How often Should You Change Your Passwords?
Answer: Not as often as you think…
You’ve probably heard the common advice to change all your passwords every three months. However, we are here to tell you that this may not be as helpful as you think. It might actually be harmful. The National Institute of Standards and Technology (NIST) no longer recommends regular password changes. You should change them only when something significant has happened that triggers the need to update them.
So let’s look at why you shouldn’t change your password frequently and the situations where you should update it.
Why you shouldn’t change your passwords regularly
Changing passwords too much means inevitable compromises
Assuming you are using your memory to retain all of these complex, long passwords (you don’t write them down anywhere…right?), it becomes quite a challenge to constantly create and remember new ones, unless you have a photographic memory. Naturally, this leads to shortcuts, and over time, the risk of compromise increases. A common habit is to slightly modify passwords, like adding a number at the end and incrementing it with each change, which unfortunately weakens their overall security.
It’s much better to have a bunch of unique, long and complex passwords that never change, rather than weak ones that change regularly.
You don’t actually gain anything
Assuming your complex, long and well-defined password isn’t compromised, you gain nothing by substituting another equally unique and complex password for it. Both are secure passwords, so you haven’t achieved any extra security by doing this.
When should you change your password?
Answer: After something happens that requires you to change it.
Let’s define what these circumstances are.
After finding evidence of unauthorised usage of your account(s)
You will often receive an email when a new device (unknown to the login portal) is used to log in for the first time successfully.
If you receive such a warning, and you didn’t initiate the login, this is an obvious red flag. Firstly, check that it isn’t a phishing scam designed to steal your credentials when you log into a cloned web portal. They can look very realistic, but the email will usually be a giveaway: for example, the address it is sent from often looks suspicious and not what you’d expect from the organisation it is trying to imitate. If it’s a Gmail address rather than a business email, it is likely a scam.
Assuming it is genuine (99% of them won’t be), you should immediately log in (by going to the site directly, not through any link in the email) and change your password. This will boot out the hacker’s successful login and make your account secure again. Time is very much of the essence here: you need to log in and change your password before the hacker is able to change it and lock you out of your account.
Using two-factor authentication (2FA) is a great way to guard against a hacker and adds an extra layer of protection. It significantly reduces the chance of a hacker being able to exploit any compromised passwords they may discover.
After a data breach
This is a situation where a computer network that holds your personal account information (sometimes including clear-text passwords) has been successfully hacked and that information has been compromised.
Hackers often try using a process called ‘credential stuffing,’ where an automated bot system attempts to use your hacked credentials on thousands of websites and login portals. This tactic takes advantage of the fact that many users reuse the same password across multiple accounts. By using unique and complex passwords for each login, you can prevent yourself from being a victim of ‘credential stuffing’ and reduce the risk of your accounts being compromised.
After logging into your account(s) on someone else’s device
Who knows what keyloggers or other nasty software could be lurking on a device you don’t own? The best approach is don’t do it, but if you must, then it’s best to change at least that one password straight after. If you have used the same password elsewhere, change it in the other web portals as well.
After logging into your account(s) through a public/unsecured network
In such a network, other users may well be able to see what you are typing in or looking at. If you need to use one of these networks, you should change any passwords you have entered afterwards.
Tips for creating strong passwords
When choosing a secure password, it can feel overwhelming where to begin. Here are some helpful tips for creating a strong password.
Include a variety of characters: Combine uppercase and lowercase letters, numbers, and special symbols (e.g., !, @, #, %) to make your password more difficult to crack.
Avoid commonly used words and patterns: Easy to guess numbers like ‘12345’ or words like ‘password’ and ‘qwerty’ should all be avoided. Some of the most frequently hacked passwords contain these.
Use a password manager to store and save passwords for you: This saves you having to remember all your different passwords. There are several available that are gaining in popularity. Apple, Android and Microsoft all attach password managers to browsers and/or operating systems.
Use two-factor authentication (2FA): This stops hackers using your compromised credentials by requiring a second form of verification before allowing you to log in. It is often a code sent to your mobile or email. Even if your password has unknowingly been compromised, unauthorised access is blocked without the second form of verification.
Don’t reuse passwords or use related ones: Every account should have its own, complex password. Having the same password or similar ones across different accounts means if one password is compromised, you risk multiple different accounts being hacked.
If you’ll struggle to remember all the different ones, use a password manager as mentioned above.
Let Apple or Android tools generate them for you: There are tools that can generate random and complex passwords for you. You can then save these to your device using a password manager.
Make the password long: 12–16 characters is the recommended length for a strong password.
How Can SES Help?
With so many new threats, staying secure online is more important than ever. Our Managed Cyber Security Services can help protect your business from the ever growing number of cyber threats.
Contact us to see how we can help you stay safe online.