Change Account Password Regularly.

[skarais]

I stumbled across something that might be worth asking here. The bpip.org site showed me the forum admin (theymos)has periodically changed password the account every year for the past 3 years. Is this periodic password change recommended to increase the security of our account?



If so, are there any issue users might face if they periodically change their account password every years?

[The Sceptical Chymist]

I change my password occasionally--not too often, and usually after I get paranoid about the forum getting hacked.  It's probably not a bad idea for a member to do that from time to time (and to pick a strong one, too), because people have certainly lost their accounts to hackers in the past and no doubt it'll happen again. 

If there's a downside to doing so, I think it might be that it's a major pain in the ass to recover your account if you forget your password, but maybe a moderator can clarify that.  There's also the issue of people thinking your account might have changed hands if you happen to change both your password and your e-mail at the same time (which I think I've also done). 

The security on bitcointalk, as far as I can tell, is questionable and I do wonder how vulnerable the forum is to another major hacking.  It's been a while since the last one, but I've no idea what goes on behind the scenes.

[RickDeckard]

Regarding keeping all of my "internet" accounts safe I consider myself as "mild" paranoid. I was an user of LastPass even before they were bought by LogMeIn and by that time I had almost every account that I had with a complex password. I think I'm talking about early 2011-2012. From my point of view we have to look into our accounts as being a reflection of our identity in this world that is the Internet and like all identities we must do our best to keep them out of harms way.

Regarding the activity of theymos I would probably do the same if I was in the same spot as he is (Admin) especially considering that the forum has no 2FA in place. Even though I'm sure that all the staff have a strong password and it's kept only to the forum and not shared with anymore website (a basic usual practice), we are all humans and humans at some point of their life do commit mistakes. I do believe that even if someone is able to hack a staff account he wouldn't be able to create havoc for long but the sheer thought of it happening makes me uneasy (as it for sure makes others).

As always, you should try to always have a really strong password OP. There were times that I've used this tool: https://passwordsgenerator.net/ , but there are many others which are similar to it. Regarding the issues that you may have I don't think so, even though I see some threads popping up every now and then of users alerting that they are going to proceed with a change of their e-mail account and they want to let anyone know that they are going to change it (some I believe even sign their bitcoin address with such information).

[LeGaulois]

It's is a good practice for any activity on the internet, no matter what type of site it is. Email, bank account, shopping sites, streaming, etc.

This way, if there is a security breach and the data is intercepted, the hacker will have a better chance of getting your old password and not the current one.

There's also the issue of people thinking your account might have changed hands if you happen to change both your password and your e-mail at the same time (which I think I've also done). 

People shouldn't care about what others think. If you listen to them, they may say the account has changed if you cough

[Welsh]

Only theymos could answer that accurately, the rest of us can only speculate. Although, concerning changing the password frequently; This is something that's been recommended for years, in fact many years ago I think the standard was to recommend you change your password every 2 weeks. Although, if you have a strong password in the first place, and you are sure that is hasn't been compromised then you probably don't need to change your password frequently. Most passwords are gathered via database breaches, and malware. You can't really do anything about databases being breached, and therefore you just need to monitor various resources which provide information about what site has been breached, and change your password accordingly. Of course, you will always have the risk of a website being breached, without yours, the owners or the various organizations providing news about breaches actually knowing about it, well at least quick enough to prevent you from being compromised.

If your system is compromised then changing your password wouldn't have any effect, because if they have compromised your system via a keylogger or whatever method, and they are able to retrieve what you are putting into a website, then you are at risk whether you are entering your password or changing it. It might be advisable, if you suspect that you could be compromised locally, that keeping the "remember" me option on websites so you don't have to log in with your password each time. It would take a more sophisticated approach of gathering the password then.

[mk4]

It's is a good practice for any activity on the internet, no matter what type of site it is. Email, bank account, shopping sites, streaming, etc.

