Why change passwords periodically?
Changing passwords periodically is the conventional wisdom. I’m unconventional, and explain why.
I read many articles (including some on Ask Leo!) that recommend that people should change their passwords from time to time. But what is good practice in this respect? Good practice in a corporate environment seems to be to force network and other password changes every 30 days or so. This would seem to be overkill in the home environment. Do you have a view on how to build such a good routine?
As you say, routines for things like this are difficult to set up, and if not automated, they are easily forgotten. Automation may be the answer in many cases, but it’s not always available — at least not in a convenient form.
But before we even get to that, I want to talk about the “you should change your password periodically” rule of thumb.
Password value over time
Conventional wisdom is that you should change your password “every so often”.
When I sat down to think about why, I couldn’t come up with a good reason.
There’s nothing about the age of a password that necessarily makes it lose its quality over time.
The vast majority of password-based hacks are due to weak passwords, sharing passwords when you shouldn’t, and technology-based compromises, like viruses or keyloggers. They get your password right now without regard to its age. Whether you changed it yesterday or last year, these compromises simply get your current password.
And, as I said, these are probably the most common forms of individual password theft.
Periodically changing your password can add a small layer of security to avoid some less common threats: someone stealing an old database of accounts and passwords, perhaps. Or someone finding your notebook from last year where you’d scribbled your passwords down. These kinds of things can and occasionally do happen — just not nearly as often as the more common compromises above.
Keeping a password safe
The steps to keep your account safe with respect to your password would be, in priority order:
- Choose a good password. Longer is better. If you’re still using an eight-character password, it’s not long enough; passwords should be at least 12, and ideally 16 or more, characters long.
- Tell no one. After starting Ask Leo!, I was surprised to learn how often people that shouldn’t share passwords frequently do. Then they’re surprised when their friend is no longer their friend, or their spouse is no longer their spouse, and suddenly their email, Facebook, or other account is compromised.
- Don’t write it down. Yes, make it a good password, but either make it something that you can remember, so that you don’t have to write it down, or use a password manager application (like LastPass) to remember it for you.
- Don’t use the same password on multiple sites. When you do, you allow a compromise of one account to impact all your accounts using the same password. Hackers know that people do this, and they absolutely do try to see if you’re one of those people.
- Remember that changing your password is not enough if your account gets compromised.
- Consider adding two-factor authentication to further protect important accounts.
When to change your password
There are some situations where you definitely do want to change your password, but they’re not tied to any schedule or length of time.
- Change your password if you realize that you’ve selected a poor password — be it easy to guess, or too short. Choose a better, more secure password.
- Change your password at the first hint of strange activity on your account. If your account has been hacked, doing this immediately is step one. Then take additional steps to secure your account as well.
- Change your password for an account if you hear reports of, or are notified by, a service having been compromised. If you’ve been using that service as the alternate account for one of your other accounts, consider changing that other account’s password as well.
Automating the process
So, how to automate it?
I don’t really have a good solution on “building a good routine”, as you put it.
But as you can see, I’ve also come to the conclusion that perhaps that routine isn’t really as important as we’ve been led to believe.
The power of determination
I’ll end this with a story I’ve seen happen (and have also overheard in an episode of Security Now!):
A company had configured its Windows logins to require a new password every certain number of days (30, 60, or 90 days seems to be common; I’ll say 30 for example’s sake). It had also configured the system to require that you not re-use your last five passwords. You had to come up with a new one each time.
So one individual, every 30 days, would change his password six times in succession so that his current password would be forgotten by the system and he could use it again.
Yes, he changed his passwords six times in a row, so that he could keep his favorite password unchanged.
Users can be … innovative … at getting what they want.
This article originally appeared on Ask Leo! where you’ll always find updates as well as the most vibrant discussion. For the latest, subscribe now to The Ask Leo! Newsletter and get a copy of The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition. This ebook will help you identify the most important steps you can take to keep your computer, and yourself, safe as you navigate today’s digital landscape.