Sunday, May 18, 2008

Change Passwords

Written by Richard Romando

All passwords should be changed regularly. A change in password could also be necessitated by the fear or reality of a user's current password being compromised. As a precautionary measure, any system should provide an encrypted method for changing a password. If a new password is passed to the system in an unencrypted form, security can be compromised before the new password can even be installed in the password database. And if a compromised employee or other intermediary gets hold of the new password, there is little to gain from changing a password. There are some web sites that include the user-selected password in an unencrypted confirming e-mail message.
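As an added illustration (not part of the original article), the sketch below shows a password-change routine that rejects a new password sent over an unencrypted channel, stores only a salted hash in the password database, and builds a confirmation e-mail that omits the password. The function names, the in-memory store and the `scheme` argument are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed in-memory "password database": user -> (salt, derived key).
PASSWORD_DB = {}
PBKDF2_ROUNDS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


class InsecureTransport(Exception):
    """Raised when a new password arrives over an unencrypted channel."""


def _hash(password, salt):
    # Only this salted, slow hash is ever stored, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def set_password(user, password):
    salt = os.urandom(16)  # fresh random salt on every change
    PASSWORD_DB[user] = (salt, _hash(password, salt))


def verify(user, password):
    salt, stored = PASSWORD_DB[user]
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(stored, _hash(password, salt))


def confirmation_email(user):
    # The notice says that a change happened; it never repeats the password.
    return ("Subject: Your password was changed\n\n"
            f"Hello {user}, the password for your account was just changed. "
            "If you did not do this, contact support.")


def change_password(user, old, new, scheme):
    """Change a password; `scheme` is the URL scheme the request arrived on."""
    if scheme != "https":
        # Refuse before touching the database: the new password has already
        # crossed the network in the clear and must not be installed.
        raise InsecureTransport("password change requires an encrypted channel")
    if not verify(user, old):
        return None  # wrong current password, nothing changes
    set_password(user, new)
    return confirmation_email(user)
```

Behind a TLS-terminating proxy the scheme has to be taken from a trusted source rather than from a client-supplied header.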

Today, automatic issuance of replacements for lost passwords is mostly done with the help of identity management systems. To verify the user's identity, questions are asked and the answers are compared with the ones previously stored. Some samples: "Where were you born?" or "What is your favorite soccer club?" or "Who is your favorite actress?" In a number of such cases the answers to these questions can be guessed, found by research, or determined with the help of social engineering. Although many users have now learnt not to reveal a password, only a few consider the name of their favorite soccer team to need similar care.

If a user is forced to change his password frequently, then a valid password in the wrong hands will eventually become unusable. Many operating systems provide such features these days, though they are not yet universally used. The security benefits of these systems are limited, as attackers often exploit a password as soon as it is compromised. In several instances, more so with administrative or "root" accounts, it has been found that once an attacker succeeds in gaining access, he/she makes alterations to the operating system that will allow him/her future access even after the expiry of the initial password.

Again, if forced to change a password too frequently, a user may forget which password is current, and there is almost always a possibility that he will write his password down or reuse an earlier password. Such steps are most likely to cancel any added security benefit. It is imperative that human factors be duly considered before implementing such a policy.
