A few years ago, it was considered safe to change passwords after a certain period, say, three months. System administrators and software developers forced everyone to follow this rule, and people meekly changed their passwords at regular intervals. And it was considered safe, even very. But there are some nuances in this strategy.
Research and observations have shown that when people are regularly and scheduled to change their passwords, they start writing them down on paper, in notebooks; to the old password, add a character (it was MyPassword1, it became MyPassword2, then MyPassword3), etc.
If an attacker gains access to one of these passwords, he can easily predict what the password will be in six months or a year, which will allow him to continue using the victim's data without additional effort. And the victim will change the password only when it's time for another change.
And how is it accepted now? It's simple: if you suspect that the password has been stolen, you will want to act immediately, rather than waiting for the expiration date to fix the problem.
For example, if you entered the password from the mail somewhere in a public place where surveillance cameras are installed, it is better to change the password. I had to log in to my Facebook account on someone else's device; it will be safer to update the login details.
Many users use devices at home during quarantine, and if you haven't been the victim of a phishing attack or installed any suspicious software, you don't have to regularly change your password. This should only be done if you suspect that someone may have obtained data to log in to an account.
Of course, it is necessary to follow the rules of unique password (one account a separate password), length (the longer, the better), and the absence of any personal information (without any year of birth and maiden name of the mother).
Today, these rules of conduct are considered the norm, taking into account the previous experience of using passwords. Still, soon they will be revised, and the conclusions with recommendations will be different. Stay tuned.
As for the technical component, it is also full of surprises. For example, it used to be enough to "pixelate" or "blur" important information (passwords, numbers, addresses, etc.) on any electronic document or screenshot and publish it in the public domain.
Now almost any user can try to recover the hidden password in the screenshot using the Depix tool. True, there were similar tools five years ago, but less effective.
Yes, the accuracy may not be the highest initially, but, say, knowing the exact meaning and sequence of 8 password characters out of 12 is almost a victory. This password will be straightforward to crack by picking up missing values.
This method's effectiveness will constantly increase with training and mass use, and eventually, the technology will spread to other ways of hiding information, such as "blocking."
It is likely that shortly, based on this algorithm, there will be chatbots or applications in which you can attach images with pixelated text and get a decrypted version.
What to do in this case? Change your behavior and tools. Stop publishing documents containing sensitive information altogether. If it is still necessary, cut the document, hide the data by painting, no pixelation, etc. Well, search clean all your old posts where you pixelated something.
So, do everything once and relax; it will not work. The field of digital security is very dynamic, so it needs your close attention.