Clark: Change passwords regularly

Change Your Password Regularly

“Make it a habit to change your password regularly. I recommend that you do it every three to six months. Many people are reluctant to do this because it is time-consuming, but it is critical. Set a reminder on your calendar to do this regularly.”

I would like to understand why a password is good for x days, then the next day it’s suddenly unsafe…?

I recently exported my passwords from LastPass and was amazed it was over 400…!!

I’m supposed to change 400 passwords every X months? Ah, no

I don’t know which service it is, but at least one of the password saving programs has an easy way to change certain passwords like Facebook and so on. I doubt it would be THAT useful. I personally have multiple logons for certain sites which customers may or may not be using. In many cases there is a customer login, an admin login and my login to the same hosting site, then a couple of ecommerce Admin and user passwords and perhaps a couple or 3 WordPress logins; all for one site.

For sites you have to decide how secure you need to be. Certainly bank accounts and financial sites should have separate passwords. A site that just wants you to create a login to control whether you get marketing emails does not need to be as secure, especially if you don’t store personal info there. I often sign up for accounts for free software (like offered with Giveawayoftheday.com). I get a free license for certain software so no money changes hand. There are no ‘friends’ or groups of contacts associated with the account, so if it was hacked, no harm. That type of account does not need Fort Knox security.

Anything related to money or finance, I use 2FA and code sent to my cell phone.

But how do you handle this if both your wife and you share an account? This is why I keep very long, complicated and unique passwords for my financial accounts but don’t use 2FA.

Not a problem. I’m a widower. I also use long, complicated p/w’s but still use 2FA. Can’t be too safe.

Back to my Q: is it really necessary to change p/w’s on some schedule?

Contrary to popular belief, I don’t think so. I use the same PW for all the accounts I don’t care if they are hacked. I use unique complicated passwords for emails, etc. that I care about. I also exported my passwords from LastPass to Bitwarden when LastPass was hacked a while ago. Then finally, my financial accounts have unique complex passwords that are not written down anywhere and my wife and I have memorized. I hardly ever change my passwords unless I get one of those notices that some company has been hacked. Then I change those and any others that use the same password.

And back to my comment, I think that is one flaw in 2FA. How do you handle multiple account managers?

When I ask those who support changing p/w’s, I ask “why”?
Never got a logical answer.

Just an extra safety measure. Doesn’t make it right or wrong. Having differing long complicated passwords is likely good enough.

However, @robertpri I noticed you use LastPass in spite of the recent security breaches. Why is that?

If you use different passwords for everything, I don’t see a good reason to be changing them routinely. But, if you’re like me and use the same password for many things and one of those places is hacked, then some hacker could try using that password at other sites and maybe get a hit. However, for really important financial stuff I use unique passwords and 2FA, so I really don’t worry about it that much unless a site forces me to change the pwd.

Nothing I have researched indicates the breach was dangerous. I use a long, complex p/w to access LastPass. According to p/w testers, I’m safe. See pics below.

Beyond that, it requires my Yubikey to access my LastPass.

Beyond that, LastPass cannot access any of my critical accts that use 2FA.

Am I perfectly safe? Of course not! Nothing is perfect.

You haven’t done enough research. Your Yubikey protection on the front door does not matter because the hackers downloaded the actual vaults of customers.

The actual hack details:

Customer accounts compromised:

Just the poor disclosure would be good enough for me to change providers.

Interesting reads. I still don’t understand how they could hack my sixteen digit p/w of caps, LC, numbers and symbols. I also don’t understand why Yubikey does not help, and that’s not mentioned in the articles. [but I don’t pretend to be an expert on this]

None of my $$$$ sites work with just LastPass. They all require 2FA.

If hackers can crack my 16 digit p/w, why not just use those skills to hack into my $$$$ sites?

When the LastPass theft of vaults was noted, I changed my 12 digit p/w to an entirely different 16 digits. Hackers would have to steal the vault again.

The 2FA mechanism protects access to your vault, not the vault itself. It’s the front-door authentication mechanism. The master password is what protects the contents of your vault (the data). The hackers got into the LastPass cloud storage and downloaded the vaults directly.

Nope. They downloaded a copy of your vault with the old master password and with all of the site logins/passwords. The fact that you changed the master password on the vault at Lastpass is irrelevant. Now, if you changed all the site passwords that the vault was storing when it was downloaded…then you are safe.

Hope this helps…it’s the best I can do without going into super tech mode. You can certainly search and find out any more details that you need.
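The reply above makes a point that is easy to miss: once a copy of an encrypted vault has been downloaded, the attacker works on that copy offline, where no 2FA prompt, hardware key or server lockout is involved, and changing the master password on the server later does nothing to the copy already taken. The following is an added example written for this thread, not LastPass code and not based on any published detail of its format. It models a vault as PBKDF2-derived keys plus an encrypt-then-MAC blob (the HMAC-based keystream stands in for a real cipher such as AES), then plays the attacker's side. The iteration count, the sample entries and the wordlist are all constructed for illustration.

```python
"""Added example: why a stolen encrypted vault is an offline target.
Not LastPass code; the format, iteration count and sample data are assumed."""
import hashlib
import hmac
import json
import os

KDF_ITERATIONS = 100_000  # assumed for illustration; the thread gives no figure


def _keys(master, salt, iterations):
    # One PBKDF2 call, split into an encryption key and a MAC key.
    k = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=64)
    return k[:32], k[32:]


def _keystream(enc_key, n):
    # Counter-mode keystream from HMAC-SHA256; stands in for AES in this demo.
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(enc_key, i.to_bytes(8, "big"), "sha256").digest()
    return out[:n]


def seal_vault(master, entries, iterations=KDF_ITERATIONS):
    """What the provider stores: salt, KDF parameters, ciphertext, MAC tag."""
    salt = os.urandom(16)
    enc_key, mac_key = _keys(master, salt, iterations)
    pt = json.dumps(entries).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, len(pt))))
    tag = hmac.new(mac_key, salt + ct, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "ct": ct, "tag": tag}


def open_vault(blob, master):
    """Returns the entries, or None if the master password is wrong."""
    enc_key, mac_key = _keys(master, blob["salt"], blob["iterations"])
    expected = hmac.new(mac_key, blob["salt"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    pt = bytes(a ^ b for a, b in zip(blob["ct"], _keystream(enc_key, len(blob["ct"]))))
    return json.loads(pt)


def offline_attack(stolen_blob, wordlist):
    """Attacker side: try guesses against the copy. No server, no lockout,
    no hardware-key prompt; the only brake is the KDF cost per guess."""
    for n, guess in enumerate(wordlist, 1):
        entries = open_vault(stolen_blob, guess)
        if entries is not None:
            return guess, entries, n
    return None, None, len(wordlist)


def years_to_exhaust(alphabet_size, length, guesses_per_second):
    """Upper bound on search time for a uniformly random password."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)


# Constructed demo data; not real accounts or credentials.
ENTRIES = {"bank.example": "Kx9!mq2Lp", "mail.example": "correct-horse-battery"}
WORDLIST = ["password", "Summer2023!", "letmein", "Password1", "Welcome123!"]


def demo():
    weak_master, strong_master = "Summer2023!", "7hV#pQ2n!zLr9@Xw"
    stolen_weak = seal_vault(weak_master, ENTRIES)      # copy the attacker downloaded
    stolen_strong = seal_vault(strong_master, ENTRIES)
    # The user rotates the master password after the breach: the provider now
    # holds a new blob, but the attacker's copy is untouched by that change.
    seal_vault("new-master-after-breach", ENTRIES)
    cracked, contents, tries = offline_attack(stolen_weak, WORDLIST)
    strong_cracked, _, _ = offline_attack(stolen_strong, WORDLIST)
    return {
        "weak_cracked_as": cracked,
        "weak_tries": tries,
        "recovered": contents,
        "strong_cracked": strong_cracked is not None,
        "old_master_opens_stolen_copy": open_vault(stolen_weak, weak_master) == ENTRIES,
        "new_master_opens_stolen_copy": open_vault(stolen_weak, "new-master-after-breach") is not None,
        "years_16_random_printable_at_1e9_per_s": years_to_exhaust(94, 16, 1e9),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things the run makes concrete. A guessable master password falls in a handful of tries even though the front door had a hardware key, because the attacker never touches the front door; and only the passwords stored inside the copy protect the accounts, so after a vault theft the question is whether the site passwords were changed, not whether the master password was. The 94-symbol, 16-character bound is an upper limit for a uniformly random password and says nothing about a human-chosen one.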

If you use the same password for multiple accounts and one account is compromised, you must assume the others will be or are as well, thus changing your password for those accounts prevents access.

Hackers attempt to access accounts multiple times, not just once. They try over a long period of time. Changing your password reduces the risk they will gain access.

It is also important because if you lose or change computers and other devices it is possible for someone else to gain access to your passwords; regularly changing your password means that if someone gains access to one of those devices, the password that is saved on them will no longer work.

If someone has gained access to your accounts, you may not even be aware that this has happened. Regularly changing your password boots them out.
Cybercrime and identity theft are at an all-time high. Changing your password regularly is just one step you can take to safeguard your accounts.
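Several posts in this thread converge on the same practical rule: a breach notice for one site is the trigger to change that site's password and every other account that shares it. With a few hundred entries that is not something to do by eye. The following is an added example, not part of the thread and not a feature of any named password manager, that reads a password-manager CSV export in the common url,username,password shape and answers two questions: which accounts must be rotated after a given site is breached, and which high-value accounts share a password with anything else. The export and the account names are constructed for the example.

```python
"""Added example: breach-triggered rotation check over a password export.
The CSV below is constructed; the column names are assumed."""
import csv
import io
from collections import defaultdict
from urllib.parse import urlparse

# Constructed export, not real credentials. Most managers can produce this shape.
EXPORT_CSV = """url,username,password
https://www.example-bank.com/login,alice,Qp7!vR2#mX9wLz4t
https://mail.example.net,alice@example.net,correct-horse-battery
https://shop.example.org,alice,Spring2021!
https://forum.example.org,alice,Spring2021!
https://giveaway.example.com,alice@example.net,Spring2021!
https://www.example-broker.com,alice,Spring2021!
"""


def load_entries(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def site_of(url):
    """Normalise a stored URL to a bare host so the same site matches itself."""
    host = urlparse(url).hostname or url
    return host[4:] if host.startswith("www.") else host


def reuse_groups(entries):
    """password -> sorted list of sites using it, only where more than one does."""
    groups = defaultdict(set)
    for e in entries:
        groups[e["password"]].add(site_of(e["url"]))
    return {pw: sorted(sites) for pw, sites in groups.items() if len(sites) > 1}


def rotation_set(entries, breached_site):
    """Every site sharing a password with any account on the breached site.
    If the breached site had a unique password, only it comes back."""
    breached_pws = {e["password"] for e in entries if site_of(e["url"]) == breached_site}
    return sorted({site_of(e["url"]) for e in entries if e["password"] in breached_pws})


def high_value_reuse(entries, high_value_sites):
    """High-value sites whose password is also used anywhere else."""
    shared = set()
    for sites in reuse_groups(entries).values():
        shared.update(s for s in sites if s in high_value_sites)
    return sorted(shared)


if __name__ == "__main__":
    entries = load_entries(EXPORT_CSV)
    print("breach at forum.example.org -> rotate:", rotation_set(entries, "forum.example.org"))
    print("breach at example-bank.com -> rotate:", rotation_set(entries, "example-bank.com"))
    print("money sites sharing a password:",
          high_value_reuse(entries, {"example-bank.com", "example-broker.com"}))
```

In the constructed data the throwaway accounts share one password, which is the trade-off some posters describe, but the broker account was accidentally added to that group, so a breach of the forum would put a money site at risk. The high-value check is the one worth running on a real export: it finds exactly that kind of slip, and it is a one-off audit rather than a calendar-driven rotation of every entry.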

Thanks all.

I am changing all my $$$ account p/w’s, and had NO idea there are so many with money implications…!

I have 422 entries in my password manager. I’m not changing them all periodically.

I change the ones for brokerage, bank, 401k, etc. The money pots.

19 digits, upper lowercase, symbol, numbers, random.

I also change the usernames!

I use email aliases, so if I get an email which purports to be from Vanguard, for example, I just look at the address it used to get to me, and if it doesn’t match I know it’s a fake. It still might be a fake, but the wrong address is 100% diagnostic. If a scammer gets hold of a valid aliased email… I abandon it.

These days I’m using 20 character passwords. No longer 19. I suspect someday it’ll be like 256 char passwords!

I found a nice feature in my OOMA service… I can define, and change at any time, a secondary phone number which rings my home VoIP service. In other words, a phone alias. Actually, you can define multiple aliases.

I’m getting free personal information monitoring using Kroll, since I have been in several major data breaches. I am going to monitor that OOMA alias, and if it ever gets onto the Dark Web, I will change it.

That OOMA alias I will only give out to my money pots, my financial institutions. So now that everyone has all of my data due to all of these breaches, they still are very unlikely to be able to get my correct telephone number. They will be spoofing the wrong phone number for me, and the brokerage or bank call center will see that it’s wrong.

I guess I could make a separate phone number for each money pot… but gah, that’s some work.