I let a lot of things go too long. Then I change the password. Is there a recommended frequency?
Lately I’m feeling I should just change them all. Is that rash? Is a year good? Is two years pushing it?
[Not asking about password-making. I use pwgen from repo and everywhere I have to create an account the web page calls my passwords “very strong.”]
I know about entropy and I know how many millions of permutations password crackers try per minute. I get the feeling all compromise is a matter of time.
For the record my definition of password is upper case/lower case/number/symbol/other-clever-stuff.
This is bugging me lately. Thanks for any insights.
The only reason to change a password, in my opinion, is if it’s been leaked somewhere and / or there’s a suspicion that this risk exists. As long as it’s a really good password, there’s no need to keep changing it. That’s a relic from the last millennium.
There are “strong” passwords, and then there are ridiculously strong strong passwords. Aim for the upper limit of what the site supports, like 256 characters of total character madness, if the site permits it. Encrypted password managers make this feasible. If you can remember your password, I’d argue it’s not strong enough.
If that website’s database is breached and all hashed passwords are stolen… well… good luck brute-force cracking a password that complex in anything less than centuries.
As another habit, as best as you’re able, have a unique email address associated with every service. In this way, I have picked up on data breaches well in advance of the business actually advising me of them. Some have never advised me of them, but clearly the data was breached.
This lets you immediately address the breach by changing email and password.
pwgen -Cny 1 265
> & S I F * # W } l l - Q , w k E r a M k # m | r 7 $ ( * k @ ' n 3 B m D ] < E
8 \ \ O G 7 o G . D 5 J ` B 0 I u H J x w b 8 * T U b q : } I g 2 A Z * , l G O
Q o * Q _ > + c z * ] g M Q D k v k E 8 { \ G j % ? Q S j Z K + T m M V W = . @
E l N $ l ; / : Z , y | Z r S { ; + w U m h A ? + 0 X k 9 { 2 ) ( \ / x ( U n F
_ } ] M s X u s r N t C N ~ / c ; , ] Y 6 ! ; G * k h z m 5 + t $ L F _ ? Z ^ U
I = x g , p j r B u C b v 4 I 4 C B ? [ M / ` ~ j D f \ * 7 u > z A r p H D 2 U
M l Y Y & % 0 d ^ K J w i X u r a $ E X U % k - @
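The “centuries” claim above is just arithmetic on the size of the keyspace against a guess rate, so here is an added example (not code from the thread or from pwgen) that does that arithmetic for the lengths the thread mentions. The guess rates are constructed assumptions for illustration; the character pool of 94 is the printable ASCII set that a generator such as pwgen -y draws from. One practical caveat on the command quoted above: pwgen takes the length before the count (pwgen [OPTIONS] [pw_length] [num_pw]), so pwgen -Cny 1 265 prints 265 one-character passwords in columns, which is exactly what the output shows; pwgen -Cny 265 1 produces a single 265-character password.

```python
import math
import string

# Constructed guess rates for the comparison (assumptions, not figures from the thread).
GUESS_RATES = {
    "fast unsalted hash, one GPU (assumed 1e10 guesses/s)": 10**10,
    "fast unsalted hash, GPU farm (assumed 1e13 guesses/s)": 10**13,
    "slow salted hash (assumed 1e5 guesses/s)": 10**5,
}
SECONDS_PER_YEAR = 31_557_600  # 365.25 days

# Character classes and the size each adds to the pool a random generator draws from.
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
)


def alphabet_size_of(password: str) -> int:
    """Size of the pool implied by the character classes present.

    Only meaningful for randomly generated passwords; a human-chosen phrase
    has far less entropy than this pool size suggests.
    """
    return sum(size for chars, size in CLASSES if any(c in chars for c in password))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(pool size)."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("need length >= 1 and alphabet_size >= 2")
    return length * math.log2(alphabet_size)


def expected_crack_years(length: int, alphabet_size: int, guesses_per_second: int) -> int:
    """Expected years of exhaustive guessing (half the keyspace on average).

    Integer arithmetic throughout, so 94**256 does not overflow a float.
    """
    keyspace = alphabet_size ** length
    return keyspace // 2 // guesses_per_second // SECONDS_PER_YEAR


def approx(years: int) -> str:
    """Order-of-magnitude label; avoids float conversion of huge integers."""
    if years < 1:
        return "< 1 year"
    return f"~10^{len(str(years)) - 1} years"


def report(lengths=(8, 20, 72, 127, 256), alphabet_size=94):
    """One row per length: (length, bits, {rate name: expected years})."""
    rows = []
    for n in lengths:
        bits = entropy_bits(n, alphabet_size)
        per_rate = {name: expected_crack_years(n, alphabet_size, r)
                    for name, r in GUESS_RATES.items()}
        rows.append((n, bits, per_rate))
    return rows


if __name__ == "__main__":
    # Constructed sample: the pool size a meter would infer from a pwgen-style string.
    sample = "aB3!"
    print(f"pool implied by {sample!r}: {alphabet_size_of(sample)} characters")
    for n, bits, per_rate in report():
        print(f"{n:>3} chars, {bits:6.1f} bits")
        for name, years in per_rate.items():
            print(f"     {name}: {approx(years)}")
```

The point the table makes is the one the post makes: at 20 random characters from the full printable set the expected search time is already far beyond any hardware budget, so going from 20 to 256 adds margin against an algorithmic break or a weak hash, not against brute force. The arithmetic applies only to generator output; the same length chosen by a person gives no such guarantee.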
Centuries works for me. If 265 is a top number I wonder what your minimum is?
I’ve been using 20 basically.
^^ this is my new rule of thumb, thank you. I can string together some long difficult passwords on the spot…
amazing. that’s the equivalent of a self-diagnostic.
my next question would be how do you create a plethora of (one-time?) email addresses without putting too much personally identifiable info out there, but I can research that.
It depends on the site. The 256 characters (sorry, 265 was a typo above) is my go-to upper limit, but some may support higher still. If the website balks at 256, I bring it back to 127 (a noted tipping point). If that fails, I try 72.
The characters used also may need to change. So I use extended ASCII in my passwords, but a number of sites block that. Some also block some of the more common symbols.
There are a number of ways, but it would largely depend on your email setup. Alias / catch-all addresses are a simple method, but you’d need ownership of a domain and at least basic email hosting.
ProtonPass is a service that also seeks to address this issue.
thank you for the invaluable information.
A lot of this is math and odds.
Breaches at large corporations seem almost inevitable… but as you say an upper-limit encrypted pw is useless to the black hats.
Lots to chew on.
Well until an hour ago I was thinking this was a bad thing
thanks for your input
Changing passwords is a good practice. Once a year or twice a year is good. Just make sure that when you do change it, your machine does not have a keylogger installed. Also try to keep different passwords for different services. Do not reuse passwords. And especially do not reuse your email password. Have different passwords, for email account and for other online services. These two should never meet.
Remembering different passwords, especially random ones which are 24 characters or more, can be difficult. Invest in a password manager like ProtonPass or KeePassXC or KDE’s KWallet or something similar. A tip: do not put your primary email account password in a password manager. The only place the password of your primary email address ought to exist is in your head. If the password file is hacked or stolen or corrupted, then your primary email address is safe.
lotsa sage advice. I get the feeling your first sentence is a minority viewpoint in this thread with one caveat: if you do change it, upgrade the snot out of it. Those are my plans, more or less.
It’d be scary if someone’s Linux box had a keylogger. I did a Lynis audit the other day and did good, but I’m not even sure Lynis was looking for a keylogger. For giggles: W10/W11 EULAs literally say they are one big keylogger of every second you are on.