Never Change Your Password
I’m going to set off all your smoke alarms when I make this fiery statement: Never change your password. Before you call the fire department, consider these three crucial provisos. Never change your password…
- If it’s sufficiently strong
- If you created a unique one for each account
- Unless there’s a security breach where it’s stored
Passwords do not age. They do not sour, spoil, or go stale. Yet some organizations want to convince us that your passwords become increasingly susceptible to attack over time. Just yesterday, I logged into my T-Mobile account and was told my password was old and should be changed. Fortunately, the carrier included a Skip button—which wasn’t always the case.
The reason to change a password should relate to an active problem: someone has stolen your password, it’s so weak that someone will crack it any moment now, or you’re notified of a password leak. Otherwise, there’s no reason ever to bother.
Where did this idea of passwords having an expiration date originate, and why is it wrong? To find out, let’s delve into what’s behind each of those three provisos.
Proviso #1 Background: Very Old Passwords Were Too Weak
It was only in 1960 that computing systems began to require passwords. For 40 years, they remained weak and crackable, often with only modest effort. You often weren’t even allowed to create a password longer than 8 characters. This was considered not just an acceptable level of security, but the only necessary level of security. For much of that time, you could even use a dictionary word (or several), or just letters—no punctuation, mixed case, or numerals required.
Once networks interconnected, even before the Internet existed, password theft became a problem. In the early days, you could just print out a file that contained the passwords in plain text. (The first admitted theft was in 1962!) As passwords became better protected within operating systems, weak, guessable passwords remained a liability. System administrators began issuing password guidance and enforcing it. That’s where the now-familiar demands for complexity and regular rotation originated.
As recently as 2004, the National Institute of Standards and Technology produced a report that recommended complexity in password composition rules in part because password length was so short. Cracking a password becomes nearly exponentially more difficult as the password gets longer. Increasing complexity (the randomness of characters chosen) doesn’t raise the cracking difficulty as readily as simply making a longer password.
Some sites still allow 8-character passwords, but my anecdotal experience is that most want something longer, like 10 or even 12 characters. The shortest secure password resistant to modern cracking is a minimum of 12 characters if it’s randomly generated from nearly all typeable symbols and at least 20 if it is composed of randomly selected words. Passwords that meet those limits have sufficient resistance to brute-force cracking that they should last well beyond your lifetime or cost a cracker far more than your specific password could be worth—perhaps tens of billions of dollars, by one estimate. Substantial breakthroughs in certain forms of computation would be required to render those passwords weak enough to break. (Astonishingly, Microsoft still recommends a minimum password length of 8 characters in its Windows 10 administrator guidance and doesn’t allow policies to require one longer than 14.)
In an era of weak passwords, a high level of entropy—the amount of measurable randomness in the password text—coupled with regular replacement reduced the odds someone would have sufficient time and processing power to crack your password using what was often an easily purloined password file or database table. (I first had a password file stolen in 1994 due to a Unix exploit.)
If your password is sufficiently strong, as required by Proviso #1 above, there’s no reason to change it. If, on the other hand, you’re still rocking a password under 12 random characters, yes, you should change it to something much stronger. But you only have to do that once. There may never be a reason to replace it.
How can you tell if your password is weak? Apple will tell you, via iOS/iPadOS in Settings > Passwords, Safari in Safari > Preferences > Passwords, and macOS 12 Monterey in System Preferences > Passwords. 1Password, LastPass, and other password managers offer similar insights.
Proviso #2 Background: Passwords Were Often Reused
For many years, it was also acceptable to create one strong password and use it across all your important accounts. While that password may have been hard to type and difficult to memorize, regular use helped you surmount those problems. This was the ultimate instance of putting all your eggs in one basket. Security experts quite rightly saw this approach as a serious vulnerability. I suspect that some password change requirements came about because sysadmins understood that if your password was broken or leaked somewhere else, it could also allow access to their systems. That wasn’t excessive caution—breaches happened regularly, including for accounts with deep system privileges. Forcing a replacement was a misguided way to try to stay ahead of crackers, the assumption being that older passwords were more likely to be discovered and cracked elsewhere.
Because we now have easy access to password managers—including Apple’s built-in option in iOS, iPadOS, and macOS that can be synced across iCloud in a highly secure manner—there’s absolutely no excuse to use the same password twice, per Proviso #2. Memorize your device passwords or, with 1Password and other password managers, your vault or storage password. Never use those passwords elsewhere. And you’re golden.
If you’re not sure whether or not you have used a password at multiple sites, check your password manager. Apple’s Passwords shows Reused under Security Recommendations for any password with multiple entries. 1Password’s Watchtower section, shown below, has a Reused Passwords category that lists the same. LastPass has a similar feature in its Security Dashboard.
Password managers must still deal with the vagaries of websites that require passwords to contain at least one number, a piece of punctuation from a permissible list, and an eye of newt. The last item might be a joke. (These policies are designed to ensure the most cracking-resistant password if a user chooses to enter one of only the minimum length.) But at least you can use the password manager to generate the best strong password under the circumstances.
You should still use a password manager to create passwords even when there are no complexity policies in play. Apple discontinued a feature in Keychain Access’s Password Assistant to create “memorable” passwords that contained words. 1Password recommends a passphrase of four or five words, depending on your circumstances, to achieve the necessary robustness.
Proviso #3 Background: In the Security World, Life’s a Breach
Once you have updated to robust, unique passwords across all your accounts, you never need to change those passwords again unless, per Proviso #3, you learn that a particular site or service has suffered a breach. The best way to learn this is by signing up for the free notification service at Have I Been Pwned?, a site devoted to disseminating information about account and password breaches in a responsible fashion. You can also check your password manager, as most now license the Have I Been Pwned? database. Apple shows Compromised in its passwords list across operating systems, noting:
This password has appeared in a data leak, which puts this account at high risk of compromise.
Despite Apple’s extreme language, you probably don’t need to change your password even then—assuming, again, it’s strong and unique—but it’s better to be safe than sorry. Plus, you may have no choice: the site might force you to change it by resetting all passwords for all users.
An attacker can discover passwords in two primary ways: research and cracking. With research and manipulation, an attacker can extract secrets about you through social engineering (fooling a customer-service representative), phishing your password from you, or poring over credit reports and available online data.
You can guard against personal social engineering and phishing by never giving out your password in any circumstance other than when you initiate a visit to a Web site or open an app and can verify it’s the site or app you intended. And you can protect your personal facts by replacing them with random words when creating answers to account security questions. Instead of my mother’s maiden name, I generate a random word in my password manager and use that, storing it with a label so I can recall it when asked. The goal is to ensure that the answers to your security questions are also unique across all your accounts. (If you have to read the secret aloud to a customer service rep, it may sound strange, but that’s the price of security.)
The other method attackers use is cracking passwords, trying to match a password by testing every possible value, starting with the shortest and most likely guesses. Those guesses might incorporate socially engineered and researched information about you in particular or a mass of users at a given website.
Crackers used to be able to run unlimited password guessing attempts at many website login pages. It took shockingly long for companies to build in throttles and timeouts to disable such attacks. Nowadays, only a handful of well-informed guesses that stay under the maximum number of failed attempts could work, and two-factor authentication stops that method cold. Crackers don’t bother with such attacks anymore unless they find unthrottled login pages.
Instead, they focus their attention on cracking passwords stolen from servers. In those cases, you’re forced to rely on the security and deployment expertise of the company that maintains your account information. Almost all the time, these passwords are encrypted and can be broken only by brute force. Sadly, that’s not always the case: as recently as November 2021, a large-scale breach at GoDaddy revealed SFTP passwords still stored as plain text.
Sites should never store passwords as plain text, but they also can’t use simple encryption, where a static encryption key protects all password data. Instead, sites almost always store each password as the unique outcome of a one-way cryptographic operation called a hash. The output can’t be predicted from the input without running the operation, and two slightly different passwords produce vastly different hashes. Best practices for modern password storage also include adding random characters (called a salt) to a password before hashing, so an attacker can’t crack a password shared by multiple accounts all at once. (If two people chose “adam-slurps-soup-soulfully” as their password, the hashing operation would produce the same hash. If you add “Az” and “8J” to the front of that password before hashing, the two resulting hashes would be completely and unpredictably different.)
The only way to figure out a password with no special knowledge of the user is to feed every possible combination through the same hashing algorithm and test against the stored value. Because these algorithms are computationally “expensive” (slow) to run, it can take a lot of time (and therefore money), even when throwing a lot of GPU or cloud processing power at it.
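The salted, slow hashing that the two paragraphs above describe, as an added example rather than code from the article: each account stores a random salt beside a PBKDF2-SHA256 hash, two accounts that pick the article’s sample password get unrelated records, and a small helper counts how salting multiplies the hash computations needed to check a candidate list against a stolen table. PBKDF2, the iteration count, and the two sample users are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample password, borrowed from the article's own illustration.
PASSWORD = "adam-slurps-soup-soulfully"

# Work factor for PBKDF2 (assumed value; production deployments tune it
# much higher so each guess costs an attacker measurable time).
ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast hash, no salt. Identical passwords yield
    identical digests, so cracking one exposes every account that shares it."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Store a per-account random salt next to a slow, salted hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def hash_work_to_check(candidates: list, records: list, salted: bool) -> int:
    """Hash computations needed to test every candidate against every record.
    Unsalted: one hash per candidate covers all accounts at once.
    Salted: every account needs its own computation per candidate."""
    if salted:
        return len(candidates) * len(records)
    return len(candidates)


if __name__ == "__main__":
    # Two constructed users who happen to choose the same password.
    alice = make_record(PASSWORD)
    bob = make_record(PASSWORD)
    print("unsalted digests equal:", unsalted_hash(PASSWORD) == unsalted_hash(PASSWORD))
    print("salted records equal:  ", alice["hash"] == bob["hash"])
    print("alice verifies:", verify(PASSWORD, alice))
    print("typo verifies: ", verify(PASSWORD + "!", alice))
    wordlist = ["password", "letmein", PASSWORD]
    print("work, unsalted:", hash_work_to_check(wordlist, [alice, bob], salted=False))
    print("work, salted:  ", hash_work_to_check(wordlist, [alice, bob], salted=True))
```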
In cases where breached passwords were salted and used sufficiently powerful modern hashing algorithms, I’m unaware of any reports of accounts being compromised. Add good two-factor authentication to the account, and exploitation becomes nearly impossible.
All that said, when you’re notified of a breach that may have revealed your login credentials, change the affected site’s password anyway: it’s only one, and you don’t know how good the site’s internal security design was.
What Should You Do?
Here’s a simple checklist of improvements you can make to keep your passwords forever secret:
- If you aren’t already, start using a password manager.
- Use the password manager to generate strong, unique passwords for every account.
- Review old accounts that contain personal, proprietary, or financial information and update their passwords using the password manager.
- Never share personal facts, like your pet’s name, when required. Instead, replace a real fact with random text that you store in your password manager for later access.
- Enable two-factor authentication wherever available.
Finally, to return to the point of this article: Don’t change a website’s password purely because you’re asked to. Only feel compelled to change it if it’s weak, if it was used on other sites, or if a breach has occurred. And, if some site forces you to change your password, generate a new one that’s strong and unique using your password manager.
Excellent article. Thank you, @glennf.
I feel it wouldn’t be quite complete without this snarky reminder about how we should set passwords (of course right before we put them into a PW manager and forget about them forever).
Because people are idiots…and for years have followed the advice by the DoD people…but even they have come around to the make it long but able to be remembered and don’t change it unnecessarily point of view.
I think the logic behind regular password changes is that data breaches happen all the time and you probably won’t find out about it until after you’ve been victimized.
So if you change your password every month, then in the worst case, the thieves have a password that will expire in a month.
Of course, this is complete BS. When a password is stolen, you can expect an attack within seconds. No thief is going to hold on to it for weeks or months before trying to use it, because they know it will be changed as soon as the data breach is made public, if not sooner.
And requirements for frequent password changes often cause people to make trivial changes each time. So “foo1” becomes “foo2” and then “foo3”, etc. If one gets stolen, it will be pretty easy to try out the next dozen combinations.
For a single password, absolutely: when phished or sniffed or socially engineered, the attacker knows they have a very limited window to attack.
My expectation is that for breaches at sites with lax security, as long as they’re encrypted, it can still take some time to start matching passwords via brute force—weeks or even months, if the breach isn’t discovered. Really, short and unsalted passwords are the biggest culprit. If a site requires, say, 12 characters and salts everything, only a targeted attack against specific accounts would probably result in any effective password recovery.
I would be more charitable and say that because most people aren’t security experts, they will follow what seems to be the best advice. So it’s contingent on people like us to spread the word to people who may refuse to believe it because they’ve been trained wrong for so long.
Though, honestly, a 16-character randomly generated password that you never type in is just great. If we retrained people to use the longest allowed password and a password manager, they can just forget all the other advice (except about not sharing passwords).
In case others misinterpret this as I initially did, a user can choose a password longer than 14 characters. A Windows 10 administrator cannot set a policy that requires users to choose passwords longer than 14 characters.
Windows also still has a policy option that requires passwords be “complex,” meaning they include at least three different kinds of characters: lowercase, uppercase, numbers, non-alphanumeric keyboard characters, other Unicode characters. Your password can’t be eight poop emojis, but it could be six plus
This just posted. The timing with my article cracks me up.
On I-95 just north of the FL/GA border is this exit that would make a great dicewords password.
Unmissable piece of comedy:
No need for charity. DoD organizations consistently undermine security by their misguided policies of forcing password changes at the most, every six months. This does nothing but add to the burden of users seeking benefits info/support or health care support, if not actively p***ing people off to use deliberately weaker passwords. Glenn’s article is excellent and spot on, and I wish government IT folks would wise up.
I wish that it was a universal option, that merchant websites all have Guest Checkout. No need to create an account unless it benefits you (perks, discounts, member bonuses…). That would be fewer pwds to worry about and fewer breach concerns.
I agree, no need to change password unless breached and never use same one twice.
I should stress that there are a ton of sites that have limits on characters and length.
There have been many times where I was ready to purchase an item but they required I create an account with password. No thanks – I have too many already. Guest checkout is very useful.
Charitable to users.
I used to be more charitable about it…but best password practices are all over the internet from smart, knowledgeable people and they just get ignored. Corporate IT departments who one would imagine are run by competent people are as wrong as often as non-geek users…and that’s just deliberate stupidity on their part because they do…or at least should…know better.
This is all great advice. The NCSC has a good password guide aimed at businesses that specifically advises against practices like expiring passwords, limiting length, or imposing ‘complexity’ requirements. They also have a good infographic that can be passed on to unenlightened IT departments.
The worst nuisance in the passwords area is when websites have a length limit, don’t bother telling you about it, and then silently truncate the password you create. Since you have no way of knowing that they’ve chopped off part of what you typed, you don’t know your own password. This has happened to me a few times over the years.
By the way, I don’t agree that everybody should use a passwords manager. There are alternative ways of saving passwords that are just as secure, if not more so, and I don’t like putting all my eggs in one basket. I’ve never used a passwords manager, but I assume that if your master password is lost or compromised, all your logins are now lost or compromised. (Please correct me if I’m wrong.)
There were a couple of legitimate reasons for changing a password, assuming that a hacker can steal the password hash. However, if your browser alerts you when your password hash has been posted on the web (including the dark web), you only need to change it when that happens (google-chrome does that reporting).
For a stolen hash:
If the password was composed of characters from only one or two of the possible sets of characters (lower-case, upper-case, numeric digits, and symbols), a hacker can run a brute-force effort using only one of those sets at a time, then progress to two at a time. That takes far less time than a brute-force crack using characters from all four sets. “correcthorsebatterystaple” (an example above) uses only one set (lower-case), probably the first set a hacker would try.
For any hash, changing the password means all of the time the hacker spent on trying to match the old password hash is wasted. If you use all character sets in a password, and the password is long enough, that may take a hacker years, and if you change the password once a year, you’ll always stay a step ahead.
If you expect haveibeenpwned to alert you to your password being hacked before it is used, then you’re going to be sorely disappointed. I can speak of this from personal experience. Meanwhile, not all companies REALIZE that they’ve been breached for a long time in order to even report it, and many are not even doing their due diligence in reporting it at all. Then you have to consider that stolen passwords are not always, despite one commenter’s opinion, used immediately. They are often packaged and sold as password and credential lists on DW and BH forums, sometimes for years, and then used for credential stuffing.
If you’re going to advocate using a password manager, then there is absolutely no reason to suggest that you should avoid taking the three seconds it takes to generate a new password every-so-often. If you’re using easily-remembered passphrases… Where? Because pretty much 90% of the internet requires users to limit themselves to ridiculously small limits, and dumb requirements of including symbols.
Although Troy Hunt (owner of haveibeenpwned) makes every effort to contact sites that he has determined to have been compromised, he does not always rely on the company to admit to having been breached before updating his site to include such compromises. Rather, he hangs out on the dark web for information on breaches being posted for sale and reports from others, then does due diligence to determine whether it is a possible hoax or not. The FAQ on his site gives a lot more information concerning his methods and data.
I use 1Password. I have a rescue kit printed out and locked in a safe. It will let me or my wife or son get to the info if needed. Just getting my master password won’t give access unless you also have access to one of my devices. Setting up a new device requires the use of a secret key. As is appropriate my master password is unique, memorable, and not used anywhere else.
I have over 400 passwords stored. I challenge anybody to come up with a system to remember that many passwords that isn’t crackable given that one password of your “system” is compromised.
Wow—tons of comments about Glenn’s article in Hacker News.
I heard an interview once with someone who claimed to have invented the uppercase, lowercase, number and symbol formula and regretted it because there are only 10 numerals vs. 26 letters, and a similar limit applies to the easily typed symbols. Adding a random alphabetical letter to a password makes it harder to crack than adding a number.
He recommended long phrases of ordinary words instead. Length by itself he said was the surest deterrent.
@paulbrians, he’s certainly correct about a longer password being much better (the difficulty increases exponentially with the length), but it’s far better to use all sets than to increase by one character.
Here’s a little gedankenexperiment:
You’re a hacker, and you have the collection of hash values for the users in a system. They cover the gamut of password choices, from lower-case-only words to randomized sequences of lower-case (LC), upper-case (UC), numeric (N), and symbols (S). Your goal is to crack as many passwords as possible, as quickly as possible. You don’t know which passwords use only a single set (e.g., lower-case).
You start with an LC-only brute-force attack. After each hash calculation, you check to see if any of the hashes have that value. If they do, you have the password. Each one-character increase in password length increases the brute-force time by 26x, so a 10-character LC-only password costs 26^10 = 1.56e+12
You end with an LC/UC/N/S brute-force attack. If we limit S to the set of 94 printable ASCII symbols (0x21-0x7e), each one-char increase in password length increases the brute-force time by (26 + 26 + 10 + 94)x = 156x, so a 10-character password using LC/UC/N/S costs 156^10 = 8.54e+21 tries. A system that could crack a 10-char LC-only password in 1 minute would take about 10 millennia to crack an LC/UC/N/S password of the same length.
So if a user has added that single LC character vs adding a single N character, it’s only true that it takes a lot longer to crack if the hacker knows which set that character belongs to. But you (as the hacker) don’t care, since you’re working on cracking all of the hashes simultaneously. The first successful password cracks you’ll get will be LC-only.
I tried Elcomsoft’s “password retrieval” product many years ago (when it was Russian-based), and it was pretty snappy at LC-only cracking. Now it’s available as a GPU-based product, so probably a lot quicker. Their patents (eg US Patent for Use of graphics processors as parallel math co-processors for password recovery Patent (Patent # 7,929,707 issued April 19, 2011) - Justia Patents Search) describe a method in which the CPU provides subsets of the total range of password possibilities to each of the GPUs, after which each GPU generates the hashes and checks them against the complete list of hashes … this is pretty much what I described above, but is a parallel-processing implementation (akin to bitcoin mining on GPUs)
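To put numbers on the character-class argument running through the last several comments (one more letter versus one more numeral, and a search that walks the class combinations smallest-alphabet-first), here is an added example that is not from any commenter. It computes the exhaustive-search size and entropy for a policy, the cumulative candidates a staged search covers before reaching a given class combination, and the equivalent figure for a word-based passphrase. Assumptions: the symbol class is the 32 characters of Python’s string.punctuation (so the alphabet sizes differ from the 156 used above), the guess rate is a constructed placeholder, and the staged model counts each combination’s full alphabet without subtracting overlap with smaller ones.

```python
import math
import string
from itertools import combinations

# Character classes as named in the thread: lower-case (LC), upper-case (UC),
# numerals (N) and symbols (S). Symbol count is an assumption (32 ASCII
# punctuation characters); the space character is left out.
CLASS_SIZES = {
    "LC": len(string.ascii_lowercase),  # 26
    "UC": len(string.ascii_uppercase),  # 26
    "N": len(string.digits),            # 10
    "S": len(string.punctuation),       # 32
}
ALL_CLASSES = tuple(CLASS_SIZES)

# Constructed placeholder guess rate for a fast, unsalted hash; real rates
# depend entirely on the hash function and hardware, so treat as illustrative.
GUESSES_PER_SECOND = 1e10


def alphabet_size(classes) -> int:
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace(classes, length: int) -> int:
    """Candidates an exhaustive search of `length`-character passwords drawn
    from the union of `classes` must cover in the worst case."""
    return alphabet_size(classes) ** length


def entropy_bits(classes, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape; each
    added character contributes log2(alphabet size), e.g. 4.7 bits for LC only."""
    return length * math.log2(alphabet_size(classes))


def passphrase_keyspace(words: int, dictionary_size: int) -> int:
    """Word-based passphrase: each word is one symbol drawn from the dictionary."""
    return dictionary_size ** words


def all_class_combinations():
    """Every non-empty subset of the four classes, ordered the way the staged
    search visits them: smallest combined alphabet first."""
    combos = [frozenset(c) for r in range(1, len(ALL_CLASSES) + 1)
              for c in combinations(ALL_CLASSES, r)]
    combos.sort(key=lambda c: (alphabet_size(c), sorted(c)))
    return combos


def staged_search_cost(used_classes, length: int) -> int:
    """Cumulative candidates a smallest-alphabet-first search has covered by
    the time it finishes the combination a password actually uses. A password
    drawn from a small alphabet is reached early; one mixing all four classes
    is reached only after every smaller combination has been exhausted.
    Overlap between combinations is not subtracted, so this slightly overcounts."""
    target = frozenset(used_classes)
    if not target or not target <= set(ALL_CLASSES):
        raise ValueError("unknown character class")
    cost = 0
    for combo in all_class_combinations():
        cost += keyspace(combo, length)
        if combo == target:
            return cost
    raise AssertionError("unreachable: target is always one of the combinations")


def years_to_exhaust(candidates: int, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    return candidates / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    policies = {
        "8 chars, LC only": (("LC",), 8),
        "10 chars, LC only": (("LC",), 10),
        "10 chars, LC+N": (("LC", "N"), 10),
        "10 chars, all four": (ALL_CLASSES, 10),
        "12 chars, all four": (ALL_CLASSES, 12),
    }
    for name, (classes, length) in policies.items():
        print(f"{name:20s} {entropy_bits(classes, length):6.1f} bits  "
              f"staged search {years_to_exhaust(staged_search_cost(classes, length)):.2e} years")
    # Five words from a 7776-word list (a diceware-sized dictionary, as an assumption).
    pp = passphrase_keyspace(5, 7776)
    print(f"{'5-word passphrase':20s} {math.log2(pp):6.1f} bits  "
          f"exhaustive {years_to_exhaust(pp):.2e} years")
```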
I hesitate to use a password manager for several reasons. If I change my password on a website on my iMac, I assume the manager won’t also automatically remember the change on my iPad and my iPhone. Or do some manage to manage multiple devices?
Say I’m traveling and am forced to change my password using my iPhone—if it’s an automatically generated obscure string of characters there’s a good chance of losing all trace of it by the time I get home.
Or—suddenly my insurance company login stopped working so I thought I’d better check “I forgot my password” and set up a new login. But it turned out the problem wasn’t the password at all. Something they did to their pages made it stop working with Chrome. It does work with Safari. But Chrome’s memorized password was now different on the two browsers. There’s no way to retrieve the new password from Chrome and use it in Safari.
I like the option when I’m creating a new password of seeing what it is, but some hide it as I type and if I make a typo I won’t know it.
Password file is encrypted locally and stored on a mutually accessible cloud server.
Modern password managers use end-to-end encryption to synchronize your changes among devices. Chrome and Google don’t offer a “modern” password manager. Apple’s Passwords feature, synchronized by iCloud Keychain, 1Password (either via Dropbox local sync or using its zero-knowledge website-based sync), and LastPass are all end-to-end encrypted.
There is a thread in Mac Power Users, too.
Personally, I do not change my passwords, but use a unique Hide My Email/strong password combination for each platform. Agreed with Glenn’s points.
Any time I see a web site with expiring passwords or “security” questions, it tells me the people behind it don’t know anything about real security. Unfortunately, this includes the California Franchise Tax Board, the agency which collects our income tax. Just a couple weeks ago I had to change my expired password. And, like you, I make up random answers to security questions and put them in 1Password. Yes, I was born on Callisto, why do you ask?
All of the current worth considering managers have apps for multiple platforms and sync between devices through either DropBox, iCloud, or their own cloud services so that changing the password on your Mac changes it on your iPad/iPhone as well.
Thanks for yet another great article, Glenn. I’m a staunch 1Password user, with a family subscription to encourage my family (wife, daughters, mother) to use it. They use it pretty well, not as much as I’d like, but far better than nothing.
To folks who create a password and then enter it into 1Password… I suggest using the feature where 1Password suggests a password on the spot on the signup page. Once you learn (learn = simply do) that, there really is no excuse for not using it to create and save unique and complex passwords you will never ever type or see again.
Now, if you could have a chat with our firm’s credit card company…
In January I spent 30 minutes on my own and 90 minutes on the phone with a rep trying to figure out why they would reject a password with no actual words in it by claiming it had them. And I have to go through this process every 60 days. I finally gave up this month and let Safari generate the replacement password and saved it in my Keychain.
And, does anyone know why certain characters aren’t allowed in passwords (e.g. underscores or other option or shift-option characters)?
Related to encouraging poor passwords by expiring the password:
We just went through an issue with our Costco credit card which is serviced by Citibank. The credentials that worked a few weeks earlier were being rejected.
I reached customer support on the phone. I was advised to try a password reset. The password can be 8 - 64 characters so I generated a random 64 character password. The password reset wouldn’t complete.
Finally the customer service rep asks if I’m typing the password in and I say ‘no, it’s 64 characters’. I’m autofilling from the password manager or pasting. The rep says - ‘oh that’s not supported’ - for security. And there was a recent change made to essentially block autofill/paste on the password input - which is why my credentials stopped working. (The value of the input element changes so the autofill/paste appears to work but there is a shadow value.)
Like expiring passwords, blocking autofill/paste of passwords is counter-productive.
Additionally, although Citibank broke an existing workflow with no notice or explanation, the customer rep’s position was that I was doing something inherently insecure and unsupported and therefore it can’t be a bug and I can’t have an issue with the change. Hmmm.
Thanks for raising this issue. The longer term solution is to eliminate the password as much as possible. For example, when you sign up for an account your smartphone generates a private-public key pair and shares the public key with the server. To login, you authenticate to your smartphone using Face ID, and your smartphone uses the private key to prove it is the same smartphone that registered previously. There’s no password and no secrets are exchanged. There’s nothing to phish. Two factor authentication is accomplished by something you have (your smartphone), and something you are (Face ID). The underlying standard is called “FIDO” or “WebAuthn” and Apple released a technology preview at WWDC last year (Passkeys with iCloud Keychain). Enjoy!
But sometimes there are situations (such as being overseas) where you need to use a password away from your computer and its password manager.
Yes, a password of the complete alphabet and in order is harder to crack than an 8-character mixed password.
Great article. From experience in a senior community I noticed that most are vulnerable not through poor passwords, but more mundane issues easily corrected. IMHO they include: A) using their real name on the computer; B) not using a separate admin account name and password; C) connecting printers with Wi-Fi and not completing the printer security setup (some complained that their printed stuff wound up on a neighbor’s printer); D) not securing their own Wi-Fi router by not changing default passwords; E) only using their full name on email accounts.
All of which make them ‘soft’ targets for phishing. Simply using an iPad and Stumbler within 30 to 50 yards of most apartments, or Fing, or ??? can reveal way too much for most.
Perhaps a short article on ‘Security for Seniors’ would be worthwhile. Sometimes the local facility IT types don’t really help much.
I’m not an ex-spurt on the issues, but have used a Mac since 1980, and spent over 5 years in the mid 80’s on a govt Special Access program (had to change password every 60 days while using a NON-internet computer system connected by fiber optics and other security features like lining up all CRT tubes in a column to prevent reading them from the parking lot!)
So became very sensitized to hacking issues about 40 years ago. Plus using non id email names for some things like [email protected] dot com so as not to be a soft target.
"Just cuz you are paranoid doesn’t mean someone is NOT out to get you " :))
Our iphones store all our passwords as text. I’ve never noticed that until about a year ago. Of course to view them I’d need to enter my device password, but that’s just 6 digits. We don’t use fingerprints b/c we need to access each other’s devices. People can also make you press your finger to it for some nefarious reason or because they are border control and can pick on you if they feel like it… So if I’m traveling they can access my bank account’s password? What gives?
I “canceled” my Apple two-step authentication a few times (we seem to stumble into it every time we log on) because, well, I got stuck trying to type one of our randomly generated passwords to get in, and my time expired – they locked me out. I’ve had a similar problem with my bank account… I can’t remember what I was doing wrong, just that it seems to be connected to the fact that it’s the two of us and we share stuff, and they don’t want us to. Works for me when accounts verify me with a text, the rest of the acrobatics I just don’t really get.
I use guest accounts whenever possible, and I don’t store my credit card on most sites (hoping they don’t do it on their end) and I routinely lie about my birthday and don’t easily give out personal information and use randomly generated passwords on sensitive accounts, but I find the whole landscape of user names and passwords wherever I turn exasperating. Though, I suppose, it’s only one part of the constant harassment my digital devices --and the companies that leverage them-- put me through. Computers were supposed to save us time and make things easy, but at this juncture, it feels like more and more of my time and energy is being squandered on cryptic and bureaucratic BS.
That is truly appalling for a company that should understand security. I’m not even sure what insecurity they think they’re protecting against by blocking pasting. But it fundamentally undermines the security of all their accounts. If it were me, I would cancel the card as I wouldn’t trust a company like that to get security right (never mind my low tolerance for the hassle this would cause me when trying to manage my account). But if you don’t feel you can do that, you might want to check out “Stop the Madness”. Overriding paste prevention is one of its features.
FWIW, the 1Password plugin is still working for me with Safari on the Citi website for my Costco card. But I also did cut and paste for the user ID and password and they worked fine, too. (I don’t have a 64 character password, but it still pasted fine into their website.)
They may not “support” it, but it still appears to work fine on Safari and Monterey for me.
I use ‘StopTheMadness’ and it didn’t stop this particular madness.
Haven’t made a decision yet about canceling the card, but I did make a complaint to Costco about Citibank.
Likewise, I was able to log in (via www.citi.com) using Firefox and its built-in password manager. I don’t think it uses the clipboard to fill in the password field, but it was able to insert the correct data.
The passwords are stored with encryption. When you’re prompted to enter your passcode (or if you have Touch ID or Face ID enabled and that’s an option) that’s used to decrypt the entries that are needed to display or fill it. Then the key is discarded from memory.
Six digits is likely not enough for full security, at least against governmental-scale interests in the contents of your phone. What’s largely recommended is a longer PIN or a full-scale passphrase.
I agree about the concerns related to Touch ID (or Face ID) because their use can be coerced. As someone who lives in and travels within the United States, and am not involved in political activism or international commerce, I haven't worried much about the potential compulsion for my biometrics to be used against me. If I needed to travel outside the country, I'd strongly consider what I brought with me and disabling Face ID/Touch ID. Many people who travel to China and other countries bring burner phones and laptops and set up burner accounts before they travel so they can discard everything on their return.
Just a small piece of info: you can have more than one person's fingerprint on the same device. My wife and I have our own iPads and iPhones and separate IDs, but we can both unlock each other's devices with a fingerprint. I believe the same applies to Face ID.
While I agree with the idiocy of preventing pastes, if you have Keyboard Maestro, you can work around it by creating a macro that consists solely of Insert text by typing %SystemClipboard%. Invoke the macro, and whatever’s on the clipboard will be typed as if you were typing it by hand.
(I imagine other text macro applications allow the same sort of thing, but Keyboard Maestro’s the only one I’ve used.)
My experience this morning is the same as @jrdodds. I wasn’t able to log into Citi’s site with 1Password or with cut-and-paste. It’s really annoying since my password is long and random. I tried both Safari and Firefox.
EDIT: 1Password still works for me; it turns out Citibank decided to invalidate my password for some reason.
Thanks for the article, @glennf. It was about 15 years ago that I started asking my employer why it required a password change every six months. As you might expect, “because” was the most intelligent answer I received.
Chase did something similar to me (not paste, but a 2FA verification method), but it didn’t inform its own reps, who had no idea that something had changed. I read about the change on a discussion forum.
FWIW, I have a note that tells me a possible workaround in Firefox to preventing pastes. The note says to set dom.event.clipboardevents.enabled to false to enable paste if a web page has disabled paste. (To do this, enter about:config in the address line of a tab, acknowledge the warning, search for dom.event.clipboardevents.enabled, and double-click it if it's true.) I welcome comments about why this works and whether it's a good idea.
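Why that preference works, as an added illustration (not code from the thread or from Firefox): a site that "blocks paste" usually does so with a page script that cancels the paste event, and setting dom.event.clipboardevents.enabled to false stops Firefox from dispatching clipboard events to page scripts at all, so the blocking handler never runs and the text lands in the field. The model below uses Node's built-in EventTarget to simulate both sides; the class and function names are hypothetical.

```javascript
// Constructed model of a password field that page scripts can listen on.
class PasswordField extends EventTarget {
  constructor() {
    super();
    this.value = '';
  }
}

// The site-side pattern the thread complains about: a paste handler that
// cancels the event, so the browser never inserts the clipboard text.
function attachPasteBlocker(field) {
  field.addEventListener('paste', (event) => event.preventDefault());
}

// Browser-side model. With clipboard events enabled, page scripts get a
// cancelable 'paste' event first and may veto the insertion. With the
// Firefox preference set to false, no event is dispatched, so the page's
// handler never sees the paste and the text is inserted regardless.
function pasteInto(field, text, clipboardEventsEnabled) {
  if (clipboardEventsEnabled) {
    const event = new Event('paste', { cancelable: true });
    // dispatchEvent returns false when a listener called preventDefault().
    const allowed = field.dispatchEvent(event);
    if (!allowed) return false;
  }
  field.value += text;
  return true;
}

// Walk through the scenario: the same site handler, two browser settings.
function demo() {
  const field = new PasswordField();
  attachPasteBlocker(field);
  const withEvents = pasteInto(field, 'correct horse battery staple', true);
  const withoutEvents = pasteInto(field, 'correct horse battery staple', false);
  return { withEvents, withoutEvents, value: field.value };
}
```

The defender's takeaway is the one Glenn draws above: a site gains nothing by vetoing paste, since the preference shows the veto only ever runs at the page's discretion, while it actively discourages long, manager-generated passwords.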
Here is an article on–and link to–the interview with Bill Burr, the “former National Institute of Standards and Technology manager [who] admitted that a document he authored on crafting strong passwords was misguided.”
Thanks for the reply. I was mostly wondering about a situation involving theft or coercion – b/c in that case, wouldn’t the encryption be meaningless?
Theft, no: someone has to have access to your passphrase or biometrics. The data is stored in such a strong fashion that there's no known feasible way, even for governments, to extract passwords from an iPhone, iPad, or Mac. Brute-force cracking only works on limited-length passwords, and that has to round-trip through the actual device, and Apple is constantly patching exploits that make that easier (and suing companies that provide the service, even if they offer the service to the FBI).
Coercion: always an issue. Rare that anyone who isn’t the target of a government for illegitimate reasons (activist under a dictatorship, arrested wrongly in a democracy), an actual criminal, or being robbed in a very particular way encounters that.
I decided to reset my password for Citibank last night and entered my old password for the new password so I wouldn’t have to hassle with updating the entry in 1Password. The website didn’t complain that I was reusing an old password; it complained that the 50-character random alphanumeric password was weak because it did not have any special characters in it. After I updated to a password with symbols, filling from 1Password worked fine.
So I think the rep you spoke with might have been wrong about the reason it wasn’t working for you. It seems Citibank decided to require at least some of us to reset our passwords, but I don’t recall receiving any notice from them.
Perhaps the original (and as far as I can see, the only valid) reason for expiring passwords is the risk of shoulder surfing. This could have been a real issue in open-plan offices or where screens are visible to clients. There is a real risk that your password will eventually be seen by someone who wants to get it (i.e., by looking at your fingers on the keyboard). Any parent will tell you that it is not easy keeping passwords or PIN codes secret…
Not to mention the risk from video surveillance. Any time you enter your password in a space where there might be cameras, you risk someone accessing the video and figuring out the password from your keystrokes.
Then there is inadvertent visual disclosure - accidentally typing the password in the user or other plain text field. There is a risk someone sees (or it is captured on video).
Of course, using password managers eliminates that risk; the password never appears in plain text in ordinary operation. With the appropriate plug-in or extension for a browser, the password manager recognizes the URL and, either on its own or once you start typing a user ID, fills in the rest of the user ID and the password, masked by '*'s. If you let the manager create the password, you can also see it only on request. If you need to copy it and paste it into a password field, that too is totally masked. At worst, the snooper will only be able to determine its length.