Password security has been coming up a lot lately, especially with the pandemic forcing people to work online from home. Naturally, one of the questions a lot of people ask is how often they should change their passwords.
Well, you’ll be surprised to know that frequent password changes aren’t actually a good thing. In fact, they might do the opposite of provide good security by forcing people to pick similar passwords out of frustration. So right off the bat, that’s some advice you should take to heart.
The Problem with Frequent Changes
For a very long time, the accepted timetable for password changing was essentially every 30, 60 or 90, days, so basically once every 3 months or so. Sadly, that has caused an absolutely massive problem, especially with businesses that force these frequent changes. Even Wired touched up on the same exact issue of not changing passwords often.
Now, employees and people in general need to memorize more and more passwords, making people even less likely to create secure and long passwords, and we can’t blame them.
Of course, there is a certain logic behind these recommended changes, at least there was at the time. The more often you change the password, the less likely that password is going to be cracked, correct? Actually, no, it makes the situation worse.
You see, people will ultimately just end up making some minor variation of the previous password when they are forced to create new ones so often.
Not only that, but imagine that you’ve just started work or are in the middle of something, and you suddenly get prompted for a password change. Needing to get on with it, you might pick something easy and really memorable, which will likely be something that can be easily guessed.
Recently, the NIST, that’s the National Institute of Standards and Technology, came up with some guidelines for when to change passwords. They themselves admit that there’s a big problem with frequent password changes, and suggested things such as lowering the frequency of password changes, as well as decreasing password complexity.
Another thing they advocate is to use longer but easier-to-remember, such as ones using several words. Similarly, companies and websites shouldn’t force password changes randomly or arbitrarily, and should have a good reason behind it to motivate employees to keep up.
They also talk about companies trying other things to mitigate a potential leaked password, such as two-factor authentication. There’s actually a lot of ways to protect information besides just focusing on a text password.
Best time To Change Your Password
Alright, so if every 30, 60 or 90 days is not the best time to change your password, then what is?
Well, first and foremost, if the service you are using has disclosed a breach, that’s an immediate password change right there. Similarly, if you receive a notification that your account has been accessed and you didn’t do it, that’s another immediate change as well. In fact, if you receive a two-factor authentication request without having made one, that’s probably another time to change your password as well.
In terms of local issues, if you find a virus or malware on your computer that’s been running rampant for a while, you’ll want to change your passwords as they’ll likely be compromised. That being said, I do want to clarify that if you have a good anti-virus running and it catches a virus or malware before it takes effect, you don’t have to worry. Also, if you’ve recently logged into a public or shared computer, it might be a good idea to change your password, since you don’t know what was running on that computer, and it may very well have had a keylogger.
If you’ve shared a password with somebody else you might want to consider changing it. If it's a shared account that they still use, make sure you aren’t using that password anywhere else. On the other hand, if they don’t use it any more, then there’s no harm in changing the password for the sake of security.
Finally, there actually is a good period of time after which you should change your password: one year or so. It’s a good amount of time that lies neatly between being just short enough that you aren’t feeling forced to make a new password (and therefore a bad one) and just enough that you might start considering it a risk to your account security, especially to things like ransomware or a pharming attack.
Great Tips For Changing Your Password
Alright, so now you know when to change your password, what's the best way to go about it?
Here’s some tips:
Use a password generator if you can’t come up with a good combination of 12 or 16 character passwords (which, yeah, it’s pretty difficult).
Since we don’t all have excellent memories, consider using a passphrase instead. Essentially that’s a string of words that sort of make sense put together. For example “Twenty Tots Sit On The Train” which is 23-characters long and is easily memorable.
You should absolutely get a password manager, as it allows you to store lots of complex passwords and add another layer of security. The master password you use can be incredibly long and complex, although don’t let that lure you into a false sense of security, you should still use the best practices mentioned above. Check out this guide on choosing the best password manager if you need a little help deciding which product is right for you.
Stop reusing passwords. This is a big one as well, since if they’ve gotten an old password, I assure you they will try it, as well as any variations of it.
If the service or website you use has two-factor authentication use it. It’s a strong layer of security you can add for relatively little hassle.