This way, if there is a security breach and the data is intercepted, the hacker will have a better chance of getting your old password and not the current one.

This. But far more importantly — don't re-use passwords on multiple websites, and make sure your password is long (probably 40 characters or more) and complex enough for it to be difficult to bruteforce.

"But how do I remember all my passwords?"

Use open-source password managers such as Bitwarden[1] and KeePass2[2]!

[1] https://bitwarden.com/
[2] https://keepass.info/

[libert19]

Regarding keeping all of my "internet" accounts safe I consider myself as "mild" paranoid. I was an user of LastPass even before they were bought by LogMeIn..

I am using LastPass since last few years, it has been serving well, what made you stop using it if I may ask(considering you used 'was' in sentence)?

[mk4]

I am using LastPass since last few years, it has been serving well, what made you stop using it if I may ask(considering you used 'was' in sentence)?

*psst. Ex-LastPass user here. Use Bitwarden instead. It's free (but I recommend paying just to help out the devs), it's open-source, and you can self-host as well.*

Disclaimer: Not affiliated. Just a fan.

[PrimeNumber7]

Is this periodic password change recommended to increase the security of our account?

If you do not reuse your password and your password is not a derivative of other passwords you use on other sites, you should not need to change your password unless it becomes compromised. I would recommend using a password manager to generate and secure your passwords.

If so, are there any issue users might face if they periodically change their account password every years?

If you change your password, you are risking that you forget or otherwise lose access to your password.

Changing your password, AND using unique passwords, AND not using a password manager means that you will generally use less complex passwords, which will make your accounts more vulnerable to hacking attempts.

[SquirrelJulietGarden]

The Best Password Managers
[GUIDE] How to Create a Strong/Secure Password

Some services recommend or force users to change passwords each 3 or 6 months. If you are not forced to change your password and decide to change it, you have to use password manager to randomly generate passwords.

If you don't use password manager, you will create new passwords with something similar to your past passwords. It is bad.

[isaac_clarke22]

~

I can quite relate to that especially after this happened to me. It is not that I was locked out from my account, but rather someone from other country posted a scam using my account without my awareness until feedbacks to my profile came along.

From now on, I often check my IP logs here in the forum and from other accounts if someone is logged in from a sus IP that I know it does not belong to me.

[Little Mouse]

This is common practice and everyone should practice to secure their account. It's not only bitcointalk, should be applied to every other sites you are using. Personally, I change password sometimes in my exchanges account. But in bitcointalk, I have never changed it, it’s reasonable because I believe my password is strong enough to be bruteforced. I have used long password with every possible characters combination.

[mu_enrico]

It's okay for other sites, not for bitcointalk, because here:
- If you are locked out, it's more difficult to gain back access.
- There will be the text "this user's password was reset recently" or something like that. Some users will question that as if it's uncommon.

I did password change several times and stopped doing that after using a very strong password special for this site.

[Lorence.xD]

This is common practice and everyone should practice to secure their account. It's not only bitcointalk, should be applied to every other sites you are using. Personally, I change password sometimes in my exchanges account. But in bitcointalk, I have never changed it, it’s reasonable because I believe my password is strong enough to be bruteforced. I have used long password with every possible characters combination.

That is what my teacher in Computer Class said, we have to regularly change our password, mix and match the characters, and choose long password, and the password doesn't have any connection with you personally. Another kne that I might add is that you have to shut up about your important accounts, loose lips sinks ships. I wouldn't necessarily do what theymos does which is annually but maybe 2 to 3 years.

[Cevit20]

This is common practice and everyone should practice to secure their account. It's not only bitcointalk, should be applied to every other sites you are using. Personally, I change password sometimes in my exchanges account. But in bitcointalk, I have never changed it, it’s reasonable because I believe my password is strong enough to be bruteforced. I have used long password with every possible characters combination.

Yes, of course, it is better to use strong passwords everywhere, whether it is a bitcoin account, a Facebook account or an exchanger account, because it is better to use a strong password than to change the password, so we will all use strong passwords everywhere.

