Constant change of passwords is not such a good idea.

Many of us, working in technology companies of different scale, have repeatedly encountered the most uncomfortable policy of the security service. And if key cards, time tracking and network activity monitoring are the norm, provided that companies have something to hide from competitors, then a constant change of passwords is a very tedious event.

This phenomenon has reached everyone in a different period. The author encountered this fashion among security men in the already distant 2013. As a bolt from the blue, the whole organization was stunned by the news: “within two weeks you must change the passwords, and in the future it will be changed by force every three months”. And I will tell you that this is not a very short period yet. In another company, admin-tyrant, otherwise not named, who also served as the “security service” set the password change period to one month. The most pleasant thing was, by the way, to go on vacation or on sick leave and return from it to a locked account (the VPN refused to give even under the threat of torture), but this is already lyrics.

For those who used KeePass type pass-managers, it was not so scary, but the part of the staff that remembered their passwords by heart was a little (actually a lot) saddened.

Constant change of passwords, instead of increasing the level of security within an organization, only leads to the fact that its security level decreases. And for this there are a number of adequate reasons.
')
Most ordinary users tend to memorize their passwords and not everybody uses pass-managers. If you recommend your family or friends to change passwords every few months, you do them a disservice. After all, a constant password change leads:

• To simplify it, because immediately remembering a complex password is difficult, and they will have to use it, apparently, all the time;
• As a result, for example, only numbers are used, or letters of name, date, etc .;
• If the security policy requires a crypto-resistant password with a variable register, numbers and specials. characters, they begin to write on paper and glue under the keyboard. And some also “laminated” with scotch tape. In severe cases, this is glued to the monitor.

The clearest example of “writing down”, and in this case, printing passwords. In 2015, Habré had an article about hacking a French TV channel, where the discussed “memo” got in the frame

Okay. If we have the opportunity to install a pass-manager in a personal workplace and don’t know trouble, then there are situations when a person simply cannot install third-party software on a working computer.

Have you ever wondered why, in carrying out certain complex operations in a bank, the cashier, in your opinion, has been busy for so long for so long, do not understand what?

In his work, an ordinary employee (cashier) uses about a dozen accounts in various software or its segments. In addition to logging into the account during the operation, each one needs to be confirmed with his own password plus, quite often - with the password of the senior cashier or branch manager (we all heard this cry “CONTROL!”). From bank to bank, all passwords can change about once a month, and some more often.

In theory, everything looks decent. Passwords wherever necessary, at least eight characters, different everywhere. In practice, they are universally recorded on pieces of paper and stored in the pockets of vests or under the keyboard.

As a result, instead of a two-tier security system, we get a sieve with the “reminders” already mentioned only because there is an opinion that “changing passwords just like that is useful”.

One of the most common ways to remember a password, if it is impossible to use a pass manager, but you have to change the password every N days, is templating it. This fact is confirmed by security research by staff at the University of North Carolina in 2010.

In their work, they simulated the generation of passwords by users based on the principle of templating, and then, based on this, conducted an “attack” on the accounts, taking into account the search of the most likely passwords before the security system responds to what is happening. Under the terms of the task, in the hands of intruders there was an “old”, irrelevant banking base for 7,700 accounts. At that time, researchers, taking into account the pattern of passwords, managed to get access to 17% (!!!) of bank accounts in less than 5 attempts. Another 41% percent of accounts were hacked in about 3 seconds.

More detailed algorithmic calculations can be found in the work itself .

This study once again confirms that once a complex password is created, where a person does not have the ability to use specialized software for storing keys, it is better than the constant replacement of simpler options.

After all, our brains are lazy by nature, and therefore strive to simplify and standardize everything. And this, in turn, leads to the fact that when our even irrelevant data falls into the hands of more or less smart attackers, the constant change of password, if it is a template (and it happens more often), will not help us, but only exclude the possibility use a really hard key to break.