Two facts about passwords—where’s the truth?

The recommendation to change passwords regularly is not made on a whim. Rather, it is a necessity for everyone who cares about the security of their information. And we’re not the only ones who think that!

On November 25, 2016, the FBI posted a new series of tips on Twitter. In one specific tip, specialists of this well-known organisation advised readers to use strong passwords and change them frequently. All in all, it looks like an ordinary post containing common security recommendations. It wouldn't even be worth mentioning had it not drawn the attention of experts who started critiquing it.

Changing passwords often is a bad practice because eventually users create simple passwords that are easy to remember and thus make the job of hackers easier.

"I am surprised and sad to see that the FBI continues to give out bad advice when solid academic research, numerous organisations, corporations and the US government themselves have said for at least half a year now that frequently changing your passwords is a bad idea. While I don't know who at the FBI is in control of their Twitter account, the people behind it do not seem to be in control of current best practices. I do expect better than that from the FBI," noted Per Thorsheim, organiser of the PasswordsCon conference.

https://motherboard.vice.com/read/the-fbi-is-wrongly-telling-people-to-change-passwords-frequently

An interesting thought! So what does the expert offer as an alternative?

People should use password managers to have unique, strong passwords for each site they visit. They should also take advantage of two-factor authentication which will enhance security even further.

https://motherboard.vice.com/read/the-fbi-is-wrongly-telling-people-to-change-passwords-frequently

Who’s right? As often happens, there is truth to both arguments, but there are also risks involved.

Passwords can be used to restrict access to the operating system, disk partitions, specific files and folders, and Internet sites (mail, online banking, various personal account areas, etc.). Passwords can protect assets on home PCs or on the computers in your organization’s local area network.

Let's exclude incidents when perpetrators learn passwords through electromagnetic leaks (e.g., by intercepting the display signal remotely) or by deploying hardware backdoors. Such methods can only be used by high-profile organisations with large budgets.

In this issue we will only examine situations when password leaks are caused by hacker activity, overly curious employees, or equally overly curious children who want to circumvent restrictions and access a PC or the Internet freely while playing games. In this case, they can determine a password by:

  • Looking over a shoulder (an employee/a spouse/children…).
  • Using malware to steal it once they have gained access to the computer (again because the password is weak).

At the moment, when we speak about malware, we usually mean Trojans. Because they can't replicate themselves, Trojans usually get onto computers with assistance from hackers or (which is more often the case, as encryption ransomware victims will themselves attest) with the aid of users. There is always a chance that a home computer will get hacked, but users are more likely to launch Trojans themselves by clicking on links or visiting a bogus site. That is, the probability of infection directly correlates with the reliability of the anti-virus in use and with how persistent users are in their attempts to get their PCs and handhelds infected.

Can a password manager prevent a Trojan from stealing passwords?

Here's what a password manager does:

  • It remembers passwords that a user enters;
  • It generates random strings for passwords.
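An added example, not part of the original article or of any Dr.Web product: a Python sketch of the two sides of the argument above. It generates a random string the way a password manager would, and it runs a change-time check that rejects a new password that is only a small edit of the old one. Treating "simple and easy to remember" as "a small edit of the previous password" is this example's assumption, as are the function names, the alphabet and the thresholds.

```python
import secrets
import string

# Assumed alphabet: letters, digits and a few widely accepted symbols.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"

def generate_password(length: int = 20) -> str:
    """Random string drawn from the OS CSPRNG (never the `random` module)."""
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Retry until every character class is present, so that sites
        # with composition rules accept the result.
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(not c.isalnum() for c in pw)):
            return pw

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def _letters(s: str) -> str:
    return "".join(c for c in s if c.isalpha())

def is_trivial_rotation(old: str, new: str, max_edits: int = 3) -> bool:
    """True when `new` is only a small edit of `old`.

    Meant for the moment of a password change, when the user has just
    typed the current password, so both values are available in memory.
    """
    a, b = old.casefold(), new.casefold()
    # Same letters with only digits or symbols changed (a bumped counter).
    if _letters(a) and _letters(a) == _letters(b):
        return True
    return edit_distance(a, b) <= max_edits
```
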

Burdening a password manager with the task of changing passwords regularly is risky because if one can’t access the manager, one can’t access the passwords either.

A password manager will definitely keep passwords from prying eyes (if there is no need to always enter a password manually), but will it prevent hackers from getting hold of passwords? That's the question! Because after all, it may have vulnerabilities just like any other application, and those vulnerabilities can be exploited.

To rule out any adverse impact from data leaks, passwords must be changed. And it is preferred that a device owner knows the new password. Yet a password manager can’t eliminate the risk of someone peeking at a screen the moment a password is being entered or generated.

Dr.Web recommends

Protective measures become effective when those who adopt them understand what they are doing. Keep your passwords safe and change them frequently!
