I update my passwords from time to time. I don't trust the organizations will always say if there is a breach, know there is a breach, or actually know how far and wide a breach went.
Do you trust them to salt and hash your password using bcrypt? (rather than store it in plain text). Do you use a password manager to generate strong passwords that are at least 16 chars long? If you can answer yes to both, then it doesn't actually matter if your hashed password was part of a breach or not, the hackers won't be able to brute force it. (Of course if hackers manage to steal the private key with which your session cookie is encrypted, they can still log in as you - but then changing your password won't help either).
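An added example to put numbers on the comment above; it is not code from the thread. bcrypt, which the commenter recommends, is not in Python's standard library, so this uses PBKDF2-HMAC-SHA256 from hashlib as a stand-in salted, deliberately slow password hash (the argument is identical). The iteration count and the guesses-per-second rates are assumptions for illustration, not measurements.

```python
import hashlib
import math
import os
import secrets
import string

# Assumed work factor: tune it so one hash costs a noticeable fraction of a
# second on the server. bcrypt's cost parameter plays the same role.
ITERATIONS = 200_000

# The 94 printable ASCII symbols a typical password manager draws from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per password means two users
    with the same password get different digests and precomputed tables are useless."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return secrets.compare_digest(candidate, digest)


def generate_password(length: int = 16) -> str:
    """What a password manager does: uniform random choice from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def expected_crack_years(length: int, guesses_per_second: float,
                         alphabet_size: int = len(ALPHABET)) -> float:
    """Expected brute-force time: on average half the keyspace must be tried.
    guesses_per_second is whatever the attacker's hardware achieves against
    the hash in use; a slow hash like bcrypt drives this number down."""
    keyspace = alphabet_size ** length
    seconds = (keyspace / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    salt, digest = hash_password("hunter2")
    print("verify correct:", verify_password("hunter2", salt, digest))
    print("verify wrong:  ", verify_password("hunter3", salt, digest))
    for length in (8, 12, 16):
        # Assumed attacker rates: 1e9/s for a fast unsalted hash, 1e5/s for bcrypt-class.
        print(f"{length} chars: {entropy_bits(length):.1f} bits, "
              f"fast hash {expected_crack_years(length, 1e9):.2e} years, "
              f"slow hash {expected_crack_years(length, 1e5):.2e} years")
```

The point the numbers make: a random 16-character password is about 105 bits of entropy, so even at a billion guesses per second the expected time is on the order of 10^14 years, which is why a leaked hash of such a password is not the emergency a leaked short one is. The same table shows the converse: an 8-character password falls in well under a year against a fast hash, so the "doesn't matter if it leaked" conclusion only holds when both conditions the commenter names are met.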
This seems reasonable.
How often do you change your passwords?
Feels like it would get extremely tedious if you have more than a few accounts though, no?
Yes. You can set your passwords to expire after a date (or a period) in KeePassXC. They will show up in your Health Check reports along with weak or non-unique passwords, possible leaks and more
For certain sensitive websites (e.g. domain registrar) I change passwords once a year or so, because there's really no guarantee that administration would 1) notice a breach early or at all, 2) fully understand the scope/severity, or 3) even notify their users about a breach.
Yes. For sites, desktops, everything that has some rule stating that passwords expire after 30/90/180 days, must not repeat the last 3/5/10 passwords, must have at minimum/maximum n characters, must/must not contain special symbols or some subset of them.
My current work forces updates every 3 months. It seems more like a security issue requiring this reset so often.
This is because they create another problem when anyone you talk to will say they have their password and just increment a number for every password change. That way they’re not having to remember a whole new password every few months. So there’s never much of a change in anyone’s password during these rotations.
NIST actually changed their recommendation relatively recently and no longer suggests periodic password changes without reason.
> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
Flozzin|4 years ago
m12k|4 years ago
Cr0s|4 years ago
rcMgD2BwE72F|4 years ago
https://keepassxc.org/blog/2020-08-15-keepassxc-password-hea...
daneel_w|4 years ago
woliveirajr|4 years ago
dagw|4 years ago
tarellel|4 years ago
- abcde1
- abcde2
- abcde3
- …
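An added example, not from the thread, of how a verifier can catch the "bump the number" rotation the comment describes. At password-change time the server has the new password in plaintext, so it can derive the predictable predecessors (the stem without digits, the same stem with the number decremented) and check them against the stored hash history. The hash is again PBKDF2-HMAC-SHA256 from hashlib as a stand-in for bcrypt, with an assumed iteration count; the candidate set is an assumption about the habit, not an exhaustive similarity check.

```python
import hashlib
import os
import re
import secrets

ITERATIONS = 100_000  # assumed work factor; production deployments use more


def _hash(password: str, salt: bytes) -> bytes:
    """Salted slow hash (bcrypt-class stand-in)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store(password: str) -> tuple[bytes, bytes]:
    """What the server keeps per historical password: (salt, digest)."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


def predictable_predecessors(new_password: str) -> set[str]:
    """Passwords a user who just increments a trailing number would have used
    right before new_password. 'abcde3' -> {'abcde', 'abcde2'};
    'abcde10' -> {'abcde', 'abcde9', 'abcde09'}."""
    candidates: set[str] = set()
    m = re.fullmatch(r"(.*?)(\d+)", new_password)
    if not m:
        return candidates
    stem, digits = m.group(1), m.group(2)
    n = int(digits)
    candidates.add(stem)  # the password before any number was appended
    if n > 0:
        candidates.add(f"{stem}{n - 1}")
        candidates.add(f"{stem}{n - 1:0{len(digits)}d}")  # keep zero padding
    return candidates


def rejects_trivial_rotation(new_password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if new_password equals, or is a trivial increment of, a password
    in the hash history. Cost is len(candidates) * len(history) slow hashes,
    which is why the candidate set must stay small."""
    for candidate in predictable_predecessors(new_password) | {new_password}:
        for salt, digest in history:
            if secrets.compare_digest(_hash(candidate, salt), digest):
                return True
    return False


if __name__ == "__main__":
    # Constructed history: the user has already been through abcde1 and abcde2.
    history = [store("abcde1"), store("abcde2")]
    print("abcde3 rejected:", rejects_trivial_rotation("abcde3", history))
    print("abcde2 rejected:", rejects_trivial_rotation("abcde2", history))
    print("random rejected:", rejects_trivial_rotation("Q7!vz#Lm9pR2&wEk", history))
```

This only catches the patterns you enumerate (trailing-number bumps and outright reuse), so it is a band-aid on the policy rather than a fix; it also adds hashing cost on every change, which is another reason the thread's conclusion, drop arbitrary rotation and force a change only on evidence of compromise, is the simpler answer.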
nend|4 years ago
ryangittins|4 years ago
Source: https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver
kasey_junk|4 years ago
The policies are the problem and the industry has recognized it so they’ve moved away from those recommendations.