 Post subject: Passwords
 Post Posted: Fri Jul 11, 2014 12:25 am 
welcoming committee
Joined: Sun Mar 23, 2014 1:17 am
Posts: 583
I understand the need to have a strong password with numbers, letters, caps and what not but I don't get the need to keep changing the password all the time unless it is the password to Ebay or some such vendor and they were hacked. What is it that makes the new password more secure than the old one?


 Post subject: Re: Passwords
 Post Posted: Fri Jul 11, 2014 1:22 am 
Resident Geekazoid Administrator
Joined: Wed Mar 21, 2012 5:09 am
Posts: 9455
Location: The state of confusion; I just use Wyoming for mail.
There is absolutely nothing more secure about the new password.

The reasons for changing passwords are valid but none have anything to do with the complexity or strength of the old password. Here are a few reasons.
  1. Probably the most valid and important is that you are defending against the hacking of a password data base for a site that IS NOT detected. If the site's web masters don't know that the data base was hacked they are not going to warn you to change your password.
  2. Let's say that your personal system gets hacked. A later security scan detects that it detected a key logger... you would DEFINITELY want to change passwords but only after removing the key logger.
  3. Let's say that you have a guest that you trust a bit more than you should and let them check their email. To make a long story short I've timed it. ANY password entry that automatically shows as '*******' I can crack in under 15 seconds (LOL! Don't ask, no way will I say how. ;) Just know that I have never used this ability in any way that was not requested and legit.).

Bottom line is that it is just another layer to system defense. I'm sure that there will be MANY more examples of why you should change passwords to follow. ;)

_________________
Free sites from jaylach.com
I NEVER forget... I just remember late.

 Post subject: Re: Passwords
 Post Posted: Fri Jul 11, 2014 10:12 am 
welcoming committee
Joined: Sun Mar 23, 2014 1:17 am
Posts: 583
What is a key logger?


 Post subject: Re: Passwords
 Post Posted: Fri Jul 11, 2014 10:18 am 
Moderator
Joined: Thu Apr 05, 2012 3:25 pm
Posts: 1916
Location: Pembrokeshire, South Wales, UK
I change mine occasionally but I also use RoboForm Pro which is Password protected.

_________________
Joan Archer
http://crossstitcher.webs.com

 Post subject: Re: Passwords
 Post Posted: Fri Jul 11, 2014 10:40 am 
welcoming committee
Joined: Wed Apr 11, 2012 6:45 am
Posts: 1073
Allyson wrote:
What is a key logger?

A key logger, usually in the form of a Trojan hiding inside of a rootkit, is one of the, if not THE, absolute worst thing that can infect your system. It literally watches everything that you do, every "Key" stroke and even mouse clicks, hence the name key logger. It then sends that information back to the hacker who now knows all of your passwords, credit card numbers if you made purchases, and even your social security number if you used it so your identity can now be stolen.

Moral of the story: layered security software, not just anti-virus and firewalls, and careful use of the Internet and surfing.
Acadia

_________________
The blazing evidence of immortality is our dissatisfaction with any other solution. -- Emerson


 Post subject: Re: Passwords
 Post Posted: Fri Jul 11, 2014 4:05 pm 
welcoming committee
Joined: Sun Mar 23, 2014 1:17 am
Posts: 583
What is a Rootkit?


 Post subject: Re: Passwords
 Post Posted: Fri Jul 11, 2014 8:19 pm 
Site Admin
Joined: Tue Apr 10, 2012 9:48 pm
Posts: 2954
Location: New Jersey
http://en.wikipedia.org/wiki/Rootkit

Basically, it is a virus that is hidden from the operating system. By being hidden, it cannot be detected by antivirus scans normally. To detect one's presence, typically, the registry in memory is compared to the registry on disk. There are other "fingerprints" that can point to a root kit, too, but they are very difficult to detect.

-steve


_________________
stephen boots
Microsoft MVP 2004 - 2020
"Life's always an adventure with computers!"


 Post subject: Re: Passwords
 Post Posted: Sat Jul 12, 2014 2:07 am 
Resident Geekazoid Administrator
Joined: Wed Mar 21, 2012 5:09 am
Posts: 9455
Location: The state of confusion; I just use Wyoming for mail.
To get back to the actual password question... As I and Acadia have stated it is just another layer of defense to change your passwords. As an analogy think of a password like you would your anti virus. Would you run any anti virus program without allowing it to update its virus definitions? Think of changing your passwords in the same way as doing definition updates to your anti virus software.

