As we all know - virtually everyone abides by a "rule" that it's best to change passwords on a regular basis (i.e. every few months).
Lets consider this "false logic" ("false" is undoubtedly conclusive by taking into consideration the entirety of the premise as stated below in detail).
Premise:
1) assuming that we all (each of us) start out with a password that is optimally secure as far as what would be considered a fully adequate password. (keeping in mind, why would this NOT be the case? - clearly it would NOT be the case to NOT presumably start out with what would be considered an "optimally" secure password - because, why would anyone NOT, to the best of their knowledge, use a fully adequate password in the first place? So the changing of a password on a regular basis would NOT be for the purpose of improving on an already "fully adequate password" presumably put in place by the user - everyone agree? (based on the solid premise as stated)
2) so the assumption that it's a good practice to change passwords on a regular basis would have nothing at all to do with improving on the "adequacy" of the "current" password (of this we would have to agree based on point 1 above).
3) so then is there a valid reason to change passwords regularly based on the conclusions we've reached above - it would appear there is NOT a valid reason to change passwords if in-fact we assume at all times the goal in every case for all passwords is to be using as fully adequate a password as possible at all times (hence, before the change and after the change this aspect regarding adequacy does not change). So, in other words, the password in use has been originally entered as an "optimum" password in regards to "security" (our goal in every case we utilize a password) - so a "different" password would not improve on "security" based on the premise as presented here in as much as that being "different" has no additional impact on "security" in-and-of-itself.
Conclusion (point): the probability of hacking a fully adequate password as possible does not change as a result of changing a password that is equally fully adequate as possible. Random combinations of input to hack an equally fully adequate password remains the same probability before and after the change simply because the adequacy remains the same in any case (upon simply changing a password).
So the conclusion in regards to our present day "madness" we deal with based on deductive logic and I might add simple "common sense" (rational premises as stated in place) is that changing passwords does not serve any purpose of any kind in regards to improving levels of "security" it would appear (assuming we at all times take the responsibility of using as fully an adequate password as possible - of which in that case, a different password at the same level of adequacy remains the same level of "security" in any case).
Has anyone else contemplated the "fallacy" that exists regarding the "concept" of changing passwords to (presumably) optimize "security"?
===============================================================================================================================
Now, here's an example of not only "madness" (that we ALL for the most part sadly practice in general) - but flat out "stupidity" in the example below (and keep in mind we're talking about a top level major bank w/ assets in the multiple billions of US dollars).
I was required to change passwords with a bank recently.
Why - because the bank added "special characters" as a requirement for passwords.
Why would a bank do this - presumably to improve "security" - right?
OK so this is what the bank did:
1) added "special characters" as a requirement.
2) dropped the requirement of needing an upper-case character however. (so passwords no longer required this [upper-case], hence all characters could be all lower-case. I can be sure of this because I will NEVER use an upper-case character unless I have to because it is "required" and my old password was using an upper-case character).
So I added a special character and at the same time used all lower-case characters (since I at that point could, in as much as upper-case was no longer required) of which I always do if allowed to do so.
What's the problem here in regards to not only logic - but just simple "common sense" (you might ask)?
Question - How many special Characters are there (i.e. "commonly used")? - answer: somewhere around 9-10 let's say (i.e. @,#,$,%,^,&,*,/,?... - that's generally about it...)
Question - How many letters in the (English) alphabet? - answer:
So what the bank did was add 9 characters (special) and dropped
Question - is that an improvement in "security" (a loss of
So the requirement for users to go to the trouble of changing passwords to comply with the banks new password requirements is clearly to (by a very large magnitude) potentially lowering the "security" of passwords in a very significant way.
Just one example of the "madness" we put up with today.
Just thought I'd throw this out there (yet another example below) as far as my most recent "madness session" (on the phone) with a very large bank - i.e. in this case JPMorgan Chase Bank.
Recently after going through the steps to get a "code" to provide the bank to verify me as a valid customer the following occurs:
1) "Code" retrieved and provided to the website dialog page to confirm my identity as a customer.
2) After doing the above I get another page (paraphrase) stating: "Thanks for the information - we need just a little more information which consists of providing a confirmation "code" (right after I just finished supplying a "code") - which I personally get about 80-90% of the time. In this case, I am requested to call a number that happens to be "Customer Service". I find that about half the time "Customer Service" has no idea why I'm calling for a "code" the other half the time the agent knows the procedure to provide me with another code (albeit, this is not what is supposed to happen, as mentioned in more detail below).
3) I decided to take the time to discuss this with a "Supervisor" and was told that the "new" procedure with providing a "code" has "not been perfected" yet. Wow! - so a major bank releases code that "has not been perfected" (his exact words). I told him back in the day when I used to program for banks - if our software staff released to the public "code that was still not fully functional" - we'd no longer have a job real quick which reflects on the current "slack" attitude of most enterprises today who very often do similar things as reference here.
It appears banks are slowly taking on the attitude of Microsoft - to "beta" test software with the public (we all know how often MS will release a version that conflicts or creates issues that customers have to end up reporting back to MS - an example of long-term "madness" I speak of....).
Just to discuss "security" in a little more detail - it is not any longer uncommon for users to end up experiencing as many as 3 levels of security quite often now days, such as: 1) Check box to assure a "robot" is not in the mix, 2) coordinating icons according to instructions, 3) entering obscured text and then of course the now more and more prevalent 4) requirement to provide a "code" to confirm the user. I have personally, had in a number of cases a site using 2 of the first 3 examples along with then requiring a "code" in the end as well - hence 3 levels of security in many cases. We're at a time where it is the way of most enterprises today to keep on adding layer after layer of "security" one-on-top-of-another all of which needs to remain compatible with each other (successfully "handshake" between each "security" method used). And with that in mind, I can't count the number of times that "glitches" or in some cases complete breakdowns of the process occurs ultimately resulting in the user suffering the consequences of not being able to utilize what all this "security" is intended to "protect" in the first place.
I contend if a multiplicity of layers of "security" requirements are increasingly imposed on users results in a higher frequencies of failure points - what are we accomplishing in this case?... or better put, is all of this "security" worth it if very often the user (that is supposed be be "protected") in so many cases can't even accomplish what the "security" is supposed to be protecting in the first place?... (a question, that obviously led me to posting this topic)
Boy Howdy (oh my), what a really weird world we live in today!!! (imho)...and in this case, this specific "weirdness" is confined to the "technical" aspects of our lives which one would argue should not at all be joining in with the "weirdness" of "today's" world.
EDIT: Updated to reflect an accurate number of English language characters (26, not 27 - I bothered to count them this time subsequent to a later post)
... hence much appreciated (of which I'd add is for the most part new to me personally).
- so corrected my original post as such) So (you got my curiosity up), how many letters are there in "'British English" pray tell? 