Password Security

If you change your account password every 3 months vs every 1 year.
Which one is safer?

Changing passwords regularly is more unsafe and insecure according to security researcher Sun Knudsen, for a variety of different reasons. Discussed around the 6 minute mark and is backed by actual real world statistics. Good infosec and opsec information.

Common password misconceptions that fooled me at first

and the related article he wrote here

"4. One should rotate passwords as often as possible.

Security researchers have proven scheduling password rotations is generally less secure given human nature (unless password has been compromised)."

because there is less damage if a key gets leaked.

Why is there less damage if key A is leaked but not B? I don’t get that and it doesn’t seem to answer his question. Why do you believe it’s less secure? I don’t think it’s less secure, technically speaking. A new one isn’t inherently any safer or better than the previous one. They both meet the same standard, yes? The damage that’s possible is equal to any leaked private key. Right?

Or do you mean that if an attacker has compromised a system that they can, instead of having the next 1-3 months of access, continue to have access for as long as a non-expiring key lasts? I suppose if you look at time itself as an attack surface then yes because then time itself is increasing thus your attack surface is growing. There’s lots of variables that would factor into that. And it’s relative to your overall attack surface and threat model which in this case I think is smaller than a desktop pc using any OS or any browser.

I feel as if maybe it’s more a matter of trust than security. Self signed is fine for you yourself when you can lock it down and know it’s safe but no one else whereas any cert issued by a CA has the consensus of the community who trusts them and their qualifications or sanctions by authority. And the those entities would be under constant attack and therefore they would want to renew them more often to protect their reputation which would suffer and maybe make a little extra money by selling more certs?

Did I ever say rotate password? If all you ever did is recycling passwords, well…

Did you read???

I never said to use self-sign cert by itself.
Please stop twisting my words.
Conversation shall end here.

3 Likes

I get where you are coming from, but there are some fundamental differences between passwords and SSL certificates that make it sensible to frequently rotate the latter but not the former.

Passwords need to be memorized, private keys do not. The FTC article from the “proven” link primarily pins the issue of password rotation in that it will result in people using passwords that are easier to remember (because they change frequently), but are weaker as a result. SSL private keys are not memorized.

When leaked, passwords are easily reset, SSL certificates are not. Either the account owner or a systems administrator can block the account and/or setup a new password the moment the breach is discovered. SSL certificates cannot be reliably rotated; SSL revocation is sketchy and not supported everywhere. So if a key gets leaked, you often cannot prevent it from being used completely.

SSL certificates can be obtained maliciously. If someone gets access to your domain’s DNS settings or web server or email account, they can use that to complete the domain verification to get a new SSL certificate. After plugging that hole, the shorter they will be able to use their “hacked” certificate, the lower the risk.

SSL certificates can be renewed automatically, passwords cannot. On premium hosting and Cloudflare for example, you never need to worry about SSL certificates, because the hosting system can autonomously get new certificates for you and install them through automation without anyone having to lift a finger. With passwords, all users need to come up with a new password, memorize them and configure them.


In both cases, I think the benefit of having short lived secrets isn’t that big in the grand scheme of things.

But if you have fully automated Let’s Encrypt certificates, it really makes no difference how long the certificates lasts, because it’s automatic anyways. So then why would you run unnecessary risk by having long lasting certificates?

Frequently rotating passwords has been proven to make the secrets themselves weaker. Which is evidence that password rotation is actually harming security.

6 Likes

Thanks admin, I appreciate your response. I find it interesting but am by no means an expert so this is edifying, thanks for taking the time to write about the differences, very useful information

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.