[Upgrade00]

I consider changing passwords regularly to be a security practice, but one should take care to write it down to avoid loosing it.

There's also the issue of people thinking your account might have changed hands if you happen to change both your password and your e-mail at the same time.

You call always sign a message using 'change in email or password' as the message, this way, no one would suspect that your account has changed hands as you've proven to own to still own the Bitcoin address related to your profile.

[pugman]

I am using LastPass since last few years, it has been serving well, what made you stop using it if I may ask(considering you used 'was' in sentence)?

*psst. Ex-LastPass user here. Use Bitwarden instead. It's free (but I recommend paying just to help out the devs), it's open-source, and you can self-host as well.*

Disclaimer: Not affiliated. Just a fan.

*psst. Current-dashlane user here! Heard a wee bit on Bitwarden, is it better than Dashlane do you reckon oui matêë? *

I change my password occasionally--not too often, and usually after I get paranoid about the forum getting hacked.  It's probably not a bad idea for a member to do that from time to time (and to pick a strong one, too), because people have certainly lost their accounts to hackers in the past and no doubt it'll happen again. 

If there's a downside to doing so, I think it might be that it's a major pain in the ass to recover your account if you forget your password, but maybe a moderator can clarify that.  There's also the issue of people thinking your account might have changed hands if you happen to change both your password and your e-mail at the same time (which I think I've also done). 

The security on bitcointalk, as far as I can tell, is questionable and I do wonder how vulnerable the forum is to another major hacking.  It's been a while since the last one, but I've no idea what goes on behind the scenes.

Dude, your paranoia is NOT bad;; for someone like you especially, considering how many rat cum eaters are after you/your account/rep/ lê chipmixer status, etc,.

Its been what over 6 years, since the last hack? You never though what is to happen ;.;

<yes, this is me subtly hinting on where new forum is iamwaiting.png />

[Timelord2067]

I wouldn't advise changing your password too regularly, as you can see in the OP's example, the password was changed withing two days of the first anniversary of the first instance.  This could be a key date such as a birthday, or wedding anniversary etc, so anyone wanting to data mine, or even hack an account can look at this and can probably guess other relevant information.

[NotATether]

I am using LastPass since last few years, it has been serving well, what made you stop using it if I may ask(considering you used 'was' in sentence)?

*psst. Ex-LastPass user here. Use Bitwarden instead. It's free (but I recommend paying just to help out the devs), it's open-source, and you can self-host as well.*

Disclaimer: Not affiliated. Just a fan.

*psst. Current-dashlane user here! Heard a wee bit on Bitwarden, is it better than Dashlane do you reckon oui matêë? *

For the last couple weeks, I'm actually in the process of consolidating all my passwords from Lockwise, GPG files and iCloud to LastPass. And I can tell you that migrating from one password manager to another is a very laborious process when you have hundreds of passwords. Makes me shy away from self-hosted password managers which can screw me over if they blow up (which Bitwarden actually did to me, I never even got it past the install stage).

[libert19]

I am using LastPass since last few years, it has been serving well, what made you stop using it if I may ask(considering you used 'was' in sentence)?

*psst. Ex-LastPass user here. Use Bitwarden instead. It's free (but I recommend paying just to help out the devs), it's open-source, and you can self-host as well.*

Disclaimer: Not affiliated. Just a fan.

*psst. Current-dashlane user here! Heard a wee bit on Bitwarden, is it better than Dashlane do you reckon oui matêë? *

For the last couple weeks, I'm actually in the process of consolidating all my passwords from Lockwise, GPG files and iCloud to LastPass. And I can tell you that migrating from one password manager to another is a very laborious process when you have hundreds of passwords. Makes me shy away from self-hosted password managers which can screw me over if they blow up (which Bitwarden actually did to me, I never even got it past the install stage).

How do you mean 'if they blow up'?