_________________
Free sites from jaylach.com
I NEVER forget... I just remember late.

 Post subject: Re: Passwords
 Post Posted: Sat Jul 12, 2014 3:45 am 
welcoming committee
Joined: Sun May 25, 2014 1:27 am
Posts: 121
Location: South of England
In my case, any old password would do when I first started needing them many years ago. It would be something, for instance, containing characters relevant to my date of birth, a favourite drink or something within my line of sight at the time. Add a few numbers to any of those and then use them as passwords. An example being: cardiff1908 (written on a picture mirror that I can see). Perhaps many people do this kind of thing when thinking up a password and these weak passwords are kept forever.

I read and learn (I hope) and now all of those passwords have been changed for ones containing quite long strings of upper/lower case letters, some numbers and some random keyboard characters. An example being: 5/mqd41\Qnj>Q21. This is not one of my actual passwords but this kind of thing.

These passwords can't be remembered, or are too much trouble to look up and type when needed, so the method used for storing and automatically filling in passwords/usernames is 'LastPass'. This browser add-on can generate passwords too. I usually let it do this for new sites and then add or change some characters to the generated passwords.

I have to admit that I tend to keep the stronger passwords. Maybe I should change them from time to time but these passwords are at least better than the first example. I am the only one with physical access to the computer who would have any interest in my passwords ..barring burglars breaking in and stealing the computer perhaps.

_________________
http://homepage.ntlworld.com/boots44/


 Post subject: Re: Passwords
 Post Posted: Sat Jul 12, 2014 8:21 am 
Moderator
Joined: Thu Apr 05, 2012 3:25 pm
Posts: 1916
Location: Pembrokeshire, South Wales, UK
RoboForm can generate passwords as well but I only use them on the odd occasion when first trying out a site. They would need to be changed if kept as they aren't long, just 8 characters, but are fine to start with.

_________________
Joan Archer
http://crossstitcher.webs.com

 Post subject: Re: Passwords
 Post Posted: Sat Jul 12, 2014 10:58 am 
welcoming committee
Joined: Sun Mar 23, 2014 1:17 am
Posts: 583
So if this key logger was hiding in my computer, can the key logger see the real numbers I am typing and I only get to see this ***************** and how does that work?


 Post subject: Re: Passwords
 Post Posted: Sat Jul 12, 2014 5:56 pm 
Resident Geekazoid Administrator
Joined: Wed Mar 21, 2012 5:09 am
Posts: 9455
Location: The state of confusion; I just use Wyoming for mail.
Notice! Please keep in mind that most of the following is speculation as I have never written a key logger. On the other hand I have directly accessed keyboard handlers for special input situations so it is probably pretty good speculation. ;)

Yes, the key logger will see the real characters. I would imagine that a key logger would hook directly in to the keyboard and mouse handlers. You only see ****** because Windows or other software is set to display an asterisk regardless of the actual key pressed. The key logger sees the real characters because it looks for them before they are changed to *****. Also, even though the display shows *****, the real keystrokes are still stored by Windows or other software, they are just not displayed.

The keyboard/mouse handlers are just software usually on a chip but can totally or partially be software as in drivers. It would be possible to have a key logger look at the hidden copy of the keystrokes but it would seem to me that it would be more efficient to look at the handlers. The reason that I say this is that the handlers will be consistent regardless of whether the actual characters are hidden by Windows or any other software. It would be VERY cumbersome if the key logger looked for the stored hidden characters as code would have to be written for every piece of software that hid keystrokes.

_________________
Free sites from jaylach.com
I NEVER forget... I just remember late.

 Post subject: Re: Passwords
 Post Posted: Sat Jul 12, 2014 8:26 pm 
Fearless Leader
Joined: Wed Mar 21, 2012 5:42 am
Posts: 2819
If you can find Snadboy's Revelation, you too can see behind those asterisks. ;)

_________________
Patty MacDuffie
Computer Haven Administrator

Live Long and Prosper
Mr. Spock


 Post subject: Re: Passwords
 Post Posted: Sat Jul 12, 2014 9:16 pm 
Resident Geekazoid Administrator
Joined: Wed Mar 21, 2012 5:09 am
Posts: 9455
Location: The state of confusion; I just use Wyoming for mail.
MacDuffie wrote:
If you can find Snadboy's Revelation, you too can see behind those asterisks. ;)


Snadboy's Revelation:
http://www.softpedia.com/get/Security/P ... tion.shtml

Notice to any and all! As always when doing an install select custom or advanced install options if available and watch for bundled software such as toolbars.

