Published: 2016/8/9 14:19:25
Is changing passwords frequently more secure? Listen to what the experts say

Faced with a growing number of cyber attacks, we need to protect our personal service accounts more and more strongly. To keep account passwords from being cracked, many service providers and security experts want us to change our passwords every 30 days or every 60 days.

This is certainly beneficial, and it is a good habit. But the habit does not necessarily suit everyone.

Lorrie Cranor, a Carnegie Mellon University professor who is about to become Chief Technology Officer of the United States Federal Trade Commission (FTC), said in a public lecture last week that frequently changing passwords may itself be a threat to account security.

But Lorrie Cranor was not referring to frequent password changes in themselves; she was referring to the way people change their passwords. Researchers at the University of North Carolina at Chapel Hill published a study in 2010 in which 10,000 students and faculty members registered accounts on a test website and were forced to change the password every three months. The study did not only look at each user's final password; it also collected the passwords that were changed during the test.

Analysis of the data found that what frequent password changes actually produce is users applying predictable rules to their passwords. Take the password "welcome1": when asked to change it, users usually turn it into "Welcome1" or "wElcome1", or simply add digits, as in "welcome111".

"The UNC researchers said that if people have to change their passwords every three months, they tend to use stereotypical routines, which we call transformations. They put their old passwords through a number of small changes to make a new password."

Is this a good thing? It is not. The researchers used the data to build transformation algorithms and ran a password-cracking program on a test network to simulate attacks. As a result, 17% of account passwords were broken within 5 attempts, and in an offline brute-force attack using a high-performance computer, 41% of the accounts whose passwords had been changed were broken within three seconds. In other words, a weak base password combined with simple patterned modifications is not reliable against more advanced password-cracking methods.
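One way a service can refuse the patterned changes described above at password-change time, shown as an added example that is not part of the original article or the UNC study. It assumes the change form submits both the old and the new password, so nothing is stored in plaintext; the substitution table, the stripped character set and the edit threshold are illustrative choices.

```python
# Hypothetical defender-side check: reject a new password that is only a
# small transformation of the old one (case change, digits added or
# removed, look-alike substitutions, or a couple of edited characters).

# Assumed look-alike substitutions, mapped back to letters.
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                           "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
EDGE_CHARS = "0123456789!@#$%^&*()-_=+.?"

def skeleton(password):
    """Base form: lowercase, edge digits/symbols stripped, look-alikes undone."""
    core = password.lower().strip(EDGE_CHARS)
    if not core:                      # all digits/symbols, e.g. "123456"
        return password.lower()
    return core.translate(LOOKALIKE)

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def transformation_reason(old, new, max_edits=2):
    """Return why `new` is too close to `old`, or None if it is acceptable."""
    if old == new:
        return "identical"
    if old.lower() == new.lower():
        return "case change only"
    if skeleton(old) == skeleton(new):
        return "same base word"
    if edit_distance(old.lower(), new.lower()) <= max_edits:
        return "within %d edits" % max_edits
    return None

if __name__ == "__main__":
    # Constructed sample pairs, using the passwords quoted in the article.
    for old, new in [("welcome1", "Welcome1"), ("welcome1", "welcome111"),
                     ("password", "passw0rd"), ("123456", "1234567"),
                     ("welcome1", "T7#qLz!vRk2p")]:
        print(old, "->", new, ":", transformation_reason(old, new) or "accepted")
```

A check like this only compares the new password with the one just submitted; comparing against older history would require a different design, since earlier passwords should exist only as hashes.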

In fact, many users still do not care about these issues. Data published online in 2011 showed that "password" was the most commonly used password among internet users, and that year's list of the "25 most common weak passwords" contained no combinations similar to "password". In the 2012 ranking of the 25 most common passwords among internet users abroad, first place still went to "password", but "password1" had entered the top 25. In 2013, "password" dropped to 2nd place while "password1" climbed to 21st.

In 2015, "passw0rd" appeared in the list of most common passwords, ranked 24th. Variants of the famous password "123456", such as "1234567" and "12345678", make the list almost every year.

This matters especially today, when online black markets are flooded with leaked data: if a user's password is the same as or similar to one exposed in a leak several years ago, the chance that attackers sweep up that "innocent" user through credential-stuffing attacks rises greatly. If users do not take these problems seriously, more and more critical accounts will be put at risk.

Another study, by researchers at Carleton University, showed that frequent password changes can only slow an attacker's cracking down; complete defense is not possible.

If you want to keep your account in your own hands as far as possible and do not want to change passwords frequently, it is best to set up, from the outset, a longer password that includes more elements, mixing half-width symbols, digits, and uppercase and lowercase letters. Generating strong passwords with offline encryption software is also a recommended choice.







