The reason you have to change passwords often is because IT security is bad.
Password complexity requirements for the most part are not a mandatory element of data security. There aren't teens in their underwear in basements trying to guess your password 50,000 times, because most services that require a password lock you out after the 3rd wrong guess.
Instead password requirements are a side effect of poor server security. Because if the servers of the world storing our login passwords were properly secured, we could all get by on 12 character passwords using pretty much any characters we wanted to and they would never expire.
Don't believe me? When was the last time Google or Apple or Office 365 asked you to change your password because it had been used too long?
Having said that, the main reason we're asked not to use passwords for too long is because of the expectation that sooner or later our passwords will be compromised due to poor server security, and the fact that we tend to use the same password on a lot of different servers. Once a particular password is compromised, any other site account you use it on is basically hacked. In other words, if the login server at your kid's school is compromised and you happen to be using that same password for 23 other web logins, you better change every single one of those login passwords. The compromise will be made public, on that you can be assured.
This is one of the reasons why when I'm asked whether I believe that storing photos and files online is safe, my answer is yes, with a caveat. If your password is short and weak, you've probably given the keys to the vault away. But if you use something relatively long and unique (but not necessarily complex), you should be fine as long as you're not also using that password somewhere else.
"But couldn't Microsoft or Google or Apple get compromised?" Not likely, as this would crush their business model in a matter of days. All 3 of those companies now make their livelihood from selling data services. They are doing everything they can to protect their asses. And their assets.
Apple had a lot of egg on their face years ago when they allowed people to brute force guess iCloud account passwords without limit and celebrity photos were stolen. That flaw is now long gone.
No comments:
Post a Comment