Talking to Rocks

Advent of Security: Day 2 - Key Rotation (password reset)

On the second cyber-mas day my true love gave to me: a key rotation and a clean cache with no more cooooooo-kiiiiiiiiiiiiiies

Key Rotations and for the uninitiated: Password Changes

All you uninitiated cyber-secure individuals will know the dreadful day when the little IT notification pops up on your screen or into your inbox asking you to change your password. See the addendum, but this is an important part of your digital hygiene. A good password makes a secure login, and a better password is just called a key.

A key pair is normally made by generating a long string of random bits (the private key) and deriving a second value from it with a one-way operation, for example the elliptic-curve arithmetic used by ed25519; that derived value is the public key, and nobody can work backwards from it to the private key. You can read more about how this works here and here

Changing keys is exactly like changing passwords: a hassle. But IT departments often keep a single key on file for a service for a long time. You can probably guess why that is bad if an attacker steals the key: they can now access everything you could access with it, often without even needing a username.

So for my technically initiated readers, take this as a reminder to rotate your keys. It isn't going to take nearly as long as you think: spend an hour and move on, honestly.
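To make "rotate your keys" concrete, here is an added example (written for this post, not code from the post or from any IT department) of the one piece people usually get wrong: a rotation that cuts over to a new key while still accepting the old one for a short grace window, then forgets it. It uses HMAC-SHA256 secrets from Python's standard library instead of the ed25519 key pairs mentioned above so it runs without extra packages; the rotation logic is the same for any key type. The class name `KeyRing`, the `kid` token prefix and the grace-window parameter are my own choices.

```python
# Added example: a minimal key ring with overlapped rotation (stdlib only).
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


class KeyRing:
    """Holds the current signing key plus retired keys that may still verify."""

    def __init__(self, grace_seconds: int = 3600) -> None:
        # kid -> (secret, retired_at); retired_at is None while the key is current.
        self.keys: Dict[str, Tuple[bytes, Optional[float]]] = {}
        self.current_kid: Optional[str] = None
        self.grace_seconds = grace_seconds
        self._counter = 0

    def rotate(self, now: float) -> str:
        """Mint a fresh key and make it current; the old key enters its grace window."""
        if self.current_kid is not None:
            old_secret, _ = self.keys[self.current_kid]
            self.keys[self.current_kid] = (old_secret, now)
        self._counter += 1
        kid = f"k{self._counter}"
        self.keys[kid] = (secrets.token_bytes(32), None)
        self.current_kid = kid
        return kid

    def prune(self, now: float) -> List[str]:
        """Delete retired keys whose grace window has passed; returns the dropped kids."""
        dropped = [kid for kid, (_, retired_at) in self.keys.items()
                   if retired_at is not None and now - retired_at > self.grace_seconds]
        for kid in dropped:
            del self.keys[kid]
        return dropped

    def sign(self, message: bytes) -> str:
        """Return '<kid>.<hex tag>' so the verifier knows which key to try."""
        if self.current_kid is None:
            raise RuntimeError("call rotate() once before signing")
        secret, _ = self.keys[self.current_kid]
        tag = hmac.new(secret, message, hashlib.sha256).hexdigest()
        return f"{self.current_kid}.{tag}"

    def verify(self, message: bytes, token: str, now: float) -> bool:
        """Accept the current key, or a retired key still inside its grace window."""
        kid, sep, tag = token.partition(".")
        entry = self.keys.get(kid)
        if not sep or entry is None:
            return False
        secret, retired_at = entry
        if retired_at is not None and now - retired_at > self.grace_seconds:
            return False
        expected = hmac.new(secret, message, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)


def rotation_walkthrough(grace_seconds: int = 60) -> Dict[str, object]:
    """What a consumer of the ring sees before, during and after one rotation."""
    ring = KeyRing(grace_seconds=grace_seconds)
    first = ring.rotate(now=0)
    old_token = ring.sign(b"GET /secret")
    second = ring.rotate(now=100)            # first key retired at t=100
    new_token = ring.sign(b"GET /secret")
    return {
        "kids": (first, second),
        "old_token_in_grace": ring.verify(b"GET /secret", old_token, now=150),
        "old_token_after_grace": ring.verify(b"GET /secret", old_token, now=161),
        "new_token_ok": ring.verify(b"GET /secret", new_token, now=161),
        "tampered_rejected": ring.verify(b"GET /admin", new_token, now=161),
        "pruned": ring.prune(now=200),
        "old_token_after_prune": ring.verify(b"GET /secret", old_token, now=150),
    }


if __name__ == "__main__":
    for name, value in rotation_walkthrough().items():
        print(f"{name}: {value}")
```

The grace window is what makes rotation painless: clients that already hold a token signed with the old key keep working until they refresh, while anyone who stole that key loses access as soon as the window closes and `prune` removes it. Rotating on a schedule without the prune step leaves the stolen key valid forever, which is the situation the paragraph above warns about.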

For the technically uninitiated, take this as a reminder to check if your passwords or accounts got pwned, which you can check on this site

Addendum

Recently NIST published a change to its password recommendation framework: you don't really need to change your password on a schedule like IT says you do, but MAKE SURE IT IS LONGER THAN 16 CHARACTERS, and change it if there is any evidence it has been compromised. I suggest using a password manager!
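An added example (written for this post, not from the post or from NIST) of what those two rules look like as code: a length check using the post's 16-character threshold, plus a breach lookup done the way k-anonymity range services do it, where only the first five characters of the password's SHA-1 hash are sent and the client matches the rest of the hash itself. The post does not name the breach-checking site; the k-anonymity range model is the one used by Have I Been Pwned's Pwned Passwords API, and assuming that is my own choice. The "leaked" corpus below is constructed in memory, so nothing leaves the machine.

```python
# Added example: password length rule plus an offline k-anonymity breach check.
import hashlib
from typing import Dict, List

MIN_LENGTH = 16  # the post's threshold: a password must be LONGER than this

# Constructed stand-in for a breach corpus, with made-up sighting counts.
_CONSTRUCTED_LEAK = {
    "correct horse battery staple": 3,
    "password": 9_000_000,
    "letmein": 12,
}


def _sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex, the form range-query services index on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_ranges(leak: Dict[str, int]) -> Dict[str, List[str]]:
    """Index the corpus as a range endpoint serves it: prefix -> 'SUFFIX:COUNT' lines."""
    ranges: Dict[str, List[str]] = {}
    for pw, count in leak.items():
        digest = _sha1_hex(pw)
        ranges.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return ranges


_RANGES = _build_ranges(_CONSTRUCTED_LEAK)


def range_lookup(prefix5: str) -> List[str]:
    """Stand-in for the network call: only the 5-character hash prefix is 'sent'."""
    return _RANGES.get(prefix5, [])


def breach_count(password: str) -> int:
    """Hash locally, query by prefix, and match the suffix on the client side."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def check_password(password: str) -> List[str]:
    """Return the reasons a password fails; an empty list means it passes both rules."""
    problems: List[str] = []
    if len(password) <= MIN_LENGTH:
        problems.append(
            f"too short ({len(password)} characters, need more than {MIN_LENGTH})")
    seen = breach_count(password)
    if seen:
        problems.append(f"found in breach corpus ({seen} times)")
    return problems


if __name__ == "__main__":
    for candidate in ["short", "correct horse battery staple", "purple-otter-reads-42-maps"]:
        print(repr(candidate), "->", check_password(candidate) or "ok")
```

The point of the prefix split is that the service never learns the password or even its full hash; it returns every suffix in that hash bucket and the client does the final comparison. A long passphrase that appears in a breach still fails, which is exactly the "change it if there is evidence it has been compromised" rule.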