The Anti-virus Times

Wednesday, January 18, 2017

The recommendation to change passwords regularly is not made on a whim. Rather, it is a necessity for everyone who cares about the security of their information. And we’re not the only ones think that!

On November 25, 2016, the FBI posted a new series of tips on Twitter. In one specific tip, specialists of this well-known organisation advised readers to use strong passwords and change them frequently. All in all, it looks like an ordinary post containing common security recommendations. It wouldn't even be worth mentioning had it not drawn the attention of experts who started critiquing it.

An interesting thought! So what does the expert offer as an alternative?

Who’s right? As often happens, there is truth to both arguments, but there are also risks involved.

Passwords can be used to restrict access to the operating system, disk partitions, specific files and folders, and Internet sites (mail, online banking, various personal account areas, etc.). Passwords can protect assets on home PCs or on the computers in your organization’s local area network.

Let's exclude incidents when perpetrators learn passwords through electromagnetic leaks (e.g., by intercepting the display signal remotely) or by deploying hardware backdoors. Such methods can only be used by high-profile organisations with large budgets.

In this issue we will only examine situations when password leaks are caused by hacker activity, overly curious employees, or equally overly curious children who want to circumvent restrictions and access a PC or the Internet freely while playing games. In this case, they can determine a password by:

• Looking over a shoulder (an employee/a spouse/children…).
• Using malware to steal it once they have gained access to the computer (again because the password is weak).

At the moment, when we speak about malware, we usually mean Trojans. Because they can't replicate themselves, Trojans usually get onto computers with assistance from hackers or—which is more often the case as encryption ransomware victims will themselves attest — with the aid of users. There is always a chance that a home computer will get hacked, but users are more likely to launch Trojans themselves by clicking on links or visiting a bogus site. That is, the probability of infection directly correlates with the reliability of the anti-virus in use and with how persistent users are in their attempts to get their PCs and handhelds infected.

Can a password manager
prevent
a Trojan from stealing passwords?

Here's what a password manager does:

• It remembers passwords that a user enters;
• It generates random strings for passwords.

Burdening a password manager with the task of changing passwords regularly is risky because if one can’t access the manager, one can’t access the passwords either.

A password manager will definitely keep passwords from prying eyes (if there is no need to always enter a password manually), but will it prevent hackers from getting hold of passwords? That's the question! Because after all, it may have vulnerabilities just like any other application, and those vulnerabilities can be exploited.

To rule out any adverse impact from data leaks, passwords must be changed. And it is preferred that a device owner knows the new password. Yet a password manager can’t eliminate the risk of someone peeking at a screen the moment a password is being entered or generated.