How often do you change your password? We bet some of your credentials are more than a decade old.
In fact, most of us only change our passwords when a situation forces us to. Typically, that’s either when you can’t remember it, or an app or your company forces you to create a new one every few months.
So, which approach is right? Should you leave your password untouched for years, or should you change it as often as the seasons? Here are the pros and cons of changing your password too frequently.
It Makes Your Account (a Tiny Bit) More Secure
The argument suggests that if you’re the unwitting victim of a leak, changing your password regularly can quickly negate the details that a would-be hacker has on file.
Similarly, if someone gains access to your password without your knowledge, it prevents the person snooping on you for an extended period. It’s why IT Managers around the country are so obsessed with foisting forced resets on you every couple of weeks.
Is the argument valid? Yes, but it’s not as clear-cut as you might expect. Even on the assumption that your new passwords are as strong as the previous ones (more on that shortly), the practice has minimal benefit.
In a Carleton University paper, the researchers explained that attackers who have access to a hashed password file can perform attacks while offline. They can, therefore, test large numbers of passwords in a short amount of time. Weak- and medium-strength passwords are at risk.
The paper goes on to mathematically prove that even frequent strong password changes only hampered the attacks a negligible amount. The benefit is almost certainly not worth the inconvenience it brings to users.
Instead, the paper recommends that system administrators should use slow hash functions such as bcrypt. Users would not be inconvenienced, and the process makes it harder for attackers to guess a large number of passwords quickly.
Your New Password Is Likely to Be Insecure
I’m sure you don’t need us to tell you how to create a strong password, but the information is always worth repeating:
- Your password should use a mix of letters and numbers.
- It should use some uppercase and some lowercase letters.
- Ideally, it should contain special characters.
- It should be more than 12 characters long.
Those four points are easier said than done. Creating passwords that fulfill all the requirements — and then remembering them — takes a lot of mental energy.
So, what happens when people change their credentials too frequently? In short, they get lazy.
Again, it’s a scientifically proven phenomenon. In 2010, researchers at the University of North Carolina released a paper titled “The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis.” In it, they studied password histories from defunct accounts at the university.
The study looked at more than 10,000 old accounts and 51,141 passwords. The researchers performed an offline hash attack and ultimately cracked 60 percent of the credentials. From the 60 percent, 7,752 passwords were not the final password used on the account.
They then used that data set to see if they could extrapolate other passwords connected to the account. The results were amazing. In 17 percent of cases, the next password used on the account could be guessed in under five seconds.
But why? The study concluded that people tended to make very minor alterations when changing a password frequently. For example, Sausage123 might become $ausage123, hellocheese! would become hellocheese!!, and so on.
Frequent password changes are bad…
- …if your users are going to pick simple passwords to compensate for the frequent changes — to make their passwords easier to remember.
- …if your users are going to write their passwords down (especially if they’re writing them in places that are not at all secure).
- …if your users are going to forget their passwords when they change them, adding dramatically to the number of tickets that your tech support team is going to have to handle.
Frequent password changes are good…
- …if they prevent captured passwords from being used.
- …if the practice lessens the chance that your users will employ the same password for many different sites (more trouble to keep them in synch).
- ..if being required to change passwords periodically makes it less likely that your users will share their passwords.
One important issue to guard against weak passwords is that, no matter how frequently passwords are changed, most systems today provide some way to set complexity requirements that dictate password parameters such as length, mix of characters, re-use of previous passwords, similarity to common words, etc. For example, the practice of swapping certain characters for others that have a similar look — @ for a, 0 for o, etc. and mixing case — is not likely to pass the systems’ password checking routines if that’s all you do.
Password complexity requirements are important. On the other hand, the complexity mandates are likely inadequate when it comes to protecting your users’ passwords against the ever increasing cleverness of password guessing and cracking tools. Maybe they won’t let you get away with “P@ssword2” because it’s too similar to a dictionary word, but will they be OK with “NapTime@2PM”? Is that a good password? It used to be. But now? Read on and judge for yourself.
So When Should You Change Your Password?
At the start, I joked that you probably have some passwords which are approaching their tenth birthday. But is that a joke?
The evidence we’ve looked at so far appears to suggest long-standing passwords might actually be a good thing. What’s the truth? You just need a bit of common sense.
And if you think you’ve accidentally become the victim of a phishing scam, you should change your password.
In all cases, you need to make sure your new password has no resemblance to the old one. Don’t use the same core word. Don’t put the same special characters in the same positions. And don’t try something like writing your old password backward.
And remember, you should also change your password across any other accounts with use similar credentials. For example, if your Facebook password is flowerpot1 and your Twitter password is 1flowerpot, you should change them both.
If you’re not sure, just follow the four fundamental guidelines we discussed earlier in the article when you make a new password.
What About Forced Password Resets?
But what about forced password resets? Is it a good idea for an app or your employer to force a new password upon you? Probably not.
In 2009, The National Institute of Standards and Technology said regular password changes were “beneficial for reducing the impact of some password compromises,” but were “ineffective for others.” And, of course, users were frequently left frustrated by the forced change. Companies need to reach a compromise between security and usability.
The Bottom Line
The arguments might sound complex, but they are easy to summarize.
- User-initiated frequent password changes might make users marginally more secure, providing the new password is highly robust.
- Enforced frequent password changes often have a negative effect, with users choosing less secure credentials.
Now we want to hear your thoughts on the debate. Are you confident in your ability to choose a secure password on a regular basis? Or are you happy using a decade-old password on all your accounts?
Remember, if you do frequently create complicated new passwords, you use a password manager app like LastPass. You won’t need to recall the passwords yourself.