Nov 28, 2021 Kuina-chan


I tested to see if we should change our passwords regularly or not.
"Please change your password every three months." "Do not reset passwords that have been used within the last five times." That's what I'm often told. I wondered how effective these rules are, so I ran some experiments to check.

1 The Security Of Changing Passwords On A Regular Basis

1.1 Case To Try All Patterns



Let's try it out.
For the sake of simplicity, we will set the password to be a random 4-digit number between "0000" and "9999." Then, a hacker (cracker) who tries to break the password starts by typing "0000" and then types up to "9999" in order. If the hacker cannot break it after typing up to "9999", the hacker goes back to "0000" again and starts over.
Now, if we never change the password, a hacker can always break it in less than 10,000 attempts. This means that, on average, it can be broken in about 5,000 attempts.
So, if we change the password on a regular basis, will the average number of attempts needed to break it rise above this figure of about 5,000? If it does, it means that we should change our passwords regularly for better security.
Each of these was simulated 1,000,000 times, and the results are shown in Table 1-1.
Table 1-1: The Average Number Of Times The Password Is Broken

| How Often To Change Our Password | Average Number Of Times Before Being Broken |
| --- | --- |
| No Change | 4999.96 Times |
| Change Once Every 5000 Times | 7486.71 Times |
| Change Once Every 4000 Times | 8003.51 Times |
| Change Once Every 3000 Times | 8503.57 Times |
| Change Once Every 2000 Times | 8997.70 Times |
| Change Once Every 1000 Times | 9510.94 Times |
| Change Every Time | 9994.50 Times |

The more frequently the password was changed, the more attempts the hacker needed to break it, confirming that changing passwords as often as possible improves security.

1.2 Case Not To Try All Patterns



In the previous example, the hacker kept trying until the password was broken, but let's check another case. Now the hacker types in "0000" to "5999" in sequence, and if that doesn't break it, the hacker gives up. Let's find the probability of the hacker breaking the password in this case.
Each of these was simulated 1,000,000 times, and the results are shown in Table 1-2.
Table 1-2: Probability Of The Password Being Broken

| How Often To Change Our Password | Probability Of Being Broken |
| --- | --- |
| No Change | 60.05% |
| Change Once Every 5000 Times | 55.04% |
| Change Once Every 4000 Times | 52.02% |
| Change Once Every 3000 Times | 51.03% |
| Change Once Every 2000 Times | 48.77% |
| Change Once Every 1000 Times | 46.83% |
| Change Every Time | 45.11% |

This experiment also confirmed that changing passwords frequently improves security.

1.3 Security Without Using Past Passwords



The next step is to verify whether or not it is best to use past passwords as little as possible.
The previous verification showed that it is better to change passwords frequently, so now we will change the password every time. However, instead of picking a new password at each change, we will rotate through a fixed set of passwords. For example, if we have two passwords we will set them alternately, and if we have three we will set them in order, like A, B, C, A, B, C, ....
The hacker types in "0000" to "9999" in sequence, and if that doesn't break it, he gives up. Now, what is the probability that a hacker will break the password?
Each of these was simulated 1,000,000 times, and the results are shown in Table 1-3.
Table 1-3: Use Several Different Passwords

| Number Of Passwords | Probability Of Being Broken |
| --- | --- |
| 1 | 100.00% |
| 2 | 74.92% |
| 3 | 70.36% |
| 4 | 68.30% |
| 5 | 67.20% |
| 6 | 66.48% |
| 7 | 66.02% |
| 8 | 65.68% |
| 9 | 65.35% |
| 10 | 65.14% |

It turns out that the more passwords we rotate through, the lower the probability of them being broken. In other words, we should not reuse passwords that we have used in the past.
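
The three experiments in sections 1.1, 1.2 and 1.3 can be reproduced with one small simulator. This is an added example, not the author's original code: the function and parameter names, counting attempts from 1, drawing rotated passwords independently at random, and the smaller trial counts (so results fluctuate more than the tables) are assumptions made here.

```python
import random

SPACE = 10_000  # 4-digit passwords "0000".."9999"

def attack(rng, change_every=None, give_up_after=None, pool_size=None):
    """Simulate one attack; return the 1-based attempt that succeeds, or None.

    change_every:  defender sets a new password after this many attempts
    give_up_after: attacker stops after this many attempts (None = never)
    pool_size:     rotate through this many fixed random passwords instead
                   of drawing a fresh one at each change (section 1.3)
    """
    pool = [rng.randrange(SPACE) for _ in range(pool_size or 0)]
    password = rng.randrange(SPACE)
    done = 0    # attempts made so far
    period = 0  # how many times the password has been changed
    while give_up_after is None or done < give_up_after:
        length = change_every or SPACE  # guesses made against this password
        if give_up_after is not None:
            length = min(length, give_up_after - done)
        if pool:
            password = pool[period % pool_size]
        elif change_every and period:
            password = rng.randrange(SPACE)
        # Guess number done+k+1 is (done + k) % SPACE, so the password is hit
        # in this period only if its offset k falls inside the period.
        offset = (password - done) % SPACE
        if offset < length:
            return done + offset + 1
        done += length
        period += 1
    return None

def mean_attempts(trials, seed=0, **scenario):
    """Average attempts until the break (attacker must never give up)."""
    rng = random.Random(seed)
    return sum(attack(rng, **scenario) for _ in range(trials)) / trials

def break_probability(trials, seed=0, **scenario):
    """Fraction of simulated attacks that succeed before the attacker quits."""
    rng = random.Random(seed)
    return sum(attack(rng, **scenario) is not None for _ in range(trials)) / trials

if __name__ == "__main__":
    for k in (None, 5000, 1000):
        print("1.1", k, mean_attempts(20_000, change_every=k),
              "1.2", break_probability(20_000, change_every=k, give_up_after=6000))
    for n in (1, 2, 3):
        print("1.3", n, break_probability(500, change_every=1, give_up_after=SPACE, pool_size=n))
```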

2 Conclusion

These experiments have confirmed that setting different passwords frequently improves security.
It's certainly a bit of a hassle, so whether we actually change our passwords frequently or not needs to be considered separately.