What is the logic behind being asked to re-set a password that has not been cracked?
Both here and on a bank site I use I get nagged to change my password. I cannot see any logic to this request. If I use a strong password that has not been cracked and there have been no issues with the sites I visit I cannot see any point in changing my password. It works, why try something different?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
There was an article a while back saying how this is actually pointless and dumb. It causes more issues than it’s worth. I’ll see if I can find this article again.
0 -
The bank site is just following old advice to reset passwords regularly. As @prime says, this is no longer recommended.
As for "here", presumably meaning this forum, though the forums run by Vanilla do not appear to have been breached, a potential breach was found recently and users are recommended to change their password. You would not normally be nagged to change, it is a one-off precaution.
0 -
This is a good question. When it comes to your bank, I suspect it's a matter of "old habits die hard". For years, the general recommendation has been to regularly change passwords, even though luckily we are starting to grow out of it. It will still be a long road though, I suspect, before everyone stops recommending this.
I think a lot of this comes down to the complexity of the password itself. Typically, banks have password rules that are often considered insecure (I have often seen banks that only allow you to use digits for your PIN, or allow you a maximum length of 8 characters), so in these cases they decide to recommend changing the password regularly, rather than allowing you to use a stronger one.
I have read quite a few resources about this practice (possibly even the article that prime mentioned): if you force a user to constantly change the password, what a user will typically do is that they will come up with some rules that make it easier for them to remember the new password (for example, just by adding "1", "2" or "3" at the end of the existing password), without actually bringing any security benefit. If you add obstacles such as this one, users will naturally try to avoid the issue altogether, rather than trying to follow the rules, especially if they perceive it to only add unnecessary complexity. In this sense, it is much better to allow complex, random password and only change them when necessary, rather than forcing users to come up with new ones.
When it comes to the notification you have seen on this forum, that was a different matter (as correctly pointed out by danco): Vanilla, the developers of our forum software, discovered a vulnerability in their software, and decided to request a password change to err on the side of caution. For completeness, I should note that what they discovered was not a "breach", but rather a vulnerability, and they decided to be proactive about it and request a password change for good measure.
===
Daniel
1Password Security Team0 -
Might help—although chances are slim at best—to send them a copy of 1PW's "Dear Bank" letter.
Suggest you fax it to them...
0 -
Thanks all for your comments. I guess that I was thinking about the Watchtower feature in 1Password when I asked about what seems to me to be a similar nag to the one from the banks I use. I tend to use quite simple, weak but easy to remember passwords for sites I visit where no money changes hands and security is not an issue and strong unique passwords for anything financial or containing personal information that should be kept secure. The second case is when I ask 1Password to generate the password and when I use simple ones I just use 1Password as a database and invent the password myself.
I'm in the UK and banks here typically only use 4 numeral PINs but these days always in association with a password and increasingly TFA. What they also often do is to ask for specific characters from a password rather than the entire password which as far as I know cannot be handled by 1Password. I therefore have to open and read the login password for the bank site in question and count through to find the right characters to insert. Lots of scope to get it wrong as you scan backwards and forwards between the bank site and 1Password!
0 -
While 1PW cannot fill in specific characters from a password, if you go to the extension and hover over the password, it will say "Copy" but with a down arrow. Click on that arrow to get an option "Show in large type". That will reveal the password in a movable window on the screen with the characters numbered, and it's then easy to fill them in. Easier to do than to explain.
0 -
What they also often do is to ask for specific characters from a password rather than the entire password which as far as I know cannot be handled by 1Password.
Ah yes, this is quite typical for UK banks for some reason. I have found that the tip suggested by danco works best in this scenario: while 1Password cannot automatically fill these letters for you (in certain cases, I have even seen multiple dropdown menus that need to be used to select the correct letter :/ ), but using the large type features helps quite a bit.
0