What you should know about changing your password too often - but is this really the problem with passwords?

Passwords – now, that's a topic which has been at the forefront of the industry for the last couple of years. Whether we discuss the most secure and efficient way to store them, how to manage and create them or if someday soon enough they'll be completely replaced by biometrics, traditional passwords are a buzzword in information security.

Industry experts, regular users and fraud prevention enthusiasts constantly challenge themselves to tackle newly emerging threats and come up with improved countermeasures. In this ever-changing world, with all the disruptions in the modern economy, and in technology in particular, it is critical to acknowledge that information security is not a project but an evolving process.

And, like every evolving process, it changes a lot and most of the time requires new measures to mitigate risks. As Chief Technologist Lorrie Cranor puts it, "what was reasonable in 2006 may not be reasonable now". Lorrie conducts research on how to make passwords more usable and secure, and she notes that a new question is on everyone's lips lately: how often should we change our password?

Change your password periodically. How many of us haven't seen or heard this recommendation from security experts? And of course we did as we were told. I still do. For some of my accounts, I change my password regularly. But can this really help me in case there's an attack?

The answer is both yes and no. This preventive measure is aimed at reducing the risk of already stolen passwords being cracked and used. What does that mean exactly? Passwords are usually stored in hashed form to protect them against attackers. Once stolen, these hashes still have to be cracked, that is, the attacker has to guess candidate passwords until one matches a hash, which can take a while. Changing your password within that window can make your account safer and prevent attackers from accessing it with the old password.

However, there's a catch. Even if you change your password regularly, you might still be at risk. As Lorrie Cranor discovered, people who change their passwords on a regular basis tend to choose similar ones to make sure they won't forget them, and this makes it much easier for attackers to break them and use them to gain access to sensitive data. Thus, changing your password frequently is useless if you don't choose an entirely different, complex one that's not easy to break.

On top of that, attackers who have obtained the hashed passwords and can tell that users change them regularly can easily guess the new password from the old one, even after it has been changed. Another aspect to take into account is that having multiple passwords and changing them often can be difficult for some people to manage, even with all the password managers available. Poor password management also makes us all susceptible to fraud.
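To make that concrete, here is an added example (not from the article) of the kind of check a service can run at password-change time to reject a new password that is only a trivial variant of the old one. The function names, the substitution table and the sample passwords are all constructed for illustration.

```python
import re

# Constructed table for undoing common letter-for-symbol swaps ("P@ssw0rd" -> "password").
# It is an illustrative subset, not an exhaustive list.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Reduce a password to its alphabetic core so that trivial variants collapse.

    Lower-cases, strips leading/trailing digits and punctuation (the "2016!" counter
    people bump every rotation), undoes the leet swaps, then drops any non-letters.
    """
    core = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    core = core.translate(LEET)
    return re.sub(r"[^a-z]+", "", core)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) by row-by-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_predictable_change(old: str, new: str, max_edits: int = 2) -> bool:
    """Return True when `new` is only a trivial variant of `old` and should be rejected."""
    o, n = old.lower(), new.lower()
    if n in (o, o[::-1]):                              # identical or simply reversed
        return True
    oc, nc = normalize(old), normalize(new)
    if min(len(oc), len(nc)) >= 4 and (oc in nc or nc in oc):  # same core word, new dressing
        return True
    return levenshtein(o, n) <= max_edits              # only a character or two changed


if __name__ == "__main__":
    # Constructed sample rotations, not real credentials.
    for old, new in [("Summer2016!", "Summer2017!"), ("P@ssw0rd1", "Password2"),
                     ("Winter2016", "6102retniW"), ("Summer2016!", "correct horse battery staple")]:
        verdict = "reject" if is_predictable_change(old, new) else "accept"
        print(f"{old!r} -> {new!r}: {verdict}")
```

Only the last pair is accepted; the first three are the "bump the year", "swap a symbol" and "reverse it" habits the research above describes.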

Therefore, is it counterproductive to change passwords often? No, not necessarily. Yet it might turn out to be, if other things are not considered. Once you change your password, make sure you do not create a predictable one. Yes, it is indeed difficult and frustrating to include both upper- and lowercase letters, at least one digit and one special character. I can most certainly relate to this; I am in physical pain each time I need to create a new account. But I always think it is for my own safety, and I struggle to find passwords that are strong.

Do not fall into the trap of thinking you could use words or expressions found in a standard dictionary, or that simply replacing letters with digits or special characters makes them safe. These are the most breakable passwords. Nonetheless, I believe it is important to mention that certain experts have concluded that multi-word phrases make more secure passwords than a combination of special characters. Special characters might seem difficult, but they are only difficult for users to remember, while attackers can break them quite easily. Hence, if you're changing your password, often or not that often, do it in a smart way.

At the same time, you should always replace your password if you think it might have been stolen. If you tend to reuse passwords across multiple accounts, it would be a good idea to change those from time to time as well.

So, how often do you change your passwords? Do you have any other best practices when it comes to passwords? 
