Passwords: The only constant in life
According to a survey (German language link) conducted by research institute Forsa on behalf of the German Bitkom industry association, 41% of Germans never change the access codes to their online bank accounts, mailboxes, auction sites, PCs or mobile phones unless they have to. Only one in six users (17%) changes important PINs and passwords at least once every quarter. "Fidelity doesn't pay when it comes to passwords – the most important passwords should be changed every three months", said Dieter Kempf, a member of Bitkom's presiding committee.
One in twelve users (8%) only changes access codes every few years, while one in nine (11%) at least changes them annually. Six per cent change their passwords every six months on average, nine per cent change them quarterly, seven per cent monthly, and one in a hundred users even changes them weekly. The survey found that women change their most important passwords less frequently than men: 45% never do (men: 38%), and only 12% change them at least once every quarter (men: 24%). According to Bitkom, teenagers and young adults up to the age of 29 are more switched on: in this group, one in four (27%) reportedly changes the most important passwords at least quarterly. Senior citizens, on the other hand, are lazy: for the over-60s, the figure is only about 4%.
"Private users and businesses are equally affected. Companies should set up the PCs of their employees in such a way that passwords have to be changed on a regular basis. In addition, there should be guidelines for the minimum length and level of complexity of a password", said Kempf. Earlier this month, Bitkom released a password survey which found that 37% of users disclose private passwords for their PCs, internet pages etc. to third parties.
Current cases demonstrate the degree to which password selection can influence the ability to withstand hacking attempts. For instance, according to a report by Brazilian TV station Globo, the FBI failed to carry out a successful dictionary attack on a container encrypted with TrueCrypt for twelve months. The FBI received the files from the Brazilian authorities, who had already unsuccessfully tried to crack them for five months. The files were part of the evidence against banker Daniel Dantas, who was being prosecuted for fraud.
On the other hand, a French hacker who obtained illegal access to various Twitter accounts – including those of Barack Obama and Britney Spears – was recently acquitted. He managed to access the accounts by guessing the passwords of various Twitter admins, which enabled him to post tweets to arbitrary accounts via support tools which were available online at the time.
Whether particularly long and cryptic passwords and frequent password changes offer more protection than short but hard-to-guess passwords depends on the individual case. In the case of TrueCrypt versus a dictionary attack, it would certainly be worthwhile to set up a long password which includes special characters and so on. Such a password would probably also have been sufficient for the Twitter admins to prevent the targeted attack. Instead, it appears the admin passwords included personal information such as names, which could be found out via social networking sites.
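The two failure modes above (a password that a dictionary attack can reach, and one built from personal details an attacker can look up) can be caught before a password is accepted. The following is an added example, not code from the article or from any product it mentions; the word list, the personal-information tokens and the thresholds are constructed for illustration.

```python
import re
from typing import Iterable, List

# Constructed sample word list; a real deployment would use a large dictionary.
COMMON_WORDS = ("password", "letmein", "welcome", "summer", "qwerty")

# Undo the usual digit/symbol substitutions so "S@rah" still matches "sarah".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def _normalize(text: str) -> str:
    """Lower-case and strip common substitutions for matching purposes."""
    return text.lower().translate(LEET_MAP)


def password_weaknesses(password: str,
                        personal_tokens: Iterable[str] = (),
                        dictionary: Iterable[str] = COMMON_WORDS,
                        min_length: int = 12) -> List[str]:
    """Return a list of human-readable findings; an empty list means the
    password passed every check. Checks: minimum length, character-class
    mix, dictionary words, and personal information (names, employer, ...)
    that an attacker could collect from social networking sites."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        findings.append("fewer than three character classes")
    lowered, normalized = password.lower(), _normalize(password)
    for word in dictionary:
        if len(word) >= 4 and (word in lowered or word in normalized):
            findings.append(f"contains dictionary word '{word}'")
    for token in personal_tokens:
        needle = _normalize(token)
        if len(needle) >= 3 and needle in normalized:
            findings.append(f"contains personal information '{token}'")
    return findings


if __name__ == "__main__":
    # Constructed admin whose first name is public on a social network.
    print(password_weaknesses("S@rah2009!!", personal_tokens=["sarah"]))
    print(password_weaknesses("c0rrect-Horse$battery"))
```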
However, private users are rarely the target of a direct attack, because launching, for instance, an untargeted dictionary attack would be too much effort for criminals. Many web pages also block or complicate further log-in attempts after a certain number of failed attempts. Far more often, passwords are disclosed via phishing attacks – in which case not even a one-hundred-character password would help. Here, using different passwords for individual pages can at least minimise the damage.
However, if a PC is infected with a password-stealing trojan (such as ZeuS), not even this will help, because the trojan will record them all anyway. Changing passwords regularly could at least put the criminals off their stride: as they are unable to misuse or pass on the data in real time, there will be a delay before the data is actually misused. If a password has been changed in the meantime (whether there is a known infection or not), the criminal's log-in attempt will fail.