Re: Changing passwords
One reason for corporate rules on changing passwords regularly is not to defeat serious hacking attempts. It's to defeat the casual sharing of passwords among staff.
I'm currently involved with an organisation where password sharing is the norm and password changes aren't enforced. Trying to ram information security principles and DPA compliance down their throats is hard work, because personal convenience seems to overrule everything as far as the staff (from management level down) are concerned.
It came as a surprise to them to learn that Emily could log onto Richard's computer with her own credentials. So there was no reason for Emily and Richard to know each other's passwords, or, as I found out to my dismay, for them to USE THE SAME PASSWORD.
They don't like the idea of locking their PC when they walk away from it or having a time out that does it for them even when that timeout is set to 15 minutes. Why? Because it's so damned hard to type in their password when they need to use the PC again.
They don't understand that each user should have their own login for each system. Audit log? Controlling different users' access? Removing access when it is no longer needed? None of that is as important as the ease of having credentials of OFFICE and Passw0rd. (Hey look, it's got upper and lower case and a number, so it must be secure.)
In another organisation I came across a user who had been logging on to his PC with another user's credentials for weeks. Why? Because he'd locked his account and the service desk was engaged when he phoned.
This is how users behave. Of course they would deny it until pressed hard enough, but are you surprised that malware is so successful when users put ease and convenience ahead of all else?
Oh and don't look down on them. There's nobody reading this whose security practices are perfect.
Oh BTW the linked article above may mention that password cracking software can generate 8 million passwords per second. So what? How long does it take the system trying to be cracked to process each password attempt? Most take a noticeable time to respond; even if that's only a tenth of a second, that would be about ten days to try those 8 million passwords. And that's before you take into account that most systems get suspicious long before 8 million password attempts. A lock after five attempts of only 15 minutes would extend that ten days out to something like 45 years.
Oh and the number of combinations for an 8 digit password is 200,000 billion if you only include letters and numbers. Include easily typed punctuation and that's 5 million billion. How long would it take to get through that lot even at 8 million a second? Properly chosen passwords are not easy to crack.
Scaremongering is fun but only when it's vaguely realistic.
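The arithmetic behind the post's "ten days", "45 years" and keyspace figures, worked through as an added example (this is not the poster's code, and it goes a little beyond the post by also finishing the "how long would it take at 8 million a second" question). It assumes the post's parameters: 8 million guesses, a 0.1 s response per attempt, a 5-attempt / 15-minute lockout, and 8-character passwords; "easily typed punctuation" is taken to be Python's `string.punctuation` (32 characters), which is my assumption, not the post's. The function names are my own.

```python
"""Online brute-force time under response delay and account lockout, plus
keyspace sizes, using the figures from the forum post above.

Added example; not from the original post. Constants marked as assumptions
are mine, not the poster's.
"""
import string

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Post's figures.
GUESSES = 8_000_000          # cracker output per second in the linked article
RESPONSE_SECONDS = 0.1       # time the target takes to answer one attempt
ATTEMPTS_BEFORE_LOCK = 5
LOCK_SECONDS = 15 * 60

# Assumption: "easily typed punctuation" = string.punctuation (32 chars).
ALNUM = string.ascii_letters + string.digits          # 62 characters
ALNUM_PUNCT = ALNUM + string.punctuation              # 94 characters


def keyspace(length: int, alphabet: str) -> int:
    """Number of distinct passwords of exactly `length` drawn from `alphabet`."""
    return len(set(alphabet)) ** length


def serial_seconds(guesses: int, response_seconds: float) -> float:
    """Time to submit `guesses` one after another, each taking `response_seconds`."""
    return guesses * response_seconds


def lockout_seconds(guesses: int, attempts_before_lock: int, lock_seconds: float,
                    response_seconds: float = 0.0) -> float:
    """Time to submit `guesses` against an account that locks for `lock_seconds`
    after every `attempts_before_lock` failures.

    Every completed batch of failures except the last one triggers a wait; the
    final (possibly partial) batch does not, because the attacker stops there.
    """
    full_batches, remainder = divmod(guesses, attempts_before_lock)
    waits = full_batches if remainder else max(full_batches - 1, 0)
    return guesses * response_seconds + waits * lock_seconds


def offline_seconds(length: int, alphabet: str, guesses_per_second: float) -> float:
    """Time to exhaust the whole keyspace at a cracker's offline guessing rate."""
    return keyspace(length, alphabet) / guesses_per_second


def scenarios() -> dict:
    """The post's four numbers, computed rather than quoted."""
    return {
        # ~9.26 days: the "about ten days" figure
        "serial_days": serial_seconds(GUESSES, RESPONSE_SECONDS) / SECONDS_PER_DAY,
        # ~45.6 years: the "something like 45 years" figure
        "lockout_years": lockout_seconds(
            GUESSES, ATTEMPTS_BEFORE_LOCK, LOCK_SECONDS, RESPONSE_SECONDS
        ) / SECONDS_PER_YEAR,
        # 62**8 = 218,340,105,584,896: the "200,000 billion"
        "alnum_keyspace": keyspace(8, ALNUM),
        # 94**8 = 6,095,689,385,410,816: the "5 million billion" (with my alphabet)
        "alnum_punct_keyspace": keyspace(8, ALNUM_PUNCT),
        # full 8-char alnum sweep at 8M/s: ~316 days
        "alnum_offline_days": offline_seconds(8, ALNUM, GUESSES) / SECONDS_PER_DAY,
        # full 8-char alnum+punct sweep at 8M/s: ~24 years
        "alnum_punct_offline_years": offline_seconds(8, ALNUM_PUNCT, GUESSES) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name:>28}: {value:,.2f}" if isinstance(value, float) else f"{name:>28}: {value:,}")
```

The lockout model is deliberately simple: one account, one attacker, lockouts served in full. Spreading guesses across many accounts or coming from many source addresses sidesteps a per-account lock, which is why lockout is paired with rate limiting and alerting rather than relied on alone; the arithmetic still shows that even a modest lock turns a ten-day job into a decades-long one for the single-account case the post describes.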