Episode: 4047
Title: HPR4047: Change your passwords once in a while
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr4047/hpr4047.mp3
Transcribed: 2025-10-25 18:59:42

---

This is Hacker Public Radio Episode 4,047 for Tuesday 6 February 2024. Today's show is entitled "Change Your Passwords Once in a While". It is hosted by Delta Ray and is about 16 minutes long. It carries a clean flag. The summary is: Delta Ray provides compelling arguments for why you should change your passwords periodically.

Hi, I'm Delta Ray and welcome to Hacker Public Radio. Have you ever accidentally typed your password into the username field and then pressed enter, and hoped that nobody saw that or that it wasn't logged someplace? I remember back in the 1990s, I was in a college class and a college professor did just that. They had their login screen on a Sun Solaris workstation projected onto the screen for the whole class to see, and then they proceeded to type their password into the username field and everybody could see it. I kind of looked around to see if anybody was writing this down or something. I didn't write it down, because I thought that was a bad mistake, but you never know who knows your password now. Or maybe you've gone to some free, unencrypted hotel Wi-Fi at a conference or at a hotel or maybe at a public park or something like that, and then you use that to type in your password to get back to some unencrypted HTTP website that you run, or something like that.

Change your passwords every once in a while. I know that there's this NIST recommendation that in the past would tell companies that they should force their employees to make a password change every 90 days or whatever. This isn't what I'm really talking about, and so if your first instinct when I tell you to change your password is to say, "Oh, that doesn't actually work," well, I'm not talking about a forced password change policy.
I'm talking about you personally, in order to reduce the risk of your accounts being compromised. You should consider changing your passwords maybe every couple of years, or once a year or something. If you find yourself saying, "I like my password, I'm attached to it," it's probably time to change it, because that kind of attitude leads to holding on to that password for much longer than you need to. As time goes by, the risk of your password being known through some means only increases.

Have you been using the same password for five years, 10 years, 15, 20 years? Who knows? Maybe 20 years ago you picked a really strong password that has been able to meet the requirements. That's great: you're able to meet the requirements of what is a strong password, and it's held up over 20 years. There's a good chance that you've exposed that password somehow over the past 20 years, whether it be system administrators logging clear-text passwords for the purpose of debugging and your password ending up in a log file somewhere, or shoulder surfing, or typing it in while there are surveillance cameras watching you and somebody behind the surveillance camera can see what you're typing. Maybe you got infected with malware and a keystroke logger recorded your password. One of the more extreme pieces of research that was done was that some cybersecurity researchers were able to do audio analysis of somebody typing and produce a list of likely candidates for what was typed, based on the distance between keystrokes that were pressed and so on. Maybe you've said your password in your sleep; especially if it's a passphrase, you might have actually said it out loud and you just don't know it.
Or being able to guess it: somebody might be profiling you, somebody might see what your personal interests are, and maybe you like some sports team or some soft drink or something like that and you work that into your password, or your kids' ages, or all kinds of things that people use in their passwords. There's a great Jimmy Kimmel episode where they interviewed people on the street and were able to basically get their password out of them just by asking them some personal questions. But over time, the likelihood that you've exposed it just goes up.

In my own experience, I've been a system administrator since the '90s, working at an internet provider and running a web hosting company, and working as a sysadmin in other locations, large enterprises and stuff like that. I've had people tell me their passwords just outright because they're trying to be helpful in solving their problem. I've seen passwords, people accidentally typing them into username fields and stuff like that. Or I've turned on clear-text password logging for the purpose of debugging one account, maybe just for a short time, but turning it off afterwards and then clearing the logs. But that's not to say that somebody didn't just leave that on all the time. You don't know. You don't know what the system administrators are doing where you're using services.

One of the biggest problems that people have is that they reuse their passwords in multiple places. This is one of the number one reasons why accounts are compromised, because you maybe log into some tech forum someplace and you use the same password that you do for your email or your bank account or your workstation at home or laptop. That forum got compromised because they weren't that careful with the security at that forum. Maybe it was just some small forum that was run by somebody who didn't have a lot of time to secure it.
Then now the malicious actors have a log of your password, and maybe the forum even had a tie back to your email account where you get your email normally and stuff. Over time, they might sit on those things for a long time and then walk through all the security controls for online password protection, just bypassing them and getting into your account. 10 years later, you're like, how did they just get into my account? Well, it's because they've been keeping track of all this stuff for years. There's a great website called Have I Been Pwned by Troy Hunt, where you can type in your email address and see if your account has been compromised someplace and where your password might be known from, from the various data breaches that have happened over the years. So, yeah, don't get too attached to your passwords.

When they say choose a strong password, they usually give you all these requirements: upper and lower case letters, length matters, and so on. You make a longer password, and it's less likely to be guessed because they have to go through more combinations to figure it out, and doing that kind of brute-force guessing is all about getting a copy of the database and doing that attack offline instead of doing an online attack. You know, when you hear about people's passwords being compromised, there are a few different ways that they might do it. If they have to try to do an online attack, where they have to try to log into the service, of course there's hopefully going to be controls in place that will make it so that they can only try so many times before they get blocked in the firewall or something like that.
But an offline attack is where they use some other vulnerability of the system to grab a copy of the database and then run a brute-force password guesser like John the Ripper or Hashcat or something like that against the database, trying maybe millions or even billions of combinations per second to try to crack your password. And that's more than you can hope to protect against. So you have to choose one that's very strong and long. You know, I say at least 12 characters or more, but probably even 16 characters or more at this point.

And the whole point of those requirements is really, and this is what they don't really tell you, the whole point of strong passwords is to make it so that the password is unguessable. That's it. You know, not guessable by humans, either by them guessing what your password might be based on your interests, or guessable by computers just doing combinations, or maybe guessable by AI trying to profile you and doing combinations, as a combination of tactics. But it's really about making it so it's not guessable. And the reason why I say this is because you might say, well, I chose this passphrase that's really long, but it turns out it's a quote from a movie or something like that. And so it may be a 16- or 24-character passphrase, but it really is important that it's not guessable. And so maybe your best bet is to use what's called a Diceware passphrase, where you choose four different words from the dictionary by rolling a die and choosing the page of the dictionary or something like that. You can also use the look command, where you can use look in combination with grep and xargs to generate a Diceware passphrase. Yeah, I mean, come up with a Diceware passphrase that way. You're not tying it to your personal interests that way.
It's not based on, for instance, things that are in front of you, like things that you're reading off of or whatever, that could later be determined, and so on.

And use a password manager. This one is kind of a touchy subject for some people. A password manager, even though some of them have had security problems over the years, is generally a better option than just reusing the same password everywhere or using a weaker password everywhere. So find a trusted, vetted password manager. There's 1Password and Bitwarden, and in the past LastPass was considered really good, but they've done some stuff over the years that has become more questionable. Initially it wasn't such a big deal for the URL to be known and be unencrypted, but of course they started back in the 2000s, before a time when authentication tokens were showing up in URLs and stuff like that. And so that practice that they had has over time become more questionable. But for a long time LastPass was doing things the right way and was considered a safe option. But now things have kind of changed.

And I would caution you about just running away whenever there's a security problem in a password manager. There are going to be security problems in password managers, but it's all about: were they doing the right thing in managing the way the binary blob of your passwords was being handled? Are they responding to it well? The security vulnerability that came up, is it really affecting your password being seen in clear text or not? If we get into this habit of running away from a password manager just because it had a security problem, we're going to run out of good options for password managers, because only so many people know how to make them properly. Some companies put the password on their end and they have a key to it and stuff like that. That's no good. You don't want them to have a key to it.
And there's plenty of other articles and podcasts that talk about this thing. But what I'm here to say about it is we can't just blindly run away every time there's a security problem with a password manager, because unlike a lot of other software, it's hard to make a good one. And there's only so many people who are going to make good ones. If we keep on running away from ones that are good just because they have a security problem, we're going to run out of good options, because we're going to end up boycotting all the good ones or something. So don't just quickly run away without really thinking about: is this really a problem, or is it just a vulnerability that doesn't actually expose my credentials? They had a hack, sure, but it didn't really expose my credentials. And just to be safe, you might change your master password on your password manager or something.

And the other thing I recommend is don't click on the checkbox that says save your master password. That's the one that you need to remember. Don't click on the checkbox that says save your master password. You have to memorize that, because when you do check the box that says save your master password, now you're putting your password database at risk by making it so that if somebody gets access to your browser cache or your browser configuration, they might be able to just load up your browser and access your password manager database. I've tested this before with LastPass, and it actually worked. So don't do that. I wish they wouldn't even put that there. And unfortunately, they probably get complaints from users that say, why do I have to memorize this master password? I thought you were supposed to make this easier and stuff. And so then they change it, and they put this bad option in there.
Also use two-factor; try to use two-factor authentication where you can. I know it can be a pain sometimes, but it really is protecting you; it's reducing your risk of having your first-factor password compromised and your account taken over. That doesn't mean that two-factor is a silver bullet. There are ways that attackers are able to get around two-factor by social engineering attacks and so on. So you still have to be careful, but it's definitely a lot better than not having it. And yeah, okay. So thanks, and I'm curious to hear your comments and feedback about this. And change your passwords once in a while. Okay. Bye.

You have been listening to Hacker Public Radio at HackerPublicRadio.org. Today's show was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, click on our contribute link to find out how easy it really is. Hosting for HPR has been kindly provided by AnHonestHost.com, the Internet Archive and rsync.net. Unless otherwise stated, today's show is released under a Creative Commons Attribution 4.0 International license.
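The Diceware and offline-cracking points from the episode, worked through as an added example. This is editor-written code, not the host's look/grep/xargs pipeline and not part of the show: it draws words with a CSPRNG, computes passphrase entropy from list size and word count, and estimates how long an offline attacker at a given guess rate would need on average. The word list is a constructed stand-in for a real 7776-word Diceware list, and the guess rate of a billion per second is a round assumption matching the "millions or even billions of combinations per second" range mentioned in the talk.

```python
"""Added example: Diceware-style passphrase generation and a guessability
estimate for the offline-cracking scenario described in the episode.

Assumptions (editor's, not the episode's): SAMPLE_WORDS is a constructed
stand-in for a real Diceware list; the guess rates are round numbers.
"""
import math
import secrets

# Constructed sample word list. Real Diceware lists have 7776 words; this
# short list exists only so the example runs offline.
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "gravel", "harbor",
    "ivory", "juniper", "kettle", "lantern", "marble", "nectar", "orbit", "pebble",
]

DICEWARE_LIST_SIZE = 7776  # 6**5: five rolls of a six-sided die index one word


def diceware_passphrase(words, count=4, separator=" "):
    """Pick `count` words uniformly at random using the secrets CSPRNG.

    The strength comes from the uniform random choice, not from the words:
    a phrase that reads naturally is fine as long as it was rolled, not picked
    from the user's interests or a movie quote.
    """
    if count < 1 or not words:
        raise ValueError("need at least one word and a non-empty word list")
    return separator.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(list_size, count):
    """Entropy of a random passphrase: count * log2(list_size).

    This is the keyspace an offline attacker who knows the list and the word
    count must search; the character length of the phrase does not matter.
    """
    return count * math.log2(list_size)


def expected_crack_seconds(entropy_bits, guesses_per_second):
    """Expected offline cracking time at a given guess rate.

    On average the attacker succeeds after searching half the keyspace.
    """
    return (2 ** entropy_bits) / 2 / guesses_per_second


def known_quote_entropy_bits(num_quotes):
    """Entropy of a 'long' passphrase that is really one of N known quotes.

    A 24-character movie quote drawn from a corpus of 100,000 well-known
    quotes carries only log2(100000), about 16.6 bits, however long it is.
    """
    return math.log2(num_quotes)


if __name__ == "__main__":
    print("sample passphrase:", diceware_passphrase(SAMPLE_WORDS, 4))
    for words in (4, 6):
        bits = passphrase_entropy_bits(DICEWARE_LIST_SIZE, words)
        days = expected_crack_seconds(bits, 1e9) / 86400
        print(f"{words} Diceware words: {bits:.1f} bits, "
              f"~{days:,.0f} days at 1e9 guesses/s")
    print(f"24-character quote from 100000 known quotes: "
          f"{known_quote_entropy_bits(100_000):.1f} bits")
```

Running it shows why the host's warning about movie quotes matters: four Diceware words give about 51.7 bits, six give about 77.5 bits, while a long quote that any cracking wordlist already contains is worth only the size of that list. The guess-rate figure assumes a fast, unsalted hash; a slow password hash on the server side lowers the rate and stretches these times considerably.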