycle of 1-4 years.
* Forums: 8 - 12 char pw
* root/admin OS: 12-20 chars
* user / dummy OS: 8-16 chars
* Emails: 8-18 chars
* mail lists: 8-12 chars
* (online) games: 8-18 chars
* social media 8-20 chars

Gotta say i like that link, ty Aleph: https://www.grc.com/haystack.htm

Code:

Online Attack Scenario:
(Assuming one thousand guesses per second)	        12.13 trillion trillion centuries
Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second)	1.21 hundred thousand trillion centuries
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second)	1.21 hundred trillion centuries

jpollard · #6 18th May 2012, 12:18 PM

Not very often. Cracking my passwords could be done, but they are of limited use, and don't get you anywhere (I don't trust banks), and I don't shop online (not directly anyway - use it for catalog/review, yes. Actual purchase - rarely, once every 3/4 years and those passwords, if any, are very different).

My method also obscures things. I like to use a phrase or sentence... but instead of using one letter from each word, I might use the first one, or two, or even three from each word.

BTW, you are not safe from the dyslexic - they just might read things backwards as forwards....

And don't forget the head banging moments - you might leave prints of the password in plaintext

***glennzo*** · #7 18th May 2012, 01:01 PM

I wonder how long password cracking would take if we applied it to the old TV game show "Password".

***Gareth Jones*** · #8 18th May 2012, 01:29 PM

Hardly ever. I've got a set of passwords of varying strengths that I use for systems/websites of different levels of security, and to my knowledge the stronger ones have never been broken or stolen (probably because it wouldn't be worth the effort and I never log in using untrusted machines).

I'm not at all convinced that constantly changing passwords and using passwords that can't be remembered really makes things more secure anyway; if there's something you need to protect that much, you need more than a mere password...

nonamedotc · #9 18th May 2012, 04:04 PM

I change my password every six months or so. My passwords (for important accounts) are typically 10 characters or longer and the last time I setup my password, I used GRC (incidentally) to test the "strength" of a similar password .... That was fun!

The reason I change the password twice a year is because my work place mandates it and since I use "patterns", it is more convenient to change all passwords so that they all belong to the same "pattern".

Of course, none of these would stand key loggers - but then I use no computer other than my own - so ... haven't had problems .... yet!

marriedto51 · #10 19th May 2012, 11:20 AM

Wow, people change their passwords!

I used to have to on the university network because passwords timed out after 90 days. All that meant was that the sys admins were bombarded constantly by users who were locked out because they couldn't remember the new password.

As another thought, could we ever implement a dynamic password system -- something where the user enters a bit they remember plus an easy (human-computable) hash of the current date? Would that be any more secure than a fixed password?

Or: the banks in the UK now all use little card readers to provide one-time codes for access to internet banking. Is there anything like that to replace static passwords?

jpollard · #11 20th May 2012, 02:53 AM

Less secure.

And you are referring to the SecurID card - which requires a server to keep track of each card in use, and (due to clock sync problems) resynchronize the card when the clocks get too far apart.

SecurID has a PAM module for that.

The major problem is the expense. Each card costs between 30-75 dollars (US) depending on which version you buy.

Cheaper ones exist - Cryptocard for instance. But it works differently.