Did you know that the policy has changed to “no periodic password changes are required?”




Password

<prologue>

I started a blog called “The Baby Boomer Generation’s Miscellaneous Blog”(Dankai-sedai no garakutatyou:団塊世代の我楽多(がらくた)帳) in July 2018, about a year before I fully retired. More than six years have passed since then, and the number of articles has increased considerably.

So, in order to make them accessible to people who don’t understand Japanese, I decided to translate my past articles into English and publish them.

It may sound a bit exaggerated, but I would like to make this my life’s work.

It should be noted that haiku and waka (Japanese short fixed form poems) are quite difficult to translate into English, so some parts are written in Japanese.

If you are interested in haiku or waka and would like to know more, please read introductory or specialized books on haiku or waka written in English.

I also write many articles about the Japanese language. I would be happy if these inspire more people to want to learn Japanese.

my blog’s URL:団塊世代の我楽多(がらくた)帳 | 団塊世代が雑学や面白い話を発信しています

my X’s URL:団塊世代の我楽多帳(@historia49)さん / X

Salaried workers are often asked to “change their passwords periodically” on their company computers.

Also, if you use Internet banking, you are likely to be asked to “change your password periodically” as well.

Such frequent password changes are said to cause “password fatigue” (also called “pass fatigue” for short).

Recently, services often add a second check on top of the password, such as a “secret question” or a “one-time password”.

1. Policy Change to “No Need to Change Passwords Regularly”

(1) Japanese Government

However, in March 2018, the Ministry of Internal Affairs and Communications revised its “Information Security Website for Citizens” to say the following:

Depending on the service you use, you may be required to change your password periodically. However, unless your password has actually been cracked and your account hijacked, or there has been a leak on the service provider’s side, there is no need to change your password. On the contrary, the real problem is that periodic changes lead people to create passwords by pattern, so they become simple, and to reuse them.

(2) Microsoft Corp.

Microsoft removed the password-expiration setting from its security baseline for the next major update of Windows 10, the May 2019 Update (version 1903, also known as 19H1), and for Windows Server version 1903.

2. The Danger of Changing Passwords Regularly

The dangers of changing passwords on a regular basis have long been pointed out in various fields.

(1) U.S. security experts

In August 2016, the Nihon Keizai Shimbun reported that Lorrie Cranor, chief technologist at the Federal Trade Commission (FTC), had told a security conference in Las Vegas that “the common belief in regular password changes is completely wrong.”

When asked to change their passwords frequently, most people limit the change to something like switching a lowercase letter to uppercase, adding a single character to the end, or going back to a password they used before, and attackers can easily spot such “transformation” patterns.

(2) U.S. Government

In May 2017, Newsweek (Japan) reported: “The U.S. body responsible for electronic-authentication standards has decided to stop recommending periodic password changes. Instead, end users should eventually be asked for a ‘passphrase’.”

The change comes with the new edition of the “Electronic Authentication Guideline” issued by the National Institute of Standards and Technology (NIST), the U.S. standards body; the new edition is retitled Digital Identity Guidelines (SP 800-63-3, June 2017), and its password rules are in SP 800-63B.

In addition to dropping the periodic-change rule, NIST asks services to accept long “passphrases”: a verifier must allow passwords of at least 64 characters and should accept spaces within them.

The advantage of a passphrase is that it is easy to remember despite its length, and that length is what makes it hard to crack.

3. Information Leakage Cases in Which Strict Password Management Backfired

(1) The “notepad” containing “complex and random passwords” was stolen.

(2) The employee had “memorized” the “complex and random passwords” but used the same passwords for both company and personal accounts.

In case (1), a colleague who bore a grudge against the company stole the password note, leading to a leak of company information; in case (2), personal information and the password were stolen from one of the websites where the employee had used it.

4. How should we respond?

So how should we respond?

As far as I know, many financial institutions require the use of “one-time passwords” using tokens for online banking. I think this is the safest and most secure way.

Some financial institutions also use a series of “secret questions” in addition to the password.

However, few if any financial institutions or websites so far ask for a “passphrase”.

(1) Bad and good passwords

① Bad passwords (I think these days they are often rejected at the point of setup)

Phone number, zip code, license plate number

Date of birth

Employee number

② Good passwords

Good passwords do not use personal information such as names.

No plain dictionary words.

A mix of letters and numbers.

Of adequate length.

Something you can remember and type easily.

Note, though, that the NIST guidelines in section 2 deliberately drop composition rules of the “mix of letters and numbers” kind in favor of length, a check against passwords known to have been breached, and no forced rotation; under those rules a long passphrase made of ordinary words is a good password.
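Pulling together the FTC observation in section 2 (1) (users make cheap edits when forced to rotate), the NIST rules in section 2 (2) and the list of bad passwords above, the following shows what a password-change check looks like when it follows that guidance instead of a rotation rule: a minimum length, a generous maximum, no composition rules, no expiry date, a breach blocklist, rejection of trivial edits of the previous password (case flip, appended “!”, incremented year, leet spelling), and rejection of the user’s own personal data. This is an added example, not code from the original post or from NIST; the blocklist contents, the sample profile (Taro Yamada, 1963-04-12, EMP-12345) and all function names are assumptions.

```python
"""
Password-change check modelled on NIST SP 800-63B (2017).
Added example; the blocklist and the sample profile are constructed.
"""
import re
import unicodedata
from typing import Iterable, List, Optional

MIN_LEN = 8     # SP 800-63B: at least 8 characters
MAX_LEN = 128   # SP 800-63B: verifiers must accept at least 64; we allow more

# Constructed stand-in for a breached/common-password corpus; compared lower-cased.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1", "p@ssw0rd"}

# Leet substitutions that a single cracking rule undoes.
_DELEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                         "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """NFKC-normalize so that visually identical inputs compare equal (800-63B 5.1.1.2)."""
    return unicodedata.normalize("NFKC", password)


def _stem(password: str) -> str:
    """Lower-case, drop trailing digits/symbols, undo leet: 'Summer2024!' -> 'summer'."""
    return re.sub(r"[\d\W_]+$", "", password.lower()).translate(_DELEET)


def trivial_variant(old: str, new: str) -> Optional[str]:
    """Name the cheap edit that turns `old` into `new`, or None if there is none."""
    old, new = normalize(old), normalize(new)
    if new == old:
        return "reused"
    if new.lower() == old.lower():
        return "case change only"
    shorter, longer = sorted((old, new), key=len)
    if (longer.startswith(shorter) or longer.endswith(shorter)) and len(longer) - len(shorter) <= 2:
        return "one or two characters added or removed"
    if _stem(old) and _stem(old) == _stem(new):
        return "same stem with different digits, symbols or leet spelling"
    return None


def _forms(datum: str) -> set:
    """Variants of a personal datum an attacker would try: lower-cased, digits only, name tokens."""
    forms = {datum.lower()}
    digits = re.sub(r"\D", "", datum)
    if len(digits) >= 4:
        forms.add(digits)
    forms.update(tok for tok in re.split(r"\W+", datum.lower()) if len(tok) >= 4)
    return forms


def contains_personal_data(password: str, personal: Iterable[str]) -> Optional[str]:
    """Return the personal datum (name, birth date, employee number...) found in `password`."""
    pw = normalize(password).lower()
    pw_digits = re.sub(r"\D", "", pw)
    for datum in personal:
        for form in _forms(datum):
            if form in pw or (form.isdigit() and form in pw_digits):
                return datum
    return None


def check_new_password(old: str, new: str, personal: Iterable[str] = ()) -> List[str]:
    """Return the reasons to reject `new`; an empty list means accept it.

    Deliberately absent: 'must contain a digit/upper-case' rules and any expiry date.
    """
    candidate = normalize(new)
    problems: List[str] = []
    if len(candidate) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(candidate) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if candidate.lower() in BLOCKLIST or candidate.lower().translate(_DELEET) in BLOCKLIST:
        problems.append("appears in the breached/common password blocklist")
    reason = trivial_variant(old, new)
    if reason:
        problems.append(f"trivial variant of the previous password: {reason}")
    datum = contains_personal_data(new, personal)
    if datum:
        problems.append(f"contains personal data: {datum!r}")
    return problems


if __name__ == "__main__":
    personal = ("Taro Yamada", "1963-04-12", "EMP-12345")   # constructed sample profile
    for old, new in [("Summer2023!", "Summer2024!"),
                     ("Password", "P@ssw0rd"),
                     ("hunter2", "Taro19630412!"),
                     ("hunter2", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {check_new_password(old, new, personal) or 'accepted'}")
```

The check runs at the one moment the server legitimately sees both the old and the new secret in clear text (the change form), which is why a “don’t just bump the year” rule can be enforced there even though only hashes are stored otherwise. Under this policy “Summer2023!” to “Summer2024!” is refused while the four-word passphrase is accepted, which is the point of sections 1 and 2: length and novelty, not rotation, are what the rules should demand.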

(2) Password storage methods

It is hard to keep several random, meaningless passwords in your head, so many people inevitably end up writing them on memos, USB sticks and the like.

Even so, the basic rule is to keep them somewhere separate from the computer or terminal they unlock, preferably in a locked desk drawer or a safe. A password manager does the same job in software: one strong master passphrase protects the rest, and nothing has to be written down.

(3) Use the latest version of reliable anti-virus software

Anti-virus is a cat-and-mouse game with attackers, but it is still worth running a reputable product and keeping it up to date.

By the way, I use “Virus Buster Cloud” by Trend Micro. I am also a member of “Digital Life Support Premium”. With this, support is available 24 hours a day, 7 days a week, so I can rest assured that they will help me if anything suspicious happens. They can be reached by phone, email, or online. They can also help with questions about setting up and operating your computer or smartphone.

Note that installing more than one anti-virus product is counterproductive.

If you already have anti-virus software installed, adding a second product does not strengthen your protection; the two conflict with each other, which makes things worse.