Benefits of Complex Passwords and Password Changes
What can a malicious person do with your password?
- Send spam through your account, putting your name, as well as the College's e-mail, on a blacklist. Being on a blacklist means that many other educational institutions and companies will BLOCK ALL e-mail coming from Middlebury.
- Steal the e-mail addresses of other members of Middlebury College, and attempt to hack those accounts using YOUR account.
- Using YOUR account, break into many of our electronic databases, such as Banner, potentially getting access to a lot of sensitive, personal data (or financial data).
- Break into College computers using YOUR account and infect them with viruses. Use the infected computers to spread even more viruses and spam. The viruses installed can be used to steal credit card data or steal more passwords.
Note that if your password is stolen, you are NOT the only person affected!
Why is it better to use a complex password?
Passwords are (usually) stolen using four methods:
- tricking you into giving out your password.
- guessing your password.
- capturing your password when you type it in on a computer that's been infected with a virus.
- stealing stored/saved passwords. (the next section talks about the perils of stored/saved passwords)
Complex passwords provide no benefit when the attacker uses the first method. However, they offer strong protection against the other three attacks.
- Complex passwords are harder to guess (yes, computers can be programmed to guess hundreds of thousands of passwords in a few minutes). The current password policy makes them extremely hard to guess.
- Complex passwords are harder to capture.
- Complex passwords, if stored/saved, are harder to extract. (the next section talks about the perils of stored/saved passwords)
Why do we have to change our password every 6 months?
This has a three-fold advantage:
- it foils password guessing (see 1 below).
- if your password has been compromised, it reduces the impact of this unfortunate event.
- it makes "saved" or "stored" passwords useless (why is this a good thing? see 2 below).
1. A computer can spend several months tirelessly trying to guess your password. When you reset your password, any progress that the malicious person or computer has made is effectively diminished.
2. Saved (or stored) passwords are convenient. They are also convenient for malicious people. Your password may be accidentally (or intentionally) stored on your work computer, your home computer, or another computer where you typed in your password. Say this computer gets stolen. Now your password is in the hands of the thief. If the computer is stolen by (or sold to) a technically savvy person, your password can be easily extracted. Also, if the computer is infected with a virus, the virus can steal your saved password. However, by changing your password every 6 months, you make the stored/saved password useless!