We need to be creative and think of a password that meets the criteria plus one we can remember.
A few notes before I begin:
-Passwords for a system like the forums at Team Chevelle are stored on the server in a protected area usually in a file in an encrypted form known as a hash. It is just numbers and letters that the software uses to compare with what you type in for your password. It's really hard to get at, and useless once you have it. Kind of like the seat belt chime in a new car.
-Requiring users to reset their password periodically nets one result: more users end up writing passwords down
-Security is a balance between convenience to the user and integrity of the data. Too far in either direction causes undue stress to the other. Too easy to access, the data gets corrupted/hijacked/stolen easier, too inconvenient for the user to access, the user gives up.
-Data only needs to be protected to the extent that it is not worth the effort that it takes to get to it. If you store your cookies in tupperware in a lock box, your kids will just go to a friend's house for cookies. No need to put them in Fort Knox.
-Forcing hackers to use brute-force methods to crack passwords is the first step to a good password policy
-I have been in IT for many years, and I am now studying network security. I have literally hundreds of accounts, about 10 usernames in total, and not a single password is reused. I write down nothing. I have a system that I developed that is easy to memorize and convenient to use*
Forcing users to periodically change their password, in theory, is supposed to prevent a hacker from having enough time to crack your password. If your password does not contain dictionary words, and is at least 10 characters long, upper, lowercase, numbers, and symbols, and the software (vBulletin) uses a good hashing mechanism, then it would take a hacker at least 19.24 million centuries to crack it remotely. Is it necessary to reset this password every year?
Well, then we get into multipoint attacks. First a hacker needs to break into the forum software and retrieve the list of hashed passwords, in this case, a 3rd party plugin that has system/administrative privileges. So that's the first step...not an easy one, but one of the most popular**. Once the hacker has your list of hashed passwords, he can get started trying to crack them. A good hashing algorithm forces them to guess each password, one by one. The hacker can either A. crack only the weakest passwords until he has enough to profit, or B. be forced to crack long, complex passwords because of a good password policy enforced by the site's owners. B. is usually not an option: after some time of not being able to crack a single password out of a given list of hashes, the hacker will toss the list and start with a new web site, etc.
But let's say everyone on the planet has gotten the memo, and everyone is using a good password policy, so the hacker is forced to try to crack these new Team Chevelle passwords. How long would it take? Well, for several tens of thousands of dollars, he could afford a good password cracking machine and sic it on the hashed password list. After a little over 19 years, he would start seeing some passwords start to show in plain text. Is it necessary to reset this password every year?
OK, well there's one last option. China has the world's fastest computer. A hacker could probably buy it for many billions of dollars. He could then use it to crack the new Team Chevelle passwords in about a week.
So the way I see it, we can protect against the probable and change our passwords every 18 years, or lock up our cookies in Fort Knox by forcing a change twice a week.
*Step 1) Take, say, the first 4 letters of the web site name or system name, in this case, "chev". Step 2) Apply the "Caesar cipher", which basically means shift every letter to the left or right by any number. Ex: "chev" +2 becomes "ejgx". Step 3) Add some text that you can't find in the dictionary, including symbols and numbers that you memorized, ex. "[email protected]", then add it to what you have: "[email protected]". Step 4) Profit! When Team Chevelle is hacked, the hacker can make embarrassing posts on your behalf, but your Bank of America password, "[email protected]", is safe!
**Most popular being social engineering, and by the way, you have a tough case trying to sue the developer of a bad plugin because any decent developer utilizes an EULA that basically says "use at your own risk".
TLDR: Sorry the tldr would need to be a few paragraphs and I already wrote it once.
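The four-step scheme in the footnote above, written out as runnable code. This is an added example, not code from the poster: the site names, the shift of +2 and the memorized suffix `X7!demo` are constructed placeholders (the poster's actual suffix does not survive on the page). The block also includes the reverse transform, since a Caesar shift is a fixed, invertible substitution rather than a secret, which is useful to see when judging how much of each password is actually site-specific.

```python
import string

ASCII_LETTERS = string.ascii_lowercase


def caesar(text: str, shift: int) -> str:
    """Shift every ASCII letter by `shift` positions (negative shifts go left),
    wrapping around the alphabet. Digits and symbols pass through unchanged."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def derive_password(site_name: str, shift: int, memorized_suffix: str,
                    prefix_len: int = 4) -> str:
    """Steps 1-3 of the scheme: take the first `prefix_len` letters of the site
    name, Caesar-shift them, then append the memorized non-dictionary suffix."""
    stem = site_name.lower()[:prefix_len]
    return caesar(stem, shift) + memorized_suffix


def recover_site_stem(password: str, shift: int, memorized_suffix: str,
                      prefix_len: int = 4) -> str:
    """Undo the site-specific part of a derived password. Anyone who knows the
    shift and suffix (e.g. from one leaked plaintext) can do this for any site."""
    if not password.endswith(memorized_suffix):
        raise ValueError("password does not end with the expected suffix")
    return caesar(password[:prefix_len], -shift)


if __name__ == "__main__":
    # Constructed placeholders; the real suffix is whatever you memorized.
    SHIFT = 2
    SUFFIX = "X7!demo"
    for site in ("chevelle", "bankofamerica"):
        pw = derive_password(site, SHIFT, SUFFIX)
        print(f"{site:14s} -> {pw}  (stem recovers to {recover_site_stem(pw, SHIFT, SUFFIX)!r})")
```

Running it shows that "chev" shifted by +2 gives "ejgx", matching the worked example in the footnote, and that a different site yields a different password with the same suffix.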