The old adage “wine gets better with age” is mostly true. The question I am asking is: do passwords get better with age?
The short answer is of course, no.
In most well-secured environments, passwords expire after a set number of days or weeks. Most of us see this at our places of employment. Outside of that, it’s practically nonexistent.
Ask yourself: when was the last time you received a notification from any social network that you needed to change your password because it was too old? I am willing to bet the answer is somewhere between nil and none.
This is very, VERY BAD. A stolen password database often circulates for months or years before the breach becomes public, and a password you have not changed in that time still works. The longer you go between changes, the longer that window stays open. (Forced expiry at work is a different matter. Current NIST guidance in SP 800-63B recommends changing a password when there is evidence of compromise rather than on a fixed clock, because people answer forced rotation with weak, predictable variations of the old one. That objection goes away when every new password comes out of a random generator, which is the approach below.)
How do you close this gap? You change your passwords on your own schedule and don’t rely on the service you are using to remind you.
In the past I’ve talked about the need for a different password with every service and for 2FA (two-factor authentication) on every logon that supports it. I’ve championed password management tools for the plethora of account credentials we all have, since keeping track of all that information is a huge task. Unique passwords and 2FA limit what any one breach can do; changing passwords limits how long a leaked one stays useful. The same tools can help us with that aging problem.
Something that works well for me: I change a password when I pay a bill. I just finished paying the electric utility, so I changed that password with the random password generator in my password management tool and made a note on that record of the date I changed it.
I set reminders in my calendar to change passwords for things like entertainment services and social networks once a month, and no, not all on the same day of the month. Spread the work out; that way it’s a bit less daunting.
I know, it’s more work that you have to do to keep yourself safe online but trust me here, it’s worth it.
It’s a good feeling when you hear that news story on the radio: a service you use had a password-compromising breach a year ago, and it is only becoming public today. That is a year in which an old password could have left your account open. Instead you get to say, “Hey, I already changed that password several times. Dodged that bullet!”
While we are talking about changing passwords, let’s expand our discussion into those “annoying security questions”.
How many of you answer those questions with the actual correct answers? So you answered the questions about your mother’s maiden name and the name of your kindergarten correctly, eh?
Did you answer those same questions correctly on that Facebook survey that went around to determine what your Star Wars character name would be?
Yeah…don’t do that.
While it was cool to learn that your Star Wars character name would be “I’ma Awe’some Jedi”, you have actually been helping attackers collect information about you. All they have to do is match those answers to an account you have mentioned publicly, say the service you tweeted about when you watched the last movie on Netflix, run its forgot-password process, and gain access to that service.
I don’t use the correct answers for those sorts of questions. While this was a clever way to add another level of identity verification when it started years ago, it’s nearly useless nowadays. So much of our lives is documented online that with a few moments’ research, anyone can learn these things about someone.
I provide random answers that have nothing to do with the question, and I note both the question and the random answer on that service’s record in my password management tool. If I ever have to confirm my identity with that service, I know I’m the only one who can answer those challenges correctly. One caveat: once you have used an answer in a verification challenge, say read it to a support agent over the phone, that answer can no longer be considered secret. Go back and update which questions are in use and the random answers you provide. Who knows, they may want to know your Star Wars character name.
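As an added example (not the author’s own tooling, and not taken from any particular password manager), here is a small Python script that does the three things described in the rotation and security-question sections above for a hypothetical vault of records: it generates random passwords and random security-question answers from the OS CSPRNG, flags records whose last change is older than a rotation interval, and spreads services across different days of the month so the chores don’t all land on one day. The `VAULT` records, service names and the `TODAY` date are constructed for illustration.

```python
import hashlib
import secrets
import string
from datetime import date, timedelta

# Character set for generated secrets; trim it to what a given site accepts.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"

# Constructed "today" so the example is reproducible offline.
TODAY = date(2024, 3, 1)


def random_secret(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Return a random string drawn from the OS CSPRNG (secrets, never random).

    Used for new passwords and for security-question answers alike, so the
    "answer" has no connection to the question or to anything findable online.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotation_due(last_changed: date, today: date, max_age_days: int = 30) -> bool:
    """True once a credential has been in use for max_age_days or longer."""
    return (today - last_changed) >= timedelta(days=max_age_days)


def stagger_day(service: str, window_days: int = 28) -> int:
    """Map a service name to a fixed day of the month (1..window_days).

    Hashing the name spreads rotation work across the month instead of piling
    it onto one day, and the assignment stays the same from month to month.
    """
    digest = hashlib.sha256(service.lower().encode()).digest()
    return int.from_bytes(digest[:4], "big") % window_days + 1


# Constructed sample vault records (hypothetical); a real password manager
# would hold these. "question"/"answer" mirror the random-answer practice.
VAULT = [
    {"service": "electric-utility", "last_changed": date(2024, 1, 5),
     "password": "old-password-1",
     "question": "Mother's maiden name", "answer": "Qx9!kLm2#pRv7&wZ"},
    {"service": "social-network", "last_changed": date(2024, 2, 20),
     "password": "old-password-2"},
    {"service": "streaming", "last_changed": date(2024, 1, 31),
     "password": "old-password-3"},
]


def due_for_rotation(vault, today: date, max_age_days: int = 30):
    """Names of the services whose password should be changed now."""
    return sorted(r["service"] for r in vault
                  if rotation_due(r["last_changed"], today, max_age_days))


def rotate(record: dict, today: date) -> dict:
    """Replace the password (and any security-question answer), stamp the date."""
    record["password"] = random_secret()
    if "question" in record:
        record["answer"] = random_secret(20)
    record["last_changed"] = today
    return record


if __name__ == "__main__":
    for name in due_for_rotation(VAULT, TODAY):
        print(f"{name}: rotation due (scheduled day {stagger_day(name)})")
```

Running it as a script lists which constructed records are due on the sample date; in a real workflow you would feed it an export from your own password manager and let `rotate` write back the new values.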
Security is one of those things in life that only returns what effort you put into it.
Ask yourself which is more of a pain to deal with: identity theft from a compromised bank logon, or taking the extra two minutes to change that password once a month and never telling them your mother’s real maiden name.
Until next time…