<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Monitoring and protecting your reputation online</title>
	<atom:link href="http://major.io/2012/08/06/monitoring-and-protecting-your-reputation-online/feed/" rel="self" type="application/rss+xml" />
	<link>http://major.io/2012/08/06/monitoring-and-protecting-your-reputation-online/</link>
	<description>Words of wisdom from a Linux engineer focused on information security</description>
	<lastBuildDate>Thu, 23 May 2013 09:30:47 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
	<item>
		<title>By: Chris</title>
		<link>http://major.io/2012/08/06/monitoring-and-protecting-your-reputation-online/#comment-29240</link>
		<dc:creator>Chris</dc:creator>
		<pubDate>Wed, 08 Aug 2012 08:36:03 +0000</pubDate>
		<guid isPermaLink="false">http://rackerhacker.com/?p=3691#comment-29240</guid>
		<description><![CDATA[@Joe

The logic behind changing passwords regularly is quite simple.

Not all hacks and attacks are obvious and leave a clear sign that your account has been compromised. In many cases, it is in the attackers&#039; interest to be stealthy. Take your email account for example, a targeted attacker may compromise it, and then continue to monitor your emails without your knowledge (e.g. targeted attacks against people high up in big companies, all that data can be very valuable).

Hence, it makes sense to change your password regularly. So, if your account is compromised without your knowledge, the attacker only has a short window before they lose access.]]></description>
		<content:encoded><![CDATA[<p>@Joe</p>
<p>The logic behind changing passwords regularly is quite simple.</p>
<p>Not all hacks and attacks are obvious and leave a clear sign that your account has been compromised. In many cases, it is in the attackers&#8217; interest to be stealthy. Take your email account for example, a targeted attacker may compromise it, and then continue to monitor your emails without your knowledge (e.g. targeted attacks against people high up in big companies, all that data can be very valuable).</p>
<p>Hence, it makes sense to change your password regularly. So, if your account is compromised without your knowledge, the attacker only has a short window before they lose access.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Joe Julian</title>
		<link>http://major.io/2012/08/06/monitoring-and-protecting-your-reputation-online/#comment-29221</link>
		<dc:creator>Joe Julian</dc:creator>
		<pubDate>Tue, 07 Aug 2012 04:24:54 +0000</pubDate>
		<guid isPermaLink="false">http://rackerhacker.com/?p=3691#comment-29221</guid>
		<description><![CDATA[I would also add that with each financial institution you should ask them to add a codeword. My wife, specifically, is targeted by fraudsters because of her job. Codewords have saved our accounts several times.

Do you have any scientific reference as to why you believe &quot;for critical accounts, force yourself to change the password regularly&quot;? I&#039;d be interested in reading some. It seems counterintuitive. A dictionary hack is quick and efficient. If you&#039;re not using a password that&#039;s dictionary based, odds are pretty good that your account is safe (unless you&#039;re specifically targeted by professional hackers).

Entropy is the key to security. A longer than expected password is also less likely to be hacked. Taking the Tags to the right, there, I could make a password like:

apacheblogcentoscloudcommandlinedatabase 

and it would be pretty secure. Even taking into account the non-rarity of the words, you&#039;ve got several thousand to 1 chance of getting any one of those words. That statistic to the 7th power that you would string them all together. Now throw in some unexpected characters:

apachebl87ogcentosclou42dcomman%dlinedatab*ase

And you have a very kick-ass password that&#039;s not going to be dictionary hacked, leaving two options. Brute force (over 100 years of entropy there) or social engineering.

If you changed that password in 3 months, that brute force attack would be nearly equally likely to hack the new password in the next three months as the first password. The odds that the password will be hacked in that narrow window are nearly equal to each successive window.

Social engineers aren&#039;t waiting around with a good password. They&#039;re just going to use it.

There are, however, negative effects of changing passwords frequently, especially forced password changes. Most of those negative effects are due to human behavior resulting in predictability or decreased situational awareness allowing easier social engineering.]]></description>
		<content:encoded><![CDATA[<p>I would also add that with each financial institution you should ask them to add a codeword. My wife, specifically, is targeted by fraudsters because of her job. Codewords have saved our accounts several times.</p>
<p>Do you have any scientific reference as to why you believe &#8220;for critical accounts, force yourself to change the password regularly&#8221;? I&#8217;d be interested in reading some. It seems counterintuitive. A dictionary hack is quick and efficient. If you&#8217;re not using a password that&#8217;s dictionary based, odds are pretty good that your account is safe (unless you&#8217;re specifically targeted by professional hackers).</p>
<p>Entropy is the key to security. A longer than expected password is also less likely to be hacked. Taking the Tags to the right, there, I could make a password like:</p>
<p>apacheblogcentoscloudcommandlinedatabase </p>
<p>and it would be pretty secure. Even taking into account the non-rarity of the words, you&#8217;ve got several thousand to 1 chance of getting any one of those words. That statistic to the 7th power that you would string them all together. Now throw in some unexpected characters:</p>
<p>apachebl87ogcentosclou42dcomman%dlinedatab*ase</p>
<p>And you have a very kick-ass password that&#8217;s not going to be dictionary hacked, leaving two options. Brute force (over 100 years of entropy there) or social engineering.</p>
<p>If you changed that password in 3 months, that brute force attack would be nearly equally likely to hack the new password in the next three months as the first password. The odds that the password will be hacked in that narrow window are nearly equal to each successive window.</p>
<p>Social engineers aren&#8217;t waiting around with a good password. They&#8217;re just going to use it.</p>
<p>There are, however, negative effects of changing passwords frequently, especially forced password changes. Most of those negative effects are due to human behavior resulting in predictability or decreased situational awareness allowing easier social engineering.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
