Lost your password? Demystifying how your password was stolen

Whatever password you set, you are expected to keep it safe, yet some users find that their passwords keep getting stolen. Was the password simply too easy? In practice it is rarely that simple. It is easy for attackers to steal passwords, but if we understand the tricks hackers and other rogues use, we can take targeted precautions. Good habits when using a computer matter most of all.

Of course we try to protect our passwords: making them longer, using a mix of character types and special characters, and so on. This genuinely strengthens a password. The same policies usually also require you to change your password every 90 days. The strange thing is that this rule brings no obvious benefit.

Bad guys usually get your password in four basic ways:

(A) Simply asking for it: so-called "phishing" and "social engineering" attacks are still in use and still work

(B) Trying dictionary words against the login prompt and hoping to get lucky

(C) Obtaining the encrypted password or its hash and then decrypting (cracking) it

(D) Using malicious software such as a keylogger to capture the password as you type it

None of these four attacks goes away because you change your password every 90 days. If the bad guys cannot crack the hash (C) within a few days, they will most likely move on to an easier target. Attack (B) is also a quick affair: the bad guys usually try only the first few hundred words, and if those fail they turn to easier prey. If attack (B) or (C) succeeds, or the attacker learns the password through the simpler routes (A) or (D), then on average they need only 45 days to empty your bank account or turn your email address into a stronghold for spam.
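The economics above suggest where a defender's effort actually pays off: rejecting the few hundred words a dictionary attacker (B) tries first, and storing passwords so that cracking a stolen hash (C) costs far more than a few days of effort. The following Python is an added illustration written for this page, not code from the original article; the common-word list is a constructed sample, and the PBKDF2 iteration count is an assumed setting.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for the "first few hundred words" an attacker tries first.
# Real lists are much longer; this is only a sample for the example.
COMMON_WORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou"}

# Assumed iteration count: high enough that each offline guess against a stolen
# hash (attack C) costs a noticeable fraction of a second on the attacker's side.
PBKDF2_ITERATIONS = 600_000


def is_guessable(password: str) -> bool:
    """True if the password is a common word, even with a trailing digit or '!' bolted on.

    A dictionary attack (B) tries these variants first, so a policy that rejects
    them removes exactly the passwords that fall to the quick attack.
    """
    lowered = password.lower()
    stripped = lowered.rstrip("0123456789!")
    return lowered in COMMON_WORDS or stripped in COMMON_WORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow PBKDF2-HMAC-SHA256 hash of the password.

    A per-user random salt stops one precomputed table from covering every user,
    and the iteration count multiplies the cost of every guess in an offline
    attack (C) on a stolen hash.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    for candidate in ("Password1", "correct horse battery staple"):
        print(f"{candidate!r}: guessable from the common list? {is_guessable(candidate)}")
    salt, digest = hash_password("correct horse battery staple")
    print("stored salt:", salt.hex(), "digest:", digest.hex()[:16], "...")
    print("correct password verifies:", verify_password("correct horse battery staple", salt, digest))
    print("wrong password verifies:", verify_password("Password1", salt, digest))
```

The point the check makes is the one the article makes in words: a password that survives the common-word filter and is stored behind a slow salted hash stays hard to recover regardless of how often it is rotated, while a weak one is lost long before any 90-day deadline.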

In the past 25 years or so, the concept of password expiration has not changed. The requirements of information security staff, auditors, PCI, ISO 27002 and COBIT remain the same, yet the threats have changed enormously. Typically, a user with a weak password simply replaces it with another weak one, and forcing a user who already has a very strong password to change it eventually annoys them into picking a simple one.

So what is the point of a 90-day password change cycle? There is one real benefit: if someone has your password and all they want to do is quietly read your email, then changing your password stops them from doing so indefinitely. Regular password changes do not protect against a malicious attacker who is after your secrets, but they do shake off sneaks and snoopers. That much is good. But is that worth the trouble of forcing users to change their password every 90 days? I have some doubts.

The main job of information security risk management should be to identify threats and vulnerabilities and then choose countermeasures. If the chosen countermeasure is unlikely to actually reduce the identified threat, it contributes nothing to security.

Of course, the "best practice standards" handed down by the various parties and by the auditors will force us to follow it anyway.

Copyright © Windows knowledge All Rights Reserved