I’ve mentioned before how choosing unique passwords and changing them periodically can help keep your account secure, but have you ever wondered why? Today I’ll discuss the methods by which attackers attempt to compromise your account, and how password changes work to effectively thwart them.

When an attacker attempts to compromise your password, they will employ one of two methods. The first method is the so-called “dictionary” attack, which involves trying your username against a large list of common and generic passwords to check for a match. Picture a thief at a locked door holding a key ring with 10,000 keys on it. The thief must try each key to see if it fits, with no real assurance that ANY of the keys will open the door. Although checking the list can be nearly instantaneous for a computer, the attack is only successful if a match is found. Choosing a password meaningful only to you can practically eliminate the risk of being compromised by a dictionary attack. While “puppy” may very well be on the list, chances are “MyWonderPuppy512” is not.

The other attack method is the so-called “brute-force” attack, which tries every possible combination of characters, one candidate at a time, until your password is found. Revisiting our thief/door analogy, the thief is now simply armed with a lock-pick kit. The thief has to attempt to open the lock by manipulating the lock tumblers, one by one. Like lock-picking, the time to success or failure depends on a number of factors: how complicated is the lock? How skilled is the lock-picker? Even for very fast computers, it can take a long time to try every single possible permutation… Think DAYS.

Now, let’s assume that an attacker is currently attempting to compromise your password.  They have tried the dictionary attack, but have come up empty.  Now, they’re trying the brute-force attack.  They’re skilled attackers, so it’s only a matter of time before your password is compromised… NOW WHAT?

If you change your password periodically, you effectively reset the clock on any potential attackers. Think of it as changing out the door lock on the thief WHILE he’s trying to pick it, and without him even noticing! It’s back to square one for the attacker, and back to business for you.
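The two attacks and the “reset the clock” argument, worked through as an added example (this code is not part of the original post or any ITS tool). The wordlist and the guess rate are constructed assumptions; the point is to compare the expected brute-force time for a password against the rotation interval.

```python
import string

# Constructed stand-in for an attacker's "dictionary" of common passwords.
COMMON_PASSWORDS = {"password", "123456", "puppy", "letmein", "qwerty"}

SECONDS_PER_DAY = 86400


def in_dictionary(password: str, wordlist=COMMON_PASSWORDS) -> bool:
    """A dictionary attack only succeeds if the password is on the list."""
    return password.lower() in wordlist


def charset_size(password: str) -> int:
    """Estimate the alphabet a brute-force search must cover for this password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += len(string.ascii_lowercase)   # 26
    if any(c in string.ascii_uppercase for c in password):
        size += len(string.ascii_uppercase)   # 26
    if any(c in string.digits for c in password):
        size += len(string.digits)            # 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)       # 32
    return size


def expected_bruteforce_days(password: str, guesses_per_second: float) -> float:
    """Average days to hit the password: half the keyspace at the given rate."""
    keyspace = charset_size(password) ** len(password)
    seconds = (keyspace / 2) / guesses_per_second
    return seconds / SECONDS_PER_DAY


def rotation_resets_clock(password: str, guesses_per_second: float,
                          rotation_days: int = 90) -> bool:
    """True when the password is expected to be changed before an exhaustive
    search finishes, i.e. rotation sends the attacker back to square one."""
    return expected_bruteforce_days(password, guesses_per_second) > rotation_days


if __name__ == "__main__":
    # Assumed guess rate (constructed): one billion guesses per second.
    rate = 1e9
    for pw in ("puppy", "MyWonderPuppy512"):
        print(f"{pw!r}: in dictionary={in_dictionary(pw)}, "
              f"expected brute-force days={expected_bruteforce_days(pw, rate):.3g}, "
              f"90-day rotation resets clock={rotation_resets_clock(pw, rate)}")
```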

Can changing your password periodically help an already-compromised account? You bet. One final scenario: our hard-luck thief HAS managed to pick the lock on our door and has walked inside, but the room is dark and he needs his flashlight. He runs out to his thief-mobile to get his flashlight, but discovers he left it at home. While the thief is driving back to his lair, you happen to drop by and discover the open door. You promptly change the lock on the door and go home. When the thief returns, he is now facing a brand new lock and another evening’s work. Tired and discouraged, the thief calls it quits. Sound ridiculous? Perhaps, but that is what real-world attackers are up against every day. Even if they have managed to compromise an account, there’s no guarantee that the account will REMAIN compromised. As attackers are primarily opportunistic in their endeavors, they will waste little time on a lost cause. A little data loss is bad on your end, but it’s much better than TOTAL data loss, right?

In conclusion, you should change your password periodically in a time frame that you are comfortable with.  Over the summer ITS will implement a system that will REQUIRE you to change your password at least every 90 days, but shorter intervals are always better.

If you would like to read more about effective password management and the password policies we will be implementing, check out this previous post.

If you have any questions, please feel free to contact the ITS helpdesk at (502) 863-4357.