_________________
Free sites from jaylach.com
I NEVER forget... I just remember late.

 Post subject: Re: Passwords
 Post Posted: Sun Jul 13, 2014 4:24 am 
welcoming committee
Joined: Sun May 25, 2014 1:27 am
Posts: 121
Location: South of England
I never put anything past the capabilities of the hacker. I could be wrong but put the following up for discussion:

It is the case that a keylogger can log the keystrokes used to type in a password and so gain knowledge of your passwords that way. However, discovering passwords by reading asterisks, by one way or another, involves having physical access to the computer doesn't it? This being the case, it wouldn't be a worry for a home user since nobody with malicious intent is likely to have access.

Even if someone unknown got their hands on the computer (say the computer went in for repair), it's still not going to be possible to find passwords from asterisks unless a password manager such as LastPass is used to automatically fill in username and password fields. There is a way to stop that by making sure LastPass (or similar) doesn't fill in its master password automatically when the browser starts. If the password manager can't log in, then no passwords are going to be visible under the asterisks.

Isn't it the case that, in practice, people don't need to be concerned about the asterisk way of passwords being discovered by anyone they haven't authorised (and/or trust) to find them?

_________________
http://homepage.ntlworld.com/boots44/


 Post subject: Re: Passwords
 Post Posted: Sun Jul 13, 2014 3:30 pm 
Fearless Leader
Joined: Wed Mar 21, 2012 5:42 am
Posts: 2819
Just try Snadboy's Revelation, Mart. That's programmatic, not physical.

_________________
Patty MacDuffie
Computer Haven Administrator

Live Long and Prosper
Mr. Spock


 Post subject: Re: Passwords
 Post Posted: Sun Jul 13, 2014 3:56 pm 
welcoming committee
Joined: Sun May 25, 2014 1:27 am
Posts: 121
Location: South of England
I know it's the program that finds the passwords but you have to physically be with the computer to use the program? What I was more trying to say, probably not very well, is that such a method isn't a security risk for the home user because it is only the computer owner, or other trusted party, who would be there with the computer to crack the password this way. More of a demonstration that it can be done rather than a real security risk?

_________________
http://homepage.ntlworld.com/boots44/


 Post subject: Re: Passwords
 Post Posted: Sun Jul 13, 2014 5:03 pm 
Resident Geekazoid Administrator
Joined: Wed Mar 21, 2012 5:09 am
Posts: 9455
Location: The state of confusion; I just use Wyoming for mail.
Keep in mind that many, MANY, people let just about any visitor use their system to check email or whatever. Where something like SnadBoys can be a threat is when that home user allows the usage of their system to the wrong person. Is it a huge risk? Probably not at all but still worth the mention.

_________________
Free sites from jaylach.com
I NEVER forget... I just remember late.

 Post subject: Re: Passwords
 Post Posted: Sun Jul 13, 2014 5:38 pm 
welcoming committee
Joined: Sun May 25, 2014 1:27 am
Posts: 121
Location: South of England
Yes, certainly worth a mention. It's only that people read of a way of cracking passwords and become sure that it can happen while browsing or carrying out other actions that might pick up malware. It's just that this particular method of passwords being compromised wouldn't be likely to happen that way. Just thought it worth discussing how it could or couldn't happen. People can then assess the likelihood of it happening to them as a home user.

_________________
http://homepage.ntlworld.com/boots44/


 Post subject: Re: Passwords
 Post Posted: Sun Jul 13, 2014 6:12 pm 
Resident Geekazoid Administrator
Joined: Wed Mar 21, 2012 5:09 am
Posts: 9455
Location: The state of confusion; I just use Wyoming for mail.
Actually there is another side to such software... I'm fairly certain that you have set up a new system for people. Especially those that use an email client with auto log on are not all that likely to remember their passwords. Another good example would be the password for their wireless as that will show asterisks in the entry field without having to 'fool' the system into showing them like an email password. How are you going to set up the new system when no one seems to know passwords? A program such as Snadboy's then becomes a valid 'tech tool' and is of strong value. Or a boot CD I have that will display all Win XP account passwords and another that will reset passwords for Vista, Win 7 and, I think, Win 8 and 8.1. I am an ethical person and I would have to know that the person had legit ownership of the system before I would use such tools but what about the person that is not ethical?

