
For instance, my Google account has a 32-character, random character password that I maintain with LastPass.

I regularly flash new ROMs on my phone or otherwise need to be able to manually type in my password. Not a big deal, but that password hasn't changed for quite some time now. I haven't memorized it, but that password is beginning to feel... familiar. And of course, the only secure password is the one you can't remember.

I'm wondering if this password, or any other passwords that have been in my LastPass vault, need occasional changing, even if the passwords have not been compromised. Something along the lines of the corporate "change-your-password-every-90-days" thing.

The best hackers compromise the target without them knowing, and maybe they find out years later. – cybernard 4 hours ago
If you're of the mindset that you're being targeted by a determined attacker at all times (which isn't necessarily a bad mindset to have), you can assume that someone's trying to brute-force your credentials constantly. Rotating your passwords serves as a strong defense in this kind of situation. – Jules 4 hours ago
While your password is 100% safe against brute-forcing for the next century, are you 100% sure that your computer cannot be attacked? You know, if they somehow manage to put a keylogger on your computer it doesn't matter whether it is 32 characters or 1024... they will find it. Changing your password every 90 days and frequently checking for malware on your computer helps you prevent them from using it for too long. – Bakuriu 4 hours ago

Do you know that they are uncompromised? If you are absolutely sure, then there is no real need to change. Obviously if they are compromised, then go ahead and change. If you do not know, then it becomes more interesting.

That is the main purpose of changing your passwords: just in case they are compromised and you are not yet aware of it. So the whole 90-day password change policy is usually a risk-based compromise between how likely your password is to be compromised and how annoying it is to change and re-remember (or, in the case of a password manager, update and start using).

"then it becomes more interesting" :-) – George Bailey 7 hours ago
If they're compromised and you don't know it, then one of two things has happened: either your own computer or work environment is compromised, in which case your pw manager's master password is compromised and any new password you set will also be instantly compromised, or the site on which the password is used is compromised, in which case using a different password does not change the fact that the site is compromised. – R.. 2 hours ago
"is usually a risk based compromise between how likely is your password compromised and how annoying is it to change". Not really. 90 days is frequent enough that if you're not using the password daily, you're unlikely to remember it at all. (And that the user is logging in that often is not a safe assumption in the slightest.) This causes people to write down their passwords, more often on a PostIt note stuck to their screen than in a password manager. So it's not a compromise; it's a knee-jerk reaction from people who don't understand how problematic it actually is. – jpmc26 31 mins ago
