Nov 28, 2021 Kuina-chan
I tested to see if we should change our passwords regularly or not.
"Please change your password every three months." "Do not reset passwords that have been used within the last five times." That's what I'm often told. I wondered how effective this really is, so I tested it.
Let's try it out.
For the sake of simplicity, we will set the password to be a random 4-digit number between "0000" and "9999." Then, a hacker (cracker) who tries to break the password starts by typing "0000" and then types up to "9999" in order. If the hacker cannot break it after typing up to "9999", the hacker goes back to "0000" again and starts over.
Now, if we never change the password in this setup, a hacker can always break it in less than 10,000 attempts. This means that, on average, it can be broken in about 5,000 attempts.
So, if we change the password on a regular basis, will the average number of attempts needed to break the password be higher than this approximately 5,000? If it is higher, it means that we should change our passwords regularly for better security.
Each of these was simulated 1,000,000 times, and the results are shown in Table 1-1.
|How Often To Change Our Password|Average Number Of Times Before Being Broken|
|---|---|
|No Change|4999.96 Times|
|Change Once Every 5000 Times|7486.71 Times|
|Change Once Every 4000 Times|8003.51 Times|
|Change Once Every 3000 Times|8503.57 Times|
|Change Once Every 2000 Times|8997.70 Times|
|Change Once Every 1000 Times|9510.94 Times|
|Change Every Time|9994.50 Times|
The higher the frequency of password changes, the more attempts the hacker needed before the password was broken, confirming that changing passwords as often as possible improves security.
In the current example, the hacker kept trying until it was broken, but let's check another case. Now the hacker types in "0000" to "5999" in sequence, and if that doesn't break it, the hacker gives up. Let's find the probability of the hacker breaking the password in this case.
Each of these was simulated 1,000,000 times, and the results are shown in Table 1-2.
|How Often To Change Our Password|Probability Of Being Broken|
|---|---|
|Change Once Every 5000 Times|55.04%|
|Change Once Every 4000 Times|52.02%|
|Change Once Every 3000 Times|51.03%|
|Change Once Every 2000 Times|48.77%|
|Change Once Every 1000 Times|46.83%|
|Change Every Time|45.11%|
This experiment also confirmed that changing passwords frequently improves security.
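The two experiments above can be reproduced with a short simulation. This is an added example, not the author's original code: it assumes the password is redrawn uniformly at random after every `period` attempts and that attempts are counted from 1, and the function names are illustrative.

```python
import random

SPACE = 10_000  # 4-digit passwords "0000".."9999"

def attempts_to_break(period, give_up_after=None, rng=random):
    """1-based attempt on which the sequential guesser hits the password,
    or None if it gives up first. period=None means the password never changes."""
    start = 0  # 0-based index of the first attempt against the current password
    while give_up_after is None or start < give_up_after:
        password = rng.randrange(SPACE)  # fresh random password
        end = start + (period if period is not None else SPACE)
        if give_up_after is not None:
            end = min(end, give_up_after)
        # Attempt t types the guess t % SPACE; find the first t >= start
        # whose guess equals the current password.
        t = start + (password - start) % SPACE
        if t < end:
            return t + 1
        start = end  # password is changed (or the hacker gives up)
    return None

def mean_attempts(period, trials, seed=0):
    rng = random.Random(seed)
    return sum(attempts_to_break(period, rng=rng) for _ in range(trials)) / trials

def break_probability(period, give_up_after, trials, seed=0):
    rng = random.Random(seed)
    broken = sum(attempts_to_break(period, give_up_after, rng) is not None
                 for _ in range(trials))
    return broken / trials

if __name__ == "__main__":
    # Constructed run: far fewer trials than the page's 1,000,000, so noisier.
    for period in (None, 5000, 4000, 3000, 2000, 1000, 1):
        label = "no change" if period is None else f"every {period}"
        line = f"{label:>12}: mean attempts {mean_attempts(period, 2000):8.1f}"
        if period is not None:
            line += f", P(broken within 6000) {break_probability(period, 6000, 2000):.2%}"
        print(line)
```

Because each password lifetime is resolved in one step instead of guess by guess, raising the trial count toward the page's 1,000,000 is practical for every period except the smallest ones.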
The next step is to verify whether or not it is best to use past passwords as little as possible.
The previous verification showed that it is better to change passwords frequently, so now we will change the password every time. However, instead of choosing a new password each time, we will rotate through a fixed set of passwords. For example, if we have two passwords we will set them alternately, and if we have three we will set them in order, like A, B, C, A, B, C, ....
The hacker types in "0000" to "9999" in sequence, and if that doesn't break it, he gives up. Now, what is the probability that a hacker will break the password?
Each of these was simulated 1,000,000 times, and the results are shown in Table 1-3.
|Number Of Passwords|Probability Of Being Broken|
|---|---|
It turns out that if we use as many passwords as possible, the probability of them being broken is reduced. In other words, we should not reuse passwords that we have used in the past.
These experiments have confirmed that setting different passwords frequently improves security.
It's certainly a bit of a hassle, so whether we actually change our passwords frequently or not needs to be considered separately.