On 09/06/12 05:48, Michael Thomas wrote:
Linkedin has a blog post that ends with this sage advice:
* Make sure you update your password on LinkedIn (and any site that you visit on the Web) at least once every few months.
I have accounts at probably 100's of sites. Am I to understand that I am supposed to remember each one of them and dutifully update them every month or two?
* Do not use the same password for multiple sites or accounts.
So the implication is that I have 100's of passwords all unique and that I must change every one of them to be something new and unique every few months. And remember each of them. And not write them down.
* Create a strong password for your account, one that includes letters, numbers, and other characters.
And that each of those passwords needs to be really hard to guess that I change to every few months on 100's of web sites.
I'm sorry, my brain doesn't hold that many passwords. Unless you're a savant, neither does yours. So what you're telling me and the rest of the world is impossible.
What's most pathetic about this is that somebody actually believes that we all really deserve this finger wagging.
They have some things correct in this and some are complete hogwash. Changing your password does not provide any additional security. It is meant to give protection against your credentials having being discovered, but if they have been compromised in that way, they'll have the one you change it to in next to no time too. If the hashes have been compromised, then yes, it's time to change the password. Having a different password for every website is very important though, as demonstrated many times when these lists of passwords and associated usernames turn up. Anyone who uses the same password on multiple sites will find that they have their accounts on multiple services accessed instead of just the original. What is needed are unique, highly difficult to guess passwords for each of them and that's where something like a password safe comes in. KeePassX is a cross platform and can be configured so that it needs a key file and password. I keep several of them with varying levels of importance. My banking details safe is only opened on a very secure computer. What LinkedIn need to do is improve their security so that they don't leak hashed passwords. Giving mostly correct advice like this shouldn't need to be prompted by a large security event.