When does a good password go bad?
As you say, routines for things like this are difficult to set up. If not automated, they are easily forgotten. Automation may often be the answer but it’s not always available, at least not in a convenient form.
But before we even get to that, I want to talk about the “you should change your password periodically” rule of thumb.
I disagree.
Periodic password change
There’s no reason to change your password only because time has passed. Most password-based hacks have little to do with age and more to do with bad passwords, phishing attacks, and/or keystroke loggers. For the best security, use good password hygiene to begin with. Change your password if you hear of a breach or something else that affects your account.
Password value over time
Conventional wisdom is to change your password every so often. I know of no good reason to do that. If it was ever a good guideline, it’s certainly outlived its usefulness.
There’s nothing about the age of a password that makes it lose quality over time.
The vast majority of password-based hacks are due to:
- Weak passwords
- Sharing passwords when you shouldn’t
- Phishing attacks
- Technology-based compromises like malware (especially keyloggers)
Hackers get your current password without regard to its age. It doesn’t matter whether you changed it last week or last year; they have it right now.
Periodically changing your password adds a tiny layer of security that avoids less common threats such as the compromise of an old database of accounts and passwords. These things happen, but not nearly as often as the more common compromises mentioned above. Even when they do, more often than not your password is never exposed because of how databases are maintained.
Keeping a password safe
Here’s how to keep your passwords (and accounts) safe, in priority order.
- Choose a good password.
Longer is better. If you’re still using an eight- or even a 12-character password, it’s not long enough; passwords should be at least 16 or 20 characters or longer.
- Tell no one.
I’m always surprised at how often people share passwords. Then they’re surprised when their friend is no longer their friend or their spouse is no longer their spouse and suddenly their email, Facebook, or other account is compromised.
- Don’t write it down.
Yes, make it a good password, but either make it something you can remember, so you don’t have to write it down, or use a password manager to remember it for you.
- NEVER re-use passwords.
When you re-use passwords, you allow the compromise of one account to affect all your accounts using the same password. Hackers know that people do this, and they absolutely try it to see if you’re one of those people. This may be the most common way accounts get compromised.
- If hacked, secure your account.
Remember that changing your password is not enough if your account gets compromised.
- Consider adding two-factor authentication.
For those accounts that support it, two-factor authentication prevents hackers from getting in even if they know the password.
When to change your password
There are situations where you do want to change your password, but they’re not tied to a schedule or length of time.
- Change your password if you realize you’ve selected a poor password, be it easy to guess or too short. Choose a better, more secure one.
- Change your password at the first hint of strange account activity. If your account has been hacked, doing this immediately is step one. Then take additional steps to secure your account.
- Change your password if you find out that the service has been compromised. For instance, if you read about your favorite online store getting hacked, immediately change your password there.
- If you’ve been using a service (say an email service gets hacked) as the alternate account for one of your other accounts, consider changing the other account’s password as well.
Automating the process
As you can see, I’ve concluded that a periodic password-changing routine isn’t as important as we’ve been led to believe. Perhaps you don’t agree and still want to set up a system, as our questioner did. So, how to automate this process?
The only approach I can think of is to set a reminder in your calendar. The problem is that changing your password on all your accounts (I have over 350) just isn’t practical. As a result, we skip it.
Technology is the other approach. There are systems — including Windows itself — that can be configured to require you to change your password according to a set schedule. The problem here is that most password-requiring systems don’t include this type of functionality. For example, the major free email providers do not.
The power of determination
I’ll end this with a story I’ve seen myself (and also overheard in an episode of Security Now!) as an example of how ineffectual forced periodic password changes can be.
A company had configured its Windows logins to require a new password every 30 days. It had also configured the system so you couldn’t re-use your last five passwords; you had to come up with a new one each time.
So one individual, every 30 days, would change his password six times in succession, so his current password would be forgotten by the system and he could use it again.
Yes, he changed his passwords six times in a row so he could end up with his favorite password — unchanged.
Users can be… innovative at getting what they want.
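The defender's counterpart to that story, as an added example that is not part of the article: a short Python scan over a constructed password-change audit log (one "timestamp user" line per change, an assumed format) that flags any account whose changes inside one time window exceed the five-password history depth, the minimum burst needed to cycle an old password back into use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not from the article): one line per
# password change, "ISO-timestamp user". alice performs the six-in-a-row
# trick from the story; bob and carol change passwords normally.
SAMPLE_LOG = """\
2024-03-01T09:00:10 alice
2024-03-01T09:00:41 alice
2024-03-01T09:01:05 alice
2024-03-01T09:01:30 alice
2024-03-01T09:02:02 alice
2024-03-01T09:02:29 alice
2024-03-01T11:15:00 bob
2024-03-12T08:30:00 carol
2024-03-30T17:45:00 bob
"""

HISTORY_DEPTH = 5  # policy from the story: the last five passwords are blocked


def parse_log(text):
    """Return (timestamp, user) tuples, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # tolerate junk lines rather than abort the scan
        events.append((datetime.fromisoformat(parts[0]), parts[1]))
    return events


def find_history_cycling(events, history_depth=HISTORY_DEPTH,
                         window=timedelta(minutes=15)):
    """Map user -> change count for users who changed their password more
    than history_depth times within one sliding window, i.e. enough to push
    a favourite password out of the history list and set it again."""
    per_user = defaultdict(list)
    for ts, user in events:
        per_user[user].append(ts)
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1  # extend the window as far as it reaches
            if j - i > history_depth:
                flagged[user] = j - i
                break
    return flagged
```

Normal users never come close to the threshold, so a hit is worth a conversation rather than an alert storm; the more durable fix is to drop the expiry rule the user is working around.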
Do this
Use good password hygiene, of course. I’ve described what I mean by that above. But there’s no need to change your password because time has passed.
For the average person this has become an unmanageable nightmare. I have passwords written in my day planner and even stuck to my laptop. I have so many and have been forced to change passwords so much that I don’t have a choice. I think the forced password change is a horrible idea and it only forces people to keep writing them down, which makes them unsafe (DUH). It is a complete waste of my time and I suspect is probably just keeping some tech geeks employed…. Please stop the madness, I HATE IT!!!!!!
I agree that forced password changes are bad, but you can protect yourself against the problems by using a password manager like LastPass or, as some prefer, KeePass.
In Mark Burnett’s book “Perfect Passwords: Selection, Protection, Authentication” (https://amzn.com/1597490415), he relates the tale of a company constantly being targeted by “crackers” (the “correct” term for “hackers”); the personnel had strong passwords, but because users were changing their passwords piecemeal, and because the crackers always had at least one password that worked, the crackers were able to leverage their way back into the system. Solution? Every employee (all 500 of them!) had to change ALL of their passwords on the SAME DAY! That did lock the intruders out (and I can only imagine their growing frustration as they found account after account closed to them); but this is the only sort of occasion where I can see such a massive password change being truly necessary (one wonders what kind of security that company had, that required such an extreme measure in the first place).
Leo, you mention “Tell no one,” and emphasize the need to keep one’s password a secret. Unfortunately, things aren’t always that simple. There may be a legitimate need to share one’s password in order to grant temporary access. What truly astonishes me is that those who do this so often fail to take the basic and rudimentary step of changing their password afterwards!
Folks, if you must grant temporary access to an account, please do the obvious! Either —
1. Log in beforehand, out of the other person’s sight, so he or she never learns your password; OR,
2. Log in with the person present, then change your password after he or she leaves; OR,
3. Change your password BEFORE the person arrives, log on with that new password while the person is present, then change the password back to your previous one again (assuming the system will LET you!) after the person leaves.
Whenever at all possible, I greatly prefer to use either (1) or (3), because those two will let you keep your original password intact. :)
Hope this helps!
“Leo, you mention “Tell no one,” and emphasize the need to keep one’s password a secret. Unfortunately, things aren’t always that simple.”
I totally get that, and indeed don’t follow my own rules to the letter. (My wife knows many of my passwords, for example, and other friends have trusted me with theirs as I’ve helped them out with things.)
I publish that hard line, though, because too many people are much too quick to share with others when they shouldn’t. I want it to be a well considered decision, if they do, including the steps you list for regaining privacy thereafter.
I know you are joking but there are only about half a dozen reputable password managers. 1Password, Bitwarden, LastPass (not so reliable anymore), KeePass, RoboForm, DashLane, Keeper, LogMeIn, and maybe a couple more.
And a program called Password Safe. It was originally written by Bruce Schneier and is now maintained by Rony Shapiro.
Yeah, I have been using Password Safe (pwsafe dot org for the Windows version) since probably around 2007 or so, and the Windows database works fine on Linux too (the Linux version is here: sourceforge.net/projects/passwordsafe/files/Linux/ ). I have had no issues with it; it just works. And, to state the obvious, make sure to make backups of the database file, so that if your main file ever gets corrupted or lost from, say, a hard drive crash, etc., you can easily restore your Password Safe database file from the backups.
Also, to further harden the Password Safe database file a bit, I suggest Options > Security, then raise the ‘Unlock Difficulty’ slider a bit higher (I use roughly 25% higher than default). This increases the time it takes to open the database file, but unless your computer has a really slow CPU it only adds a small delay before opening after you enter your password to access the database. But this probably does not matter all that much, especially if your master password is very secure. If it’s only moderately secure, I suspect it could help against brute force attacks should someone try to crack your Password Safe database file, since it will slow the number of passwords they can test in the same amount of time; if this is slowed down enough, as long as your password is not horrible, chances are it won’t be cracked. But I suspect it’s not likely someone would try to brute force your Password Safe database file in general unless a person stores it online, in which case it’s possible it will help. But if I was storing the Password Safe database file online I would definitely run it through AT LEAST one other encryption program with a password that’s guaranteed secure (i.e. Diceware (with, say, a 10-word password, which is 129 bits of entropy) and the like), etc.
I have been using RoboForm for the last 15 years, but unfortunately its utility for me has diminished, as my browsers mostly no longer support it now that web-extensions are out of favour. I’d be interested to know if any of the others still work on most browsers, and also if you have any views about using form-fillers built into browsers.
Extensions aren’t falling out of favor, from what I’ve seen. Not sure what’s leading you to that conclusion.
Lastpass continues to work across multiple browsers for me. I’m not a fan of browsers remembering things for you — more here: https://askleo.com/browser-remember-passwords/
I agree with Leo that extensions still work and are in use.
I, too, have used Roboform for the last 10-12 years and I find it works with all of my browsers. I use Chrome, Edge, occasionally, IE, and, rarely, Foxfire. I also have it as an app on my Samsung S9 (and my iPhone before that). I’ve never had an issue with Roboform. In fact, the recent incarnations and upgrades have polished it to the point that I can see no reason to consider any other manager – although I have been looking at LastPass. For now, I am quite content.
One of the reasons I left Roboform years ago is that they had no export, for backing up or for exporting into other tools. Has that changed?
How about a “Computer” changing password? Like selecting the first three letters of the current month with the second in Uppercase while the others in lower, then the first four digits of the year, in reverse order, and then selection of special characters (#* ) in four random selection of order, with the randomity being according to the chosen email account??
I think you may help many of your readers doing that, which will be difficult for hackers to do, and especially that the randomness changes with the selected computer (from one laptop, to another, to a desktop, etc.).
It’s an interesting algorithm, but I’m not sure how it helps, or applies to the topic of this article?
Uncle Sam hasn’t gotten the message about passwords. The Department of Defense still requires changing passwords every 150 days, even when using 2FA. Until recently, the Social Security Administration had a similar requirement. They now use Login.gov or ID.me.
I use Bitwarden and max out most of the passwords. I only change them if I get informed about a breach. What I’m surprised by is some sites still limit the number and types of characters even today. I have several that are only 8 characters, letters and numbers only. Fortunately those sites don’t have any financial information of mine that would be of any use.
Bureaucracy is a necessary evil, with an emphasis on evil.
NIST officially changed their stance on routine password changes in 2019 (see the 4th bullet point in this ISACA article):
https://www.isaca.org/resources/isaca-journal/issues/2019/volume-1/nists-new-password-rule-book-updated-guidelines-offer-benefits-and-risk
Most people just add a 1 or ! at the end of their current password, and hackers know this, so it doesn’t stop them from getting in.
Leo,
I just noticed your reply comment to my comment of 11/10/2020 (yes, I reread all the old comments; slow day …).
I just checked my copy of Roboform and they do offer an Import/Export function. It is located in the “Account and Data” section of the Options menu. Of course, this might have been for an update subsequent to 2020 when the original article was published.
Keep on keepin’ on …
Ed Kant
Naples, FL
My solution (?) is to:
1) create a Word file
2) holding all my usernames and passwords,
3) unique passwords created by random-generators
4) like 4s8s9DfG4xFF&0$H&ds^,
5) the Word file updated whenever a password is changed or created,
6) the Word file stored on three small thumb drives,
7) one hidden at arm’s length from my computer,
8) the other two, backups of course, hidden in our house where a burglar would never find them.
I recognize this may not work for everyone. For example, I don’t do computing outside the house nor ever on the phone. Our house is all-electric, so no chance of a gas fire. I live across the street from a fire hydrant and only a mile from our town’s fire house.
Lot of problems with my plan, I know, but it’s worked for me so far. One day, though, I’m going to look into BitWarden.
You should, at least, encrypt your thumb drive and keep an encrypted copy with a friend or relative. You can also keep an encrypted copy in Dropbox or OneDrive. But a password manager is easier and safer.
Leo, how true your article is. I used to work at a place that insisted we change our password once a month; guess what, most of us used our favourite password with a number at the end which we incremented each month. Now that I am retired, I use a password manager with a unique and unmemorable password for each account. Use 2FA where possible and only change a password where there has been a breach.