Wednesday, May 03, 2006

Change Passwords

By: Richard Romando

All passwords should be changed regularly. A change may also be forced
by the fear, or the fact, of a user's current password having been
compromised. As a precaution, any system should provide an encrypted
channel for changing a password: if the new password reaches the system
in the clear, it can be captured before it is even stored in the
password database, and if a compromised employee or any other
intermediary gets hold of the new password there is little to be gained
from the change. Some web sites even include the user-selected password
in an unencrypted confirmation e-mail.
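As an added example (not code from the original post), here is a minimal password-change handler that follows the rules above: it accepts a change only if it arrived over an encrypted channel, requires proof of the current password, stores salted PBKDF2 hashes instead of the password itself, refuses reuse of recent passwords (the concern raised later in this post), and sends a confirmation that never contains the secret. The hashing parameters, the history depth, the PasswordStore class and the transport_encrypted flag are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example (not from the post): PBKDF2-HMAC-SHA256
# with 100,000 iterations, a 16-byte random salt, and a reuse history of 5.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
HISTORY_DEPTH = 5
MIN_LENGTH = 12


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=32)
    return salt, digest


def matches(password, salt, expected):
    """Constant-time comparison of a candidate password against a stored hash."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


class PasswordStore:
    """In-memory stand-in for a password database: only salted hashes are kept."""

    def __init__(self):
        # user -> {"salt": bytes, "hash": bytes, "history": [(salt, hash), ...]}
        self._records = {}

    def enroll(self, user, password):
        salt, digest = hash_password(password)
        self._records[user] = {"salt": salt, "hash": digest, "history": []}

    def verify(self, user, password):
        rec = self._records.get(user)
        if rec is None:
            # Hash anyway so an unknown user costs as much time as a wrong password.
            hash_password(password)
            return False
        return matches(password, rec["salt"], rec["hash"])

    def change_password(self, user, current, new, transport_encrypted=True):
        """Replace a user's password. Returns (ok, reason)."""
        # The post's first point: a new password that travelled in the clear
        # may already be in an eavesdropper's hands, so refuse to install it.
        if not transport_encrypted:
            return False, "password change must arrive over an encrypted channel"
        # Require proof of the current password before accepting a new one.
        if not self.verify(user, current):
            return False, "current password incorrect"
        if len(new) < MIN_LENGTH:
            return False, "new password must be at least %d characters" % MIN_LENGTH
        rec = self._records[user]
        # The post's last point: reject reuse of the current password and of
        # any password still in the recent history.
        previous = [(rec["salt"], rec["hash"])] + rec["history"]
        for salt, digest in previous:
            if matches(new, salt, digest):
                return False, "new password was used recently"
        rec["history"] = previous[:HISTORY_DEPTH]
        rec["salt"], rec["hash"] = hash_password(new)
        return True, "password changed"

    def confirmation_message(self, user):
        """A confirming e-mail should report the event, never the password itself."""
        return ("The password for %s was changed. If you did not do this, "
                "contact support immediately." % user)


if __name__ == "__main__":
    store = PasswordStore()
    store.enroll("alice", "correct horse battery")
    print(store.change_password("alice", "correct horse battery",
                                "correct horse battery"))
    print(store.change_password("alice", "correct horse battery",
                                "staple gun warehouse 9"))
    print(store.confirmation_message("alice"))
```

The transport_encrypted flag stands in for whatever the real deployment checks (for a web application, that the request came in over TLS); the handler never logs or returns the plaintext, so the only copy of the new password that persists is its salted hash.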

Today, replacements for lost passwords are mostly issued automatically
by identity management systems. To verify the user's identity, the
system asks questions and compares the answers with ones stored
earlier, for example "Where were you born?", "What is your favorite
soccer club?" or "Who is your favorite actress?". In many cases the
answers can be guessed, found by research, or obtained through social
engineering. Although many users have learnt never to reveal a
password, few consider the name of their favorite soccer club to need
similar care.

If users are forced to change their passwords frequently, a valid
password in the wrong hands eventually becomes unusable. Many operating
systems now provide such password-aging features, though they are not
yet universally used. Their security benefit is limited, because
attackers often exploit a password as soon as it is compromised. In
several instances, particularly with administrative or "root" accounts,
an attacker who gained access altered the operating system so as to
retain access even after the initial password expired.
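As an added example (not from the original post), the following script shows how the password-aging fields of a shadow(5)-style record decide whether a password is still valid, about to expire, expired, or locked out once the inactivity grace period has passed. The records, the user names and the reference date (the post's own date, 3 May 2006) are constructed for the example; hashes are elided as "x".

```python
from datetime import date

EPOCH = date(1970, 1, 1)


def days_since_epoch(day):
    """shadow(5) stores dates as days since 1970-01-01."""
    return (day - EPOCH).days


def _int_or(value, default=None):
    return int(value) if value != "" else default


def aging_status(shadow_line, today):
    """Classify one shadow record as of `today` (days since epoch).

    Returns (user, state, days_left) with state one of
    no-aging, must-change, ok, warn, expired, locked.
    """
    fields = shadow_line.rstrip("\n").split(":")
    fields += [""] * (9 - len(fields))          # tolerate short records
    user, _hash, lastchg, _min, maxdays, warn, inactive, _expire, _flag = fields[:9]
    lastchg = _int_or(lastchg)
    maxdays = _int_or(maxdays)
    warn = _int_or(warn, 0)
    inactive = _int_or(inactive)

    if lastchg == 0:
        # Special value: the user must change the password at next login.
        return user, "must-change", 0
    if lastchg is None or maxdays is None or maxdays >= 99999:
        # Empty fields (or the conventional 99999) disable aging.
        return user, "no-aging", None
    age = today - lastchg
    days_left = maxdays - age
    if days_left < 0:
        # Past the maximum age; once the inactivity grace period is also
        # used up, the account can no longer log in at all.
        if inactive is not None and -days_left > inactive:
            return user, "locked", days_left
        return user, "expired", days_left
    if days_left <= warn:
        return user, "warn", days_left
    return user, "ok", days_left


def report(shadow_lines, today):
    """Map each user to its aging state."""
    return {user: state for user, state, _ in
            (aging_status(line, today) for line in shadow_lines)}


def needing_change(shadow_lines, today):
    """Users whose password must be changed before they can work normally."""
    return sorted(user for user, state in report(shadow_lines, today).items()
                  if state in ("must-change", "expired", "locked"))


# Constructed sample records (not from a real system), dated relative to
# the post's own date so the run is reproducible. Hashes are elided as "x".
TODAY = days_since_epoch(date(2006, 5, 3))
SAMPLE_SHADOW = [
    "alice:x:%d:0:90:7:::" % (TODAY - 10),     # changed 10 days ago
    "bob:x:%d:0:90:7:::" % (TODAY - 85),       # 5 days left, inside 7-day warning
    "carol:x:%d:0:90:7:::" % (TODAY - 100),    # 10 days past the 90-day maximum
    "dave:x:%d:0:90:7:30::" % (TODAY - 200),   # expired and past 30-day inactivity
    "eve:x:%d:0:99999:7:::" % (TODAY - 5),     # aging effectively disabled
    "root:x:0:0:90:7:::",                      # forced change at next login
    "svc:x:::::::",                            # no aging fields at all
]

if __name__ == "__main__":
    for user, state in report(SAMPLE_SHADOW, TODAY).items():
        print("%-6s %s" % (user, state))
    print("must change:", needing_change(SAMPLE_SHADOW, TODAY))
```

On a real system the same fields are set with chage (for example chage -M 90 -W 7 user) and inspected with chage -l; the point the post makes still stands, since none of these states stops an attacker who already has a shell and has installed another way back in.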

Then again, a user forced to change passwords too frequently may forget
which one is current, and is likely to write the password down or to
reuse an earlier one. Either step is likely to cancel any added
security benefit, so human factors must be considered before such a
policy is adopted.

About the author:
Passwords provides detailed information on Best Passwords, Change
Passwords, Password Generators, Password Protection and more. Passwords
is affiliated with Electronic Keyboard.
