How often should you change your passwords?

And is that actually the right question? Here’s what else you need to consider when it comes to keeping your accounts safe.

There has been a lot of talk in recent years about the growing potential of passwordless authentication and passkeys. Thanks to the near ubiquity of smartphone-based facial recognition, the ability to log into your favorite apps or other services by looking into your device (or some other method of biometric authentication) is now a refreshingly simple and secure reality for many. But it’s still not the norm, especially in the desktop world, with many of us still relying on good old passwords.

This is where the challenge lies, as passwords remain a prime target for fraudsters and other threat actors. So how often should we change these credentials to keep them secure? Answering this question may be more difficult than you think.

Why password changes may not make sense

Until not so long ago, the standard advice was to change passwords regularly to reduce the risk of a secret being stolen or cracked by cybercriminals. The received wisdom was a change somewhere between every 30 and 90 days.

However, times are changing and research shows that frequent password changes, especially on a regular schedule, do not necessarily improve account security. In other words, there is no one-size-fits-all answer to the question of when you should change your password(s). Plus, many of us have too many online accounts to easily keep track of, let alone come up with (strong and unique) passwords for each of them every few months. Furthermore, we now live in a world of password managers and two-factor authentication (2FA) almost everywhere.

The former means it’s easier to store and remember long, strong, and unique passwords for each account. The latter adds a fairly seamless extra layer of security to the password login process. Some password managers now have dark web monitoring built in to automatically flag when credentials may have been compromised and distributed to underground sites.

In any case, there are some compelling reasons why security experts and globally respected authorities, such as the US National Institute of Standards and Technology (NIST) and the UK’s National Cyber Security Centre (NCSC), do not recommend that people be forced to change their passwords every few months unless certain criteria are met.

The reasoning is quite simple:

  • According to NIST: “Users tend to choose weaker stored secrets if they know they will have to change them in the near future.”
  • “When these changes occur, they often select a secret that is similar to their old stored secret by applying a series of common transformations, such as increasing a number in the password,” NIST continues.
  • This practice gives a false sense of security because if a previous password is compromised and you do not replace it with a strong and unique password, the attackers can easily crack it again.
  • According to the NCSC, new passwords, especially if they are created every few months, also have a greater chance of being written down and/or forgotten.

“It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What seemed like perfectly sensible, long-standing advice, does not, as it turns out, withstand a rigorous systems analysis,” the NCSC argues.

“The NCSC now advises organizations not to force the regular expiration of passwords. We believe this reduces the vulnerabilities associated with frequent password expiration, while doing little to increase the risk of long-term password misuse.”

When should you change your password?

However, there are several scenarios that require a password change, especially for your most important accounts. These include:

  • Your password was discovered in a third-party data breach. You are likely to be notified of this by the provider itself, or you may have signed up for such alerts on services such as Have I Been Pwned, or you may be notified by your password management provider who runs automated checks on the dark web.
  • Your password is weak and easy to guess or crack (that is, it is on a list of most common passwords). Hackers can use tools to try out common passwords for multiple accounts in the hope that one of them works – and more often than not, they succeed.
  • You have reused the password for multiple accounts. If any of these accounts is compromised, threat actors could use automated “credential stuffing” software to open your account on other sites/apps.
  • You have just learned, for example, thanks to your new security software, that your device has been compromised by malware.
  • You have shared your password with someone else.
  • You just removed people from a shared account (for example, former roommates).
  • You have logged in on a public computer (for example in a library) or on someone else’s device/computer.
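The first scenario above, a password turning up in a third-party breach, is what services such as Have I Been Pwned check for. Its Pwned Passwords lookup uses a k-anonymity scheme: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every suffix in that range with a breach count, and matches the rest locally, so the password itself never leaves the device. The following Python is an added example of that client-side half, not code from the article or from ESET; the range response it consults is a constructed, offline stand-in for the real API (the suffix for the word "password" is its genuine SHA-1 suffix, but the counts and the other suffixes are made up), and `fetch_range` is a hypothetical placeholder for the HTTP call.

```python
import hashlib
from typing import Callable, Dict

# Constructed stand-in for Pwned Passwords "range" responses, keyed by the
# 5-character SHA-1 prefix a client would send. Each line is
# "<35-hex-char suffix>:<count>". Suffixes and counts here are made up for
# this example, apart from the middle "5BAA6" entry, which is the real
# suffix of SHA-1("password"); its count is constructed too.
CONSTRUCTED_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "1D72CD07550416C216D8AD296BF5C0AE8E0:10",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:4",
    ]),
}


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is transmitted and the 35-char suffix that stays on the device."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Hypothetical transport. A real client would GET
    https://api.pwnedpasswords.com/range/<prefix>; here we answer from the
    constructed table so the example runs offline."""
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix, "")


def parse_range(body: str) -> Dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str,
                 fetch: Callable[[str], str] = fetch_range) -> int:
    """Number of times the password appears in the breach corpus, or 0.
    Only the prefix is passed to `fetch`; the suffix comparison is local."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "tQ9#vLp2!wXz4mR7"):
        n = breach_count(candidate)
        verdict = f"seen {n} times, change it" if n else "not in the sample corpus"
        print(f"{candidate!r}: {verdict}")
```

Because the real service returns every suffix in the range (hundreds of lines per prefix), a breach check gives away only 20 bits of the hash, which is why password managers can run it automatically without exposing the credential.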

Best practice password advice

To minimize the chance of account takeover, keep the following in mind:

  • Always use strong, long and unique passwords.
  • Save the above in a password manager that has one master credential for access and can automatically recall all your passwords for any site or app.
  • Monitor password breach alerts and take immediate action after receiving them.
  • Enable 2FA when available to give an extra layer of security to your account.
  • Consider enabling passkeys when offered for seamless, secure access to your accounts from your phone.
  • Consider regular password audits: check the passwords for all your accounts and make sure they are not duplicates or easy to guess. Change any that are weak or reused, or that contain personal information, such as birthdays or pet names.
  • Don’t store your passwords in the browser, even if it seems like a good idea. That’s because browsers are a popular target for threat actors, who can use information-stealing malware to intercept your passwords. It would also expose your saved passwords to anyone else using your device/computer.

If you don’t use the random, strong passwords suggested by your password manager (or ESET’s password generator), please refer to this list of tips from the US Cybersecurity and Infrastructure Security Agency (CISA). It is recommended that you use the longest allowed password or passphrase (8-64 characters) whenever possible, including upper and lower case letters, numbers, and special characters.
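The password audit recommended above, together with NIST’s observation that forced rotations produce near-copies of the old secret and the 8-character lower bound from CISA’s guidance, can be turned into a small check that runs locally over an exported vault. The Python below is an added example, not code from the article, from ESET, or from any password manager; the account list, the previous-password map, the personal terms and the six-entry common-password list are all constructed for the example (a real audit would load a published list of thousands of common passwords), and the finding names are this example’s own.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed stand-in for a "most common passwords" list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Lower bound of the 8-64 character range cited in the article.
MIN_LENGTH = 8


def normalize(password: str) -> str:
    """Remove the cosmetic changes people make at rotation time: letter case
    and any digits/symbols at either end ("Summer2023!" and "Summer2024!"
    both reduce to "summer")."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())


def is_simple_variant(old: str, new: str) -> bool:
    """True when the new password is the old one, or differs from it only by
    the common transformations NIST describes (case, bumped number, symbol)."""
    if old == new:
        return True
    core = normalize(old)
    return bool(core) and core == normalize(new)


def contains_personal_info(password: str, terms: Iterable[str]) -> List[str]:
    """Personal terms (names, years, pets) found inside the password."""
    lowered = password.lower()
    return [t for t in terms if t.lower() in lowered]


def audit(accounts: Dict[str, str],
          previous: Dict[str, str] = None,
          personal_terms: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Return, per account, the list of findings that call for a change."""
    previous = previous or {}
    usage = Counter(accounts.values())          # how many accounts share each password
    report: Dict[str, List[str]] = {}
    for name, pw in accounts.items():
        findings: List[str] = []
        if len(pw) < MIN_LENGTH:
            findings.append("too_short")
        if pw.lower() in COMMON_PASSWORDS:
            findings.append("common")
        if usage[pw] > 1:
            findings.append("reused")
        if name in previous and is_simple_variant(previous[name], pw):
            findings.append("variant_of_previous")
        if contains_personal_info(pw, personal_terms):
            findings.append("personal_info")
        report[name] = findings
    return report


# Constructed sample vault, including one rotated-by-increment password.
SAMPLE_ACCOUNTS = {
    "email": "Summer2024!",
    "bank": "Summer2024!",
    "shop": "password",
    "forum": "Fluffy1999",
    "work": "tQ9#vLp2!wXz4mR7",
}
SAMPLE_PREVIOUS = {"email": "Summer2023!"}
SAMPLE_PERSONAL_TERMS = ["fluffy", "1999"]


if __name__ == "__main__":
    for account, findings in audit(SAMPLE_ACCOUNTS, SAMPLE_PREVIOUS,
                                   SAMPLE_PERSONAL_TERMS).items():
        print(f"{account:6s} {'OK' if not findings else ', '.join(findings)}")
```

The `variant_of_previous` check is the interesting one: it is exactly the weakness the NIST and NCSC guidance is about, and it only fires when an old password is available to compare against, which is why the audit is worth running at the moment you rotate rather than on a calendar schedule.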

The hope is that passkeys – with the support of Google, Apple, Microsoft and other major players in the technology ecosystem – will eventually bring an end to the password age. But in the meantime, make sure your accounts are as secure as possible.