Bob Dubner
(Super Imperial Member)
08/05/16 11:42 AM
Password Security....should you change it often?

Ward, I don't disagree; the effort and attention paid to passwords is another
example of 1) Looking for your keys under the streetlight, because
that's where you can see, and/or 2) blaming the victim. In most cases the
effort involved isn't justified by the value of the information being secured.

But you don't want a successful attack on IDontCare.com to reduce your
security on StoreYourMoneyHere.com, either.

One main reason for using different passwords on different systems, and
changing them fairly frequently, is because so damned many servers are being
successfully hacked. So, if somebody breaks into IndifferentSecurity.com and
steals their password file, which in the worst case idiotically stores your
password in the clear, then they can start trying that password at
Amazon.com, EveryBank.com, and so on.

Even if the password itself isn't stored, but rather a cryptographic hash,
the Bad Guys have developed sophisticated means of figuring out whether that
hash is known to be associated with a password. If it is, then they can go
back to trying that password elsewhere.

As the arms race continues, the standard means of dealing with that problem
is to concatenate a 128-bit (or more) strong random number called a "salt"
with your password before generating the hash; the salt gets stored along
with your username and the final hash for verifying your password in the
future.

But, basically, *you* have to keep changing your password because *their*
security can't be completely trusted.



Contact Us AVSIG

Powered by UBB.threads™ 6.5.5

Logout   Main Index    AVSIG Aviation Forum