For the unethical person the tools I mention above are no longer valid tools but instead become a menace. Say someone steals a laptop. If the system is password protected they are then stuck either putting a bootleg version of Windows or buying a valid copy. Now what if that thief has the same boot CDs as I? They are in the clear. Boot the right CD and the system is theirs.

The point I'm trying to make is that it normally isn't the software that is bad but the way it is used.

You bring up a valid point in that people can misinterpret things and develop false concerns. Myself, I'd rather a user be overly cautious instead of under. Don't look at this from your viewpoint that includes a high level of common sense and knowledge. In a high percentage of cases the 'common, everyday, user' does not tend to have the knowledge to be able to properly assess threats to their system. It is a sad situation but, unfortunately, the truth. This is why so many systems get infected when the anti virus actually did its job. The AV throws up a warning and the user selects to go ahead and do it anyway because it just can't happen to them and they really want the download.

A LOT of this boils down to a very high level tech term, PICNIC... Problem In Chair Not In Computer. ;)

_________________
Free sites from jaylach.com
I NEVER forget... I just remember late.

 Post subject: Re: Passwords
 Post Posted: Sun Jul 13, 2014 6:15 pm 
Resident Geekazoid Administrator
Joined: Wed Mar 21, 2012 5:09 am
Posts: 9455
Location: The state of confusion; I just use Wyoming for mail.
Hey, Patty, this discussion has gotten rather complicated as to Allyson's direct questions and has also reached a level that is really beyond the novice. Mayhaps we should split off the latter portion of the thread to another in Advanced. What do you think?

_________________
Free sites from jaylach.com
I NEVER forget... I just remember late.

 Post subject: Re: Passwords
 Post Posted: Sun Jul 13, 2014 6:42 pm 
welcoming committee
Joined: Sun May 25, 2014 1:27 am
Posts: 121
Location: South of England
Some good points there Jay. I can see that Snadboy's Revelation will have legitimate uses for someone who works with computers.

I'm not sure how likely it would be that a visitor to the home would install and use it with ill-intent but it wouldn't be beyond a possibility that some could be tricked into it.

But well, not a password cracker that can be picked up as an Internet infection as far as I can see and it may have been thought of that way.

Edit: I think that's all I've got to say about it now ..honest! :)

_________________
http://homepage.ntlworld.com/boots44/


 Post subject: Re: Passwords
 Post Posted: Sun Jul 13, 2014 6:58 pm 
Resident Geekazoid Administrator
Joined: Wed Mar 21, 2012 5:09 am
Posts: 9455
Location: The state of confusion; I just use Wyoming for mail.
As far as something such as Snadboy's being a threat is the fact that it need not be installed. It is just a little stand alone program that can be carried on a flash drive. Plug in the flash drive and double click Snadboy's and any asterisk covered password is yours.

I totally agree that this type of attack is not going to be acquired via internet browsing but, under certain situations, can still be a real threat. Let's take a hypothetical but possible situation; A man and woman are a couple and one suspects that the other is cheating. Each also has their own laptop with passwords. Could not the suspicious half of the couple use such tools to infringe upon the privacy that the other should be able to expect on their system? Under such a situation many may say that the suspicious one has the right to find out... what if they are wrong? Speaking for myself, and I was the 'victim', we would no longer be a couple.

Actually the only reason that I brought up such software was the questions about key loggers. While not actually a key logger such software acts in a similar way, it just gets the keystrokes after the fact instead of in real time.

_________________
Free sites from jaylach.com
I NEVER forget... I just remember late.

 Post subject: Re: Passwords
 Post Posted: Mon Jul 14, 2014 10:42 am 
Fearless Leader
Joined: Wed Mar 21, 2012 5:42 am
Posts: 2819
I don't think the concepts are particularly advanced, Jay. It's fine.

_________________
Patty MacDuffie
Computer Haven Administrator

Live Long and Prosper
Mr. Spock


 Post subject: Re: Passwords
 Post Posted: Mon Jul 14, 2014 8:26 pm 
welcoming committee
Joined: Sun Mar 23, 2014 1:17 am
Posts: 583
I think all of this is out of our hands. The reason I say this is because almost all of our personal information ends up on computers that we have no control over. Just today I signed up with a new doctor and right off, my name, address, phone number, and social security number were entered on their computer system and I must rely on their security measures.

