WHAT I really hate about some banking websites and a lot of government websites is their notion of internet security consists of forcing you to change your passwords on a regular basis. I have never understood (and still don’t) why changing passwords will somehow make your login credentials more secure.
If you use a 5-digit number as your password, say 13092, then change it next month to 24583, then the month after that, to 98730, you have not increased your security one bit. The probability of guessing the password is the same in each case -- one in a hundred thousand or 0.001%. While that may seem to be difficult enough to break using raw brain power, that is a trivial task for a computer, and it would take less than a second to break the password.
What people should be taught instead is how to make passwords more secure by increasing its length, then combining letters and special characters. This greatly increases the complexity. If we were to change one of the passwords above to something like a82Bc9%7, it would now take the computer around 18 hours to crack it.
So the secret is not to keep forcing users to change passwords (which is pointless), but to teach users to make secure passwords in the first place. Then there would be no need to keep changing them. In fact, forcing users to keep changing passwords would cause them to do one of two things -- make a password that’s easy to remember and then to change only one thing about it, or to write down the current password. Both practices certainly do not contribute to security in any positive way.
Many websites have also now adopted the practice of two-factor authentication. This can work in several ways. After entering your password, the website sends another code to your cellphone via text and you have to enter this code in order to complete your login. That means that someone who has hacked your password will find that it is not enough to get into your account as they would need to possess your cellphone as well.
It is good advice, though, not to use the same password in different websites so that when one is hacked and the passwords from that site is harvested, it cannot be used to log in to a different site.
I hope many programmers for bank and government websites stop the practice of asking their users to keep changing passwords and adopt better practices like the ones I mentioned.
*Time and difficulty calculations were sourced from https://www.grc.com/haystack.htm, and assume an offline capability to try a billion guesses per second.
Email me at andy@freethinking.me. View previous articles at www.freethinking.me.