I logged on and was told my password was OVER 365 days old!!!
OMG
and I HAD TO CHANGE IT!!
so I changed it
then logged on
and changed it back
why am I changing my password?
how does changing password help "protect" my account?
the myth of CHANGE YOUR PASSWORD TO PROTECT YOU
is DEbunked!
https://www.ftc.gov/news-events/blog...ssword-changes
People complain about having so many passwords to remember and having to change them all so frequently. Often, they tell me their passwords (please, don’t!) and ask me how strong they are. But my favorite question about passwords is: “How often should people change their passwords?” My answer usually surprises the audience: “Not as often as you might think.” I go on to explain that there is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily. Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases. (And even if a password has been compromised, changing the password may be ineffective, especially if other steps aren’t taken to correct security problems.)
Mandated password changes are a long-standing security practice designed to periodically lock out unauthorized users who have learned users’ passwords. While some experts began questioning this practice at least a decade ago, it was only in the past few years that published research provided evidence that this practice may be less beneficial than previously thought, and sometimes even counterproductive. Let’s take a look at two excellent peer-reviewed papers that address this issue.
What actually happens when users are required to change their passwords?
In The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis, researchers at the University of North Carolina at Chapel Hill present the results of a 2009-2010 study of password histories from defunct accounts at their university.
The UNC researchers obtained the passwords to over 10,000 defunct accounts belonging to former university students, faculty, and staff. Users were required to change the password for these accounts every 3 months. For each account, the researchers were given a sequence of 4 to 15 of the user’s previous passwords – their total data set contained 51,141 passwords. The passwords themselves were scrambled using a mathematical function called a “hash.” In most password systems, passwords are stored in hashed form to protect them against attackers. When a user types in a password, the system runs it through the same mathematical function to produce a hashed version of the password they just typed. If it matches the hashed password that was previously stored for the user, then the user is able to log in.
The UNC researchers used password cracking tools to attempt to crack as many hashed passwords as they could in an “offline” attack. Offline attackers are not limited to a small number of guesses before being locked out. Attackers first gain access to a system and steal the hashed password file. They take that file to another computer and make as many guesses as they can. Rather than guessing every possible password in alphabetical order, cracking tools use sophisticated approaches to guess the highest probability passwords first, then hash each guess and check to see whether it matches one of the hashed passwords. The UNC researchers’ password cracking system ran for several months and eventually cracked about 60% of the passwords. For 7,752 accounts, the researchers were able to crack at least one password that was not the last password the user created for that account. The researchers used the passwords for this set of accounts to conduct the rest of their study.
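The hashing and offline-cracking process the quoted article describes, as an added example that is not part of the forum post or the FTC article. It builds a constructed "stolen hash file" (random per-user salt, SHA-256 of salt plus password), then runs an offline guesser that tries a short most-common-first wordlist and, where an earlier password for the account is already known, a handful of predictable edits of it (bump the year, add or drop a trailing symbol, flip the case of the first letter). The wordlist, the accounts and the specific transform rules are illustrative assumptions, not the UNC study's data or transform set; fast SHA-256 is used only so the attack fits in a few lines, and a real system should store passwords with a deliberately slow scheme such as bcrypt, scrypt or Argon2.

```python
import hashlib
import os
import re


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256, standing in for whatever hash the stolen file uses.
    (Assumption for illustration; production systems should use a slow hash.)"""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_record(password: str) -> dict:
    """Create one entry of the 'hashed password file' with a fresh random salt."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed sample accounts. 'old' is a previous password for the account that
# the attacker already cracked from an earlier copy of the file (None if unknown).
ACCOUNTS = {
    "alice": {"record": make_record("Summer2015!"), "old": "Summer2014!"},
    "bob":   {"record": make_record("password1"),   "old": None},
    "carol": {"record": make_record("xk3#Qv9!tLp2wRz"), "old": "Winter2013"},
}

# Constructed 'highest probability first' list; real tools use far longer
# dictionaries ordered by how often each password appears in leaked data.
COMMON_PASSWORDS = ["123456", "password", "password1", "qwerty", "letmein"]


def predictable_transforms(old: str):
    """Yield guesses derived from a previous password in the predictable ways
    the article describes. These rules are illustrative assumptions."""
    yield old
    # Increment a trailing number, keeping any symbol after it: Summer2014! -> Summer2015!
    m = re.fullmatch(r"(.*?)(\d+)(\W*)", old)
    if m:
        head, digits, tail = m.groups()
        yield head + str(int(digits) + 1).zfill(len(digits)) + tail
    # Drop a trailing symbol if present, otherwise try adding one
    if old and old[-1] in "!@#$":
        yield old[:-1]
    else:
        for c in "!@#$":
            yield old + c
    # Flip the case of the first letter
    if old and old[0].isalpha():
        yield old[0].swapcase() + old[1:]


def crack(record: dict, candidates) -> tuple:
    """Offline attack: hash each guess with the record's salt and compare it to
    the stored hash. Returns (recovered_password_or_None, guesses_made)."""
    attempts = 0
    for guess in candidates:
        attempts += 1
        if hash_password(guess, record["salt"]) == record["hash"]:
            return guess, attempts
    return None, attempts


def crack_all(accounts: dict) -> dict:
    """Run the offline attack against every account, trying the common list first
    and then edits of a known previous password where one exists."""
    results = {}
    for user, info in accounts.items():
        candidates = list(COMMON_PASSWORDS)
        if info["old"]:
            candidates.extend(predictable_transforms(info["old"]))
        results[user] = crack(info["record"], candidates)
    return results


if __name__ == "__main__":
    for user, (password, attempts) in crack_all(ACCOUNTS).items():
        status = f"cracked as {password!r}" if password else "not cracked"
        print(f"{user}: {status} after {attempts} guesses")
```

Alice's new password falls to the second transform of her old one, Bob's to the common list, and Carol's, an unrelated string, survives the whole candidate set; the number of guesses each takes is the point, since an offline attacker pays no lockout cost per guess and only the hash function's speed limits the rate.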