Monday, June 24, 2019

Uyboco: Changing passwords

Freethinking Me

WHAT I really hate about some banking websites and a lot of government websites is their notion of internet security consists of forcing you to change your passwords on a regular basis. I have never understood (and still don’t) why changing passwords will somehow make your login credentials more secure.

If you use a 5-digit number as your password, say 13092, then change it next month to 24583, then the month after that, to 98730, you have not increased your security one bit. The probability of guessing the password is the same in each case -- one in a hundred thousand or 0.001%. While that may seem to be difficult enough to break using raw brain power, that is a trivial task for a computer, and it would take less than a second to break the password.

What people should be taught instead is how to make passwords more secure by increasing its length, then combining letters and special characters. This greatly increases the complexity. If we were to change one of the passwords above to something like a82Bc9%7, it would now take the computer around 18 hours to crack it.

So the secret is not to keep forcing users to change passwords (which is pointless), but to teach users to make secure passwords in the first place. Then there would be no need to keep changing them. In fact, forcing users to keep changing passwords would cause them to do one of two things -- make a password that’s easy to remember and then to change only one thing about it, or to write down the current password. Both practices certainly do not contribute to security in any positive way.

Many websites have also now adopted the practice of two-factor authentication. This can work in several ways. After entering your password, the website sends another code to your cellphone via text and you have to enter this code in order to complete your login. That means that someone who has hacked your password will find that it is not enough to get into your account as they would need to possess your cellphone as well.

It is good advice, though, not to use the same password in different websites so that when one is hacked and the passwords from that site is harvested, it cannot be used to log in to a different site.

I hope many programmers for bank and government websites stop the practice of asking their users to keep changing passwords and adopt better practices like the ones I mentioned.

*Time and difficulty calculations were sourced from, and assume an offline capability to try a billion guesses per second.

Email me at View previous articles at


SunStar website welcomes friendly debate, but comments posted on this site do not necessarily reflect the views of the SunStar management and its affiliates. SunStar reserves the right to delete, reproduce or modify comments posted here without notice. Posts that are inappropriate will automatically be deleted.

Forum rules:

Do not use obscenity. Some words have been banned. Stick to the topic. Do not veer away from the discussion. Be coherent. Do not shout or use CAPITAL LETTERS!