HTML5, CSS3, and JavaScript Fourth Edition

(Ben Green) #1

CHAPTER 24. PASSWORD RECOMMENDATIONS 236


passwords as its top ten: password, 123456, 12345678, qwerty, abc123, monkey, 1234567, letmein, trustno1, dragon.


24.4 Account Chaining


If a hacker discovers your password on site xyz, they can try the same
username and password on other sites, like email or banking (PayPal) or
shopping (iTunes, Amazon) or social (Facebook, LinkedIn) or gaming (Sony,
Blizzard).


It is good to vary your passwords, at least for accounts that you consider to
be valuable.


If anyone gets your email password, you are in a world of hurt. Normally
they can change any of your passwords because they may all be linked to
your same email address.


24.5 How Often To Change Your Password?


The old-time wisdom says you should change your password often. You
want to change it faster than your enemy can guess it.


In the days of eight-character passwords, it made some sense. Not much,
but some.


The big problem with frequent changes is memorization. Who can memorize
a new password and remember it reliably? When we are forced to change
our password often, one of several solutions typically emerges.


(a) The password gets written down. It’s on the yellow sticky-note under
the desk phone, or on the wall.


(b) The password is the same as before, but just part of it changed. Maybe
it is “alohaFeb2000” in February of 2000, and in March, it will be changed
to ...
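The pattern in (b), rotating a password by swapping one small part, is something a password-change check can catch. The following is an added example, not code from the book: it rejects a proposed new password when most of the old one survives the change (measured with Levenshtein edit distance), and also applies the chapter's top-ten list and its 12-character minimum. The similarity threshold and the function names are this example's own assumptions.

```python
# Added example (not from the book): a password-change check that rejects
# the "same password with one part changed" pattern. The threshold value
# and helper names are this example's assumptions.

# The ten most common passwords quoted earlier in the chapter.
TOP_TEN = {"password", "123456", "12345678", "qwerty", "abc123",
           "monkey", "1234567", "letmein", "trustno1", "dragon"}

MIN_LENGTH = 12            # the chapter's "long, like 12 to 16 characters"
MAX_SHARED_FRACTION = 0.6  # assumed: reject if >60% of the longer password survives


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (classic row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def too_similar(old: str, new: str) -> bool:
    """True when 'new' is mostly 'old' with a small part changed (case-insensitive)."""
    old_l, new_l = old.lower(), new.lower()
    longest = max(len(old_l), len(new_l))
    if longest == 0:
        return True
    kept = longest - edit_distance(old_l, new_l)   # characters that survived the change
    return kept / longest > MAX_SHARED_FRACTION


def check_new_password(old: str, new: str) -> list[str]:
    """Return the policy violations for a proposed password change (empty list = OK)."""
    problems = []
    if new.lower() in TOP_TEN:
        problems.append("in the top-ten common password list")
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if too_similar(old, new):
        problems.append("too similar to the previous password")
    return problems


if __name__ == "__main__":
    # The chapter's own example: February's password rotated for March.
    print(check_new_password("alohaFeb2000", "alohaMar2000"))
```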


If you have a good, secure password, there is no need to change it, ever. By
good and secure, we typically mean long, like 12 to 16 characters, or maybe
more, and hard to guess.


But if you ever think that it has been revealed, compromised, leaked, or
broken, then you should change it, everywhere it is used.
