I read many articles (including some on Ask Leo!) that recommend that people should change their passwords from time to time. But what is good practice in this respect? Should it be related to frequency of use? For instance, some passwords are used frequently, some less often, and some rarely. Or should it be related to the level of security needed? For instance, passwords for online banking are more sensitive than passwords for magazine subscriptions.
Good practice in a corporate environment seems to be to force network and other password changes every 30 days or so. This would seem to be overkill in the home environment as it could result in some accounts being accessed more often to change a password than to do anything else.
Unless you get into a good routine, like when you do data backups, password changes will only get done sporadically, if at all.
Do you have a view on how to build such a good routine?
As you say, routines for things like this are difficult to set up — and if not automated, they are easily forgotten. Automation may be the answer in many cases, but it’s not always available, at least not in a convenient form.
But before we even get to that, I want to talk about the “you should change your password periodically” rule of thumb.
Become a Patron of Ask Leo! and go ad-free!
There’s no reason to change your password periodically only because time has passed. Most password-based hacks have little to do with age and more to do with bad passwords, phishing attacks, and/or keystroke loggers. For the best security, use good password hygiene to begin with. Change your password if you hear of a breach or something else that affects your account.
Password value over time
Conventional wisdom is to change your password every so often.
I know of no good reason to do that.
There’s nothing about the age of a password that makes it lose quality over time.
The vast majority of password-based hacks are due to weak passwords, sharing passwords when you shouldn’t, phishing attacks, and technology-based compromises like malware (especially keyloggers). They get your current password, without regard to its age. It doesn’t matter whether you changed it last week or last year; they have it right now.
Periodically changing your password adds a tiny layer of security that avoids less common threats: the compromise of an old database of accounts and passwords, perhaps. These things do happen; just not nearly as often as the more common compromises above. Even when they do, more often than not, your password is never exposed because of the way the databases are maintained.
Keeping a password safe
Here’s how to keep your password and account safe, in priority order.
- Choose a good password.
Longer is better. If you’re still using an eight-character password, it’s not long enough; passwords should be at least 12 (ideally 16 or even 20) characters or longer.
- Tell no one.
I’m always surprised at how often people share passwords. Then they’re surprised when their friend is no longer their friend or their spouse is no longer their spouse, and suddenly their email, Facebook, or other account is compromised.
- Don’t write it down.
- Don’t re-use passwords.
When you re-use passwords, you allow a compromise of one account to impact all your accounts using the same password. Hackers know that people do this, and they absolutely try it to see if you’re one of those people.
- If hacked, secure your account.
Remember that changing your password is not enough if your account gets compromised.
- Consider adding two-factor.
When to change your password
There are situations where you do want to change your password, but they’re not tied to a schedule or length of time.
- Change your password if you realize you’ve selected a poor password, be it easy to guess or too short. Choose a better, more secure one.
- Change your password at the first hint of strange account activity. If your account has been hacked, doing this immediately is step one. Then take additional steps to secure your account as well.
- Change your password if you find out that service has been compromised. If you’ve been using that service as the alternate account for one of your other accounts, consider changing the other account’s password as well.
Automating the process
So, how to automate it?
The only approach I can think of is to set a reminder in your calendar. The problem is that changing your password on all your accounts (I have something like 350 listed in LastPass) just isn’t practical. As a result, we skip it.
Technology is the other approach. There are systems — including Windows itself — that can be configured to require you to change your password according to a set schedule. The problem here is that most password-requiring systems don’t include this type of functionality. For example, the major free email providers do not.
But as you can see, I’ve come to the conclusion that a periodic password-changing routine isn’t as important as we’ve been led to believe.
The power of determination
I’ll end this with a story I’ve seen myself (and also overheard in an episode of Security Now!).
A company had configured its Windows logins to require a new password every 30 days. It had also configured the system so you couldn’t re-use your last five passwords; you had to come up with a new one each time.
So one individual, every 30 days, would change his password six times in succession, so his current password would be forgotten by the system and he could use it again.
Yes, he changed his passwords six times in a row so that he could end up with his favorite password — unchanged.
Users can be … innovative … at getting what they want.