RE: [RC] Whats New with SERA - password safety - David LeBlanc

-----Original Message-----
From: ridecamp-owner@xxxxxxxxxxxxxxxxx [mailto:ridecamp-owner@xxxxxxxxxxxxxxxxx] On Behalf Of Mike Sofen
Sent: Sunday, February 08, 2004 8:41 AM
To: 'Ride Camp'
Subject: RE: [RC] Whats New with SERA - password safety

> I would discount the notion of changing your passwords frequently.

This depends on the context the password is being used under.

> Changing only protects you if your password has been compromised. If you
> use online banking, you'll know it pretty quickly because your account is
> empty.

Maybe, maybe not. When I test someone's network security, I gather as many
passwords as possible. I don't use most of them - I leave them aside in case
someone changes the one that I am using, or detects something going on with
that account. In the case of online banking, I might log into your account
for a year until a transaction large enough to interest me comes in, and
THEN zap you. Maybe I know when your bonus shows up.

If you change passwords regularly, it reduces the exposure. Unless you
engage in password incrementing - "Password1" becomes "Password2", or
"PasswordFeb" becomes "PasswordApr". About 1/4 to 1/3 of all people engage
in password incrementing, and if you're one of those, I'll have your
password forever.

> Otherwise, there's not much happening. If you allow an ecommerce site
> (like Amazon) to store your credit card info and someone hacks your Amazon
> password then they could go shopping with your money. Routinely changing
> your password doesn't decrease the chances of it being compromised, it
> only decreases your potential exposure once it HAS been compromised...if
> you use a weak password and a site is hacked you WILL be a victim.

Let's say you used Windows 98, someone else in your family double-clicked
on the wrong mail, and some punk now has all your passwords. You then go
buy a spiffy new computer, and transfer your files (sans the password
sniffer). If you never change passwords, the punk still has your passwords.

> However, all bank and legit ecommerce sites have hacker detection software
> running and monitor for multiple failed attempts to login. For the most
> part, these sites are quite safe. Not so well known are the internal
> security flaws that would allow a senior software engineer to swipe a
> bunch of credit card data from the company and sell it...that's happened
> quite a few times. Again, the legit sites have internal controls that
> largely prevent this from happening.

The software engineer is typically less of a threat than an underpaid
system admin. Another very severe problem is people getting into the
network from outside. Lots of networks are not all that hard to get into
from outside if you work at it.

> Most of these sites are quite safe, and the safeguards in the credit card
> system protect you when things do fail. Create 2 complex passwords and
> alternate them perhaps yearly. Anything else, in my opinion, is
> statistically irrelevant.

This is a really, really bad practice. I have personally seen it cause huge
problems. At Microsoft, we don't allow anyone to use the same password for
a cycle of 24 passwords (about 4 years).

It does, of course, depend on what you're protecting. For example, Amazon
doesn't have any of my credit card numbers saved, and I don't change that
password. Passwords that grant access to really important things, like my
employer's intellectual property, get changed to something different every
time.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ridecamp is a service of Endurance Net, http://www.endurance.net.
Information, Policy, Disclaimer: http://www.endurance.net/Ridecamp
Subscribe/Unsubscribe http://www.endurance.net/ridecamp/logon.asp
Ride Long and Ride Safe!!
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
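The two controls the reply above describes, a history of the last 24 passwords (so "alternate two passwords yearly" is rejected) and a check that the new password is not a trivial increment of the current one ("Password1" to "Password2", "PasswordFeb" to "PasswordApr"), as an added example that is not part of the thread or either author's code. The suffix heuristic in `stem()`, the PBKDF2 parameters, the `HISTORY_SIZE` constant and the `PasswordHistory` class are this example's own assumptions, not Microsoft's or any site's actual policy code.

```python
"""Password-change policy: reuse history plus "incrementing" detection.

Added example, not from the mailing-list thread.  Assumptions: the suffix
heuristic below, PBKDF2-HMAC-SHA256 for storage, and a 24-entry history.
"""
import hashlib
import hmac
import os
import re
from collections import deque

HISTORY_SIZE = 24         # the 24-password cycle mentioned in the reply
PBKDF2_ROUNDS = 100_000   # assumption: tune to your hardware

_MONTHS = "jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec"
# A trailing run of digits, month abbreviations or punctuation is the part
# people typically "increment"; everything before it is the password's stem.
_SUFFIX = re.compile(rf"(?:\d|[!@#$%^&*._-]|{_MONTHS})+$", re.IGNORECASE)


def stem(password: str) -> str:
    """Lower-case the password and strip the incrementable suffix."""
    base = _SUFFIX.sub("", password).lower()
    # An all-suffix password such as "2024!" has no stem; compare it whole.
    return base if base else password.lower()


def is_increment(old: str, new: str) -> bool:
    """True if new is old with only its trailing counter/month (or case) changed."""
    return new != old and stem(new) == stem(old)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Salted hashes of the last HISTORY_SIZE passwords for one account."""

    def __init__(self, initial: str, size: int = HISTORY_SIZE):
        self._entries = deque(maxlen=size)   # (salt, digest) pairs, newest last
        self._push(initial)

    def _push(self, password: str) -> None:
        salt = os.urandom(16)                # fresh salt per entry
        self._entries.append((salt, _hash(password, salt)))

    def verify_current(self, password: str) -> bool:
        salt, digest = self._entries[-1]
        return hmac.compare_digest(_hash(password, salt), digest)

    def seen_before(self, password: str) -> bool:
        return any(hmac.compare_digest(_hash(password, s), d) for s, d in self._entries)

    def change(self, current: str, new: str) -> str:
        """Apply the change policy; return 'ok' or the reason for rejection."""
        if not self.verify_current(current):
            return "current password incorrect"
        if self.seen_before(new):
            return f"reused one of the last {self._entries.maxlen} passwords"
        if is_increment(current, new):
            return "new password is an increment of the current one"
        self._push(new)
        return "ok"


if __name__ == "__main__":
    h = PasswordHistory("Tr0ub4dor&3")            # constructed sample account
    for cur, new in [("Tr0ub4dor&3", "Tr0ub4dor&4"),
                     ("Tr0ub4dor&3", "correct horse battery"),
                     ("correct horse battery", "Tr0ub4dor&3")]:
        print(f"{cur!r} -> {new!r}: {h.change(cur, new)}")
```

The increment check runs against the current password only, because a change-password flow has that plaintext (the user presents it) while older history entries exist only as salted hashes; storing hashes of stems as well would let you catch increments of any prior password but would also hand an attacker who steals the store a lower-entropy target, so this example does not. The stem heuristic is deliberately generous: a case-only change counts as an increment, and a word that happens to end in a month abbreviation loses that ending, which errs on the side of rejecting.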