Are Frequent Password Changes Actually Good for Your Security?
How often do you change your password ? We bet some of your credentials are more than a decade old.
In fact, most of us only change our passwords when a situation forces us to. Typically, that’s either when you can’t remember it, or an app or your company forces you to create a new one every few months.
So, which approach is right? Should you leave your password untouched for years, or should you change it as often as the seasons? Here are the pros and cons of changing your password too frequently.
It Makes Your Account (a Tiny Bit) More Secure
The generally received wisdom is that changing your password frequently makes your account more secure .
The argument suggests that if you’re the unwitting victim of a leak , changing your password regularly can quickly negate the details that a would-be hacker has on file.
Similarly, if someone gains access to your password without your knowledge, it prevents the person snooping on you for an extended period. It’s why IT Managers around the country are so obsessed with foisting forced resets on you every couple of weeks.
Is the argument valid? Yes, but it’s not as clear-cut as you might expect. Even on the assumption that your new passwords are as strong as the previous ones (more on that shortly), the practice has minimal benefit.
In a Carleton University paper, the researchers explained that attackers who have access to a hashed password file can perform attacks while offline. They can, therefore, test large numbers of passwords in a short amount of time. Weak- and medium-strength passwords are at risk.
The paper goes on to mathematically prove that even frequent strong password changes only hampered the attacks a negligible amount. The benefit is almost certainly not worth the inconvenience it brings to users.
Instead, the paper recommends that system administrators should use slow hash functions such as bcrypt. Users would not be inconvenienced, and the process makes it harder for attackers to guess a large number of passwords quickly.
Your New Password Is Likely to Be Insecure
I’m sure you don’t need us to tell you how to create a strong password, but the information is always worth repeating:
- Your password should use a mix of letters and numbers.
- It should use some uppercase and some lowercase letters.
- Ideally, it should contain special characters.
- It should be more than 12 characters long.
Those four points are easier said than done. Creating passwords that fulfill all the requirements — and then remembering them — takes a lot of mental energy.
So, what happens when people change their credentials too frequently? In short, they get lazy.
I ran out of password ideas so I had to change jobs.
— Busty Rusty (@RaylaRimpson) January 30, 2018
Again, it’s a scientifically proven phenomenon. In 2010, researchers at the University of North Carolina released a paper titled “The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis.” In it, they studied password histories from defunct accounts at the university.
The study looked at more than 10,000 old accounts and 51,141 passwords. The researchers performed an offline hash attack and ultimately cracked 60 percent of the credentials. From the 60 percent, 7,752 passwords were not the final password used on the account.
They then used that data set to see if they could extrapolate other passwords connected to the account. The results were amazing. In 17 percent of cases, the next password used on the account could be guessed in under five seconds.
But why? The study concluded that people tended to make very minor alterations when changing a password frequently. For example, Sausage123 might become $ausage123, hellocheese! would become hellocheese!!, and so on.
When Should You Change Your Password?
At the start, I joked that you probably have some passwords which are approaching their tenth birthday. But is that a joke?
The evidence we’ve looked at so far appears to suggest long-standing passwords might actually be a good thing. What’s the truth? You just need a bit of common sense.
Of course, if you suspect someone is accessing your account without your authorization, you should change your password. If you think someone was watching when you were entering your online banking credentials, you should change your password. If you had to “loan” your password to someone, you should change it.
And if you think you’ve accidentally become the victim of a phishing scam , you should change your password.
In all cases, you need to make sure your new password has no resemblance to the old one. Don’t use the same core word. Don’t put the same special characters in the same positions. And don’t try something like writing your old password backward.
And remember, you should also change your password across any other accounts with use similar credentials. For example, if your Facebook password is flowerpot1 and your Twitter password is 1flowerpot, you should change them both.
If you’re not sure, just follow the four fundamental guidelines we discussed earlier in the article when you make a new password.
What About Forced Password Resets?
But what about forced password resets? Is it a good idea for an app or your employer to force a new password upon you? Probably not.
In 2009, The National Institute of Standards and Technology said regular password changes were “beneficial for reducing the impact of some password compromises,” but were “ineffective for others.” And, of course, users were frequently left frustrated by the forced change. Companies need to reach a compromise between security and usability.
The Bottom Line
The arguments might sound complex, but they are easy to summarize.
- User-initiated frequent password changes might make users marginally more secure, providing the new password is highly robust.
- Enforced frequent password changes often have a negative effect, with users choosing less secure credentials.
Now we want to hear your thoughts on the debate. Are you confident in your ability to choose a secure password on a regular basis? Or are you happy using a decade-old password on all your accounts?
Remember, if you do frequently create complicated new passwords, you use a password manager app like LastPass. You won’t need to recall the passwords yourself.