
Is a Periodic Password Change a Good Thing?


I read many articles (including some on Ask Leo!) that recommend that people should change their passwords from time to time. But what is good practice in this respect? Should it be related to frequency of use? For instance, some passwords are used frequently, some less often, and some rarely. Or should it be related to the level of security needed? For instance, passwords for online banking are more sensitive than passwords for magazine subscriptions.

Good practice in a corporate environment seems to be to force network and other password changes every 30 days or so. This would seem to be overkill in the home environment as it could result in some accounts being accessed more often to change a password than to do anything else.

Unless you get into a good routine, like when you do data backups, password changes will only get done sporadically, if at all.

Do you have a view on how to build such a good routine?

As you say, routines for things like this are difficult to set up, and if not automated, they are easily forgotten. Automation may be the answer in many cases, but it’s not always available – at least not in a convenient form.

But before we even get to that, I want to talk about the “you should change your password periodically” rule of thumb.

I disagree.


Password value over time

Conventional wisdom is that you should change your password “every so often”.

When I sat down to think about why, I couldn’t come up with a good reason.

There’s nothing about the age of a password that necessarily makes it lose its quality over time.

The vast majority of password-based hacks come from weak passwords, from sharing passwords when you shouldn't, and from technology-based compromises such as viruses and keyloggers. All of these get your password right now, regardless of its age. Whether you changed it yesterday or last year, the attacker simply gets your current password.

And, as I said, these are probably the most common forms of individual password theft.

Periodically changing your password can add a small layer of security against some less common threats. Someone might steal an old database of accounts and (hashed) passwords and crack it offline months later; a password you changed after the theft is worthless to them, so rotation limits how long a leaked password stays useful. Or someone might find your notebook from last year where you'd scribbled your passwords down. These kinds of things can and occasionally do happen, just not nearly as often as the more common compromises above.

Keeping a password safe

The steps to keep your account safe with respect to your password would be, in priority order:

  1. Choose a good password. Longer is better. If you’re still using an eight-character password, it’s not long enough; passwords should be at least 12, and ideally 16, characters long.
  2. Tell no one. After starting Ask Leo!, I was surprised to learn how often people that shouldn’t share passwords frequently do. Then they’re surprised when their friend is no longer their friend, or their spouse is no longer their spouse, and suddenly their email, Facebook, or other account is compromised.
  3. Don’t write it down. Yes, make it a good password, but either make it something that you can remember, so that you don’t have to write it down, or use a password manager application (like LastPass) to remember it for you.
  4. Don’t use the same password on multiple sites. When you do, you allow a compromise of one account to impact all your accounts using the same password. Hackers know that people do this, and they absolutely do try to see if you’re one of those people.
  5. Remember that changing your password is not enough if your account gets compromised. While they had access, the intruder may have changed your recovery address, security questions, or other settings so they can get back in; check those too.
  6. Consider adding two-factor authentication to further protect important accounts.

And I’ll admit it here publicly: I use about five type-in passwords (along with many completely obscure passwords that I never type – like ‘ir8zD16vBdtqr5L’ – which are remembered only by LastPass). The oldest and “least secure” password that I actually type in is at least 15 years old. The newest and most secure, perhaps only two years. And yes, I am transitioning to different and stronger passwords everywhere.
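To put numbers behind "longer is better" and the 12-to-16 character advice above, here is an added example (not code from the article or from any password manager) that generates a random password the way a manager does and estimates how long an offline guessing attack would need at a given speed. The 10 billion guesses per second figure is an assumption chosen to represent a GPU rig against a fast, unsalted hash; the formula gives an upper bound that only holds for uniformly random passwords, and a human-chosen password of the same length is weaker.

```python
import math
import secrets
import string

# 62-symbol alphabet: what a password manager typically generates (e.g. 'ir8zD16vBdtqr5L').
ALPHABET = string.ascii_letters + string.digits


def generate(length: int, alphabet: str = ALPHABET) -> str:
    """Uniformly random password drawn from the OS CSPRNG (never random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def alphabet_size_of(password: str) -> int:
    """Size of the smallest union of standard character classes containing the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 ASCII symbols
    return size


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing entropy of a *uniformly random* password. A human-chosen password of
    the same length and alphabet has far less, so treat this as an upper bound."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for an offline attack: on average half the space is searched."""
    return 2 ** (bits - 1) / guesses_per_second


def compare_lengths(lengths=(8, 12, 16), alphabet=ALPHABET, guesses_per_second=1e10):
    """Entropy and expected crack time for random passwords of each length.
    1e10 guesses/s is an ASSUMED rate (GPU rig, fast unsalted hash), used only for comparison."""
    rows = []
    for n in lengths:
        bits = entropy_bits(n, len(alphabet))
        secs = expected_crack_seconds(bits, guesses_per_second)
        rows.append({"length": n, "bits": round(bits, 1), "years": secs / (365.25 * 86400)})
    return rows


if __name__ == "__main__":
    print("example password:", generate(16))
    for row in compare_lengths():
        print(f"{row['length']:>2} chars  {row['bits']:>5.1f} bits  ~{row['years']:.3g} years")
```

Run it and the gap is stark: at the assumed rate an 8-character random password falls in hours, 12 characters takes thousands of years, and 16 characters is out of reach. A slow, salted password hash on the server side cuts the guess rate by orders of magnitude, which is why the length you need depends on the site as well as on you.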

When to change your password

There are some situations where you definitely do want to change your password, but they’re not tied to any schedule or length of time.

  • Change your password if you realize that you’ve selected a poor password – be it easy to guess, or too short. Choose a better, more secure password.
  • Change your password at the first hint of strange activity on your account. If your account has been hacked, doing this immediately is step one. Then take additional steps to secure your account as well.
  • Change your password for an account if you hear reports of, or are notified by, that service having been compromised. If you’ve been using that service as the recovery (alternate) address for one of your other accounts, consider changing that other account’s password as well, since whoever controls the recovery address can reset it.

Automating the process

So, how to automate it?

The only blanket approach I can think of is to simply set a reminder in your calendar and do it. The problem is that changing your password on all your accounts (I have something like 350 in LastPass alone) just isn’t practical. As a result, we skip it.

Using technology is the other approach. There are systems – including Windows itself – that can be configured to require that you change your password on a set schedule. The problem here is that most systems that require a password don’t include this type of functionality. For example, the major free email providers do not.

I don’t really have a good solution on “building a good routine”, as you put it.

But as you can see, I’ve also come to the conclusion that perhaps that routine isn’t really as important as we’ve been led to believe.

If I’ve missed something, by all means leave a comment. Password management is too important a topic not to make sure that these kind of assumptions are correct.

The power of determination

I’ll end this with a story I’ve seen happen (and have also overheard in an episode of Security Now!):

A company had configured its Windows logins to require a new password every so many days (30, 60, or 90 days seems to be common; I’ll say 30 for example’s sake). It had also configured the system to require that you not re-use your last five passwords. You had to come up with a new one each time.

So one individual, every 30 days, would change his password six times in succession so that his current password would be forgotten by the system and he could use it again.

Yes, he changed his passwords six times in a row, so that he could keep his favorite password unchanged.

Users can be … innovative … at getting what they want. (Windows and most other systems with password history also have a “minimum password age” setting that refuses a second change within a day; that is the setting which stops this trick, and evidently the company hadn’t turned it on.)
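The story above as a small simulation, added here and not taken from the article or from Windows: an account under a 30-day expiry policy that remembers the last five passwords, the “change it six times” trick run against it, and the two controls that defeat the trick, a one-day minimum password age and a check that the new password is not just the old one with a different suffix. The policy numbers are the story’s; the minimum age, the suffix check, the throwaway passwords and the PBKDF2 settings are this example’s own assumptions.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

HISTORY_DEPTH = 5                   # "you may not re-use your last five passwords"
MAX_AGE = timedelta(days=30)        # forced change every 30 days
PBKDF2_ROUNDS = 20_000              # kept low for the demo; use far more in production

# Distinct throwaway passwords the user burns through (constructed for this demo).
THROWAWAYS = ["glacier7", "harbor3", "lantern9", "meadow4", "quartz8"]


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _stem(password: str) -> str:
    """Case-folded password with trailing digits/punctuation removed, so that
    'spam0410' and 'spam0510' share the stem 'spam'."""
    return re.sub(r"[\d\W_]+$", "", password).lower()


class PolicyError(Exception):
    pass


class Account:
    """One user's password state under an expiry/history policy."""

    def __init__(self, password: str, now: datetime, min_age: timedelta = timedelta(0)):
        self.salt = os.urandom(16)
        self.history = [_hash(password, self.salt)]   # history[-1] is the current password
        self.last_change = now
        self.min_age = min_age                         # zero reproduces the story's policy

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self.salt), self.history[-1])

    def must_change(self, now: datetime) -> bool:
        return now - self.last_change >= MAX_AGE

    def change_password(self, old: str, new: str, now: datetime) -> None:
        if not self.verify(old):
            raise PolicyError("current password incorrect")
        if now - self.last_change < self.min_age:
            raise PolicyError("minimum password age not yet reached")
        if _stem(new) == _stem(old):
            raise PolicyError("new password is the old one with a different suffix")
        digest = _hash(new, self.salt)
        if any(hmac.compare_digest(digest, h) for h in self.history[-HISTORY_DEPTH:]):
            raise PolicyError("password is one of the last %d used" % HISTORY_DEPTH)
        self.history.append(digest)
        self.last_change = now


def cycle_back_to(account: Account, favourite: str, now: datetime) -> int:
    """The story's trick: change HISTORY_DEPTH times to push the favourite out of the
    remembered list, then once more back to it. Returns the number of changes made;
    raises PolicyError if the policy stops the sequence."""
    current, changes = favourite, 0
    for throwaway in THROWAWAYS[:HISTORY_DEPTH]:
        account.change_password(current, throwaway, now)
        current, changes = throwaway, changes + 1
    account.change_password(current, favourite, now)
    return changes + 1


def demo() -> dict:
    t0 = datetime(2010, 5, 5)
    expiry_day = t0 + MAX_AGE
    favourite = "Rosebud-1941!"
    results = {}

    # 1. The story's policy (history only): the trick succeeds in six changes.
    story = Account(favourite, t0)
    assert story.must_change(expiry_day)
    results["changes_needed"] = cycle_back_to(story, favourite, expiry_day)
    results["favourite_restored"] = story.verify(favourite)

    # 2. Same policy plus a one-day minimum age: the second change in a row is refused.
    strict = Account(favourite, t0, min_age=timedelta(days=1))
    try:
        cycle_back_to(strict, favourite, expiry_day)
        results["min_age_error"] = None
    except PolicyError as err:
        results["min_age_error"] = str(err)

    # 3. The other classic dodge, 'spam0410' -> 'spam0510', is caught by the stem check.
    try:
        story.change_password(favourite, "Rosebud-1942!", expiry_day)
        results["suffix_error"] = None
    except PolicyError as err:
        results["suffix_error"] = str(err)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The stem check can only compare against the old password because the user types it in at change time; the stored history holds only hashes, which is also why a history list alone can never tell “Summer2010” from “Summer2011”. Note that the minimum age is a double-edged control: it also stops a user who genuinely wants to change a password they suspect is compromised, so most systems let an administrator override it.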


105 comments on “Is a Periodic Password Change a Good Thing?”

  1. Since it’s been advocated that no two accounts should share the same password, many folks are using password managers like RoboForm or PassKeeper. With so many websites requiring registration it’s understandable that you have 350 passwords in RoboForm. These passwords are randomly generated and not even you know what they are. What happens if the RoboForm, PassKeeper, etc software crashes or otherwise gets hosed? What happens if the company goes belly up? What safety features are used to ensure that you would be able to retrieve a company generated password and access the specific account? Or are the accounts not important and you wouldn’t care if you couldn’t access them?

    First, I’m not a huge fan of using the features where they store your information “in the cloud” on their servers. I always store locally on my own PCs so that if there is a problem with their servers – or they go away completely – I still have access to my data.

    Most tools provide a way to create a print out of your information. Do that periodically and keep it in a safe place and you’ll have a backup for most all of the scenarios you mention.

    Finally, I happen to store my Roboform data unencrypted by Roboform but within an encrypted TrueCrypt volume. That way if Roboform itself fails to work one day I can still see the contents of the pass cards it’s saved for me.

    Leo
    05-May-2010

  2. Reading through the last bit, reminds me of when the office network did exactly that – at the end of each month, we were all asked to change our passwords before we logged in (and couldn’t repeat passwords). Some people resorted to simply adding the month/year code on the end of whichever password they liked (e.g. spam0410)

  3. This is a great piece. I wish corporations would NOT make you change strong passwords every 30 or 60 days. As you said, if it's good, it's good. If you have to log into 4-5-6 business related systems a day and the password changes periodically, mixing them up happens. And after 3 tries you’re locked out… and then you go through IT to reset and you can’t use one you’ve already used.

    What do you do? Exactly what you’re told not to do. Write them down.

  4. I listened to the most recent “The Malware Report” podcast yesterday, titled “Microsoft Researcher says ‘Don’t Change Your Passwords'”. They were talking about an article they had read, referring to some Microsoft guy questioning the wisdom of “change your passwords regularly”. They didn’t have the original person’s paper/report, however.

    Any chance it was you?

    I don’t think so. It’s not something I’ve written about before.

    Leo
    05-May-2010

  5. A good suggestion I got from something I read said to come up with a character string that included a letter, a number and a special character that would be easily committed to memory. Then merge that character string with several letters of the site to which it applies – perhaps the first and third characters of the site name. Then determine how you would always merge the two letters and the character string – maybe it would be first letter of site, third letter of site and the character string – or maybe the other way around. However one does it, the password will be unique and not easily decoded by anyone else.

  6. A good password is only step 1.
    Another common hacking / phishing method is to use the ‘forgot password’ link to get access to a site. At that point, publicly available information (city born in, year of HS graduation, mother’s maiden name, etc) can be used to answer the questions.

    Some sites (like banks and other such software) only email you a password change link regardless of how well you answer your questions. Other sites, after answering the questions, let you set the password there on the site. If there is sensitive data in that account, it could be utilized to get other accounts.

    And there are sites that, after answering the questions, display in plain text the password saved on their system (I have never understood the reasoning behind this). It is sites like these that you do NOT want to use the same password as any other system.

  7. I have never practiced periodic password change. Security measures must be tested on the cost-benefit principle because there is no such thing as perfect security. In most situations periodic password change offers little or no additional security, I think.

    I figured you wouldn’t be a fan of frequent password changes because the argument against it is, I think, similar to the argument against outbound firewalls.

  8. I take your point on the most common password hacks, though I thought the thinking behind doing regular changes was that the more often you use a password, the greater the risk of it being compromised, perhaps through eventually using it on a computer/network you don’t know to be secure, or simply from shoulder surfing. But I guess that when you get down to it, these are just variations on the most common hacks you referred to.

  9. Draconian password change policies can backfire. The most common result is that the user keeps a written list of passwords or even a file of them. At a large semiconductor company about 15 years ago the policy was to change every (I think) 70 days and you could NEVER reuse a previous password. This practically required that you keep a list of every password you had ever used. And more than a few people had a sticky note with the current one on their monitor. I went to a date based scheme that used variants of YYYYMMDD (or MMDDYYY or DDMMYYYY) with substitutions among, for instance, 2 Z z, 6 b g, 0 @ O o, 1 l |, 3 E, 8 H, 9 P, etc. This produces a quite strong 8 character password such as Z@loos1l (as one of MANY variants) based on 20100511. It also had the advantage of never repeating.

  10. I can think of one good reason to change your passwords and then only if they weren’t random to begin with. The scenario is when you know someone is targeting you and your accounts. Going through a nasty breakup or divorce might be two examples or just someone intent on doing you harm. So, if you suspect you’re being targeted and you haven’t used a random password my advice would be to change those passwords to random ones…and start using RoboForm.

  11. The most common mistake I see my friends make is to use the same password for several – or even dozens – of accounts. If a Hacker compromises one, he’ll compromise many.

    The only solution I’ve come up with is to use a handful of passwords, or come up with a password naming convention that could be unique to each client.

    Thoughts?

  12. I started changing all of my passwords after I realized I kept using the same three over and over. Now I have a unique password for every single site. I know each and every one, and nothing is written down. I have my own ‘formula’. Using the Ask Leo website as an example: I take the website name and 1-use the first 4 letters of the name, ex: askl 2-always followed by a word only I know, but backwards (Friday becomes yadirF) 3-finish with a specific set of numbers 1212. So this example would be: asklyadirF1212. For the next website, I only need to change the first four letters, keeping the rest (microsoft becomes micryadirF1212). Unique for every website, unguessable, uses great mix of letters/case/numbers. This has been working like a charm for me!

  13. I’m one of those people who use the same password for everything, but with a slight variation for each. I use what I call my “usual 6” letters and numbers but add something that relates to each instance. Example: I have two bank accounts and I use the last two digits of each account number plus my “usual 6” for the password. The only way someone can access the account is if they already know the account number, in which case the password doesn’t really matter.

  14. You mentioned Roboform a couple of times in the recent newsletter. I happen to use Roboform and like its ease of use. Along with revising passwords as a hassle is the “new” trend of some sites of using “security” questions to add a layer of protection. I find this extremely annoying as it precludes the use of Roboform for logins. Is there any way around this annoying new process?

    • Storing security question answers in Roboform: Use the Notes box at the bottom of the page. This does require opening the passcard, though, so the sign in is interrupted.

  15. Changing passwords regularly can be useful in a corporate environment. A lot of the people most likely to want to harm the company are ex-members of staff who might be able to get a password or two out of people while they work there. Forcing users to change the password negates some of that risk.

    At home, my wife uses an algorithmic approach. A combination of a strong password and numbers that are derived from the domain name of the website she’s logging into. That way each website has its own unique secure password but you don’t have to remember dozens of them individually.

  16. But what if one does not have any sensitive data on his computer? Is the risk of someone breaking into the system worth bothering about? I admit that one has to be extremely careful with bank accounts and/or on-line payments. But that’s about it, I suppose. Or am I missing something?
    Also…
    Is one any safer using LINUX rather than MS?

    My guess is that you have more things on your computer that are ‘sensitive’ than you realize. If you really, truly don’t care that someone might see everything on your computer and all the email, website and other accounts you might access via that computer, then of course … why bother with a password at all.

    (Linux tends to be safer simply because the vast majority of malware is targeted at Windows.)

    Leo
    14-May-2010

  17. Perhaps I’m nuts, and if so, please explain it to me. Personally, I have the same user name [robertp] and the same password on countless web sites like this one, and many forums, online newspapers, etc. I really don’t care if anyone has it. What’s the harm?

    But I do use complex passwords for email, banking, credit cards, etc–things that really could hurt if compromised. But they are still simple enough to remember. “My Mothers Name is Betty”, or MMNIB, or MmNiB, or injected with alternating numbers, M1m2N3i4B5. Once you decide on a basic format, there is no end to the combinations, and you never have to write them down.

    The harm is that someone might gain access to those forums and sites and impersonate you.

    Leo
    14-May-2010

  18. I’ll admit to using a few common variations on a theme password so you can remember it saga. I have seen it mentioned using Roboform, but have not tried the free version yet. GRC.com claims to have unbreakable encrypted passwords it can generate for you, (good luck remembering the string of characters it generates), but I think the real key is: Don’t share a sensitive password linked to sensitive information. Don’t have it written down. If you think it has been compromised, change it!

    I do take issue with a few sites I have signed up with, and they send a confirmation email showing the log on ID and Password in plain sight! This seems a contradiction to keeping your password safe! If I use what I feel is a great, safe, reusable password; well, that’s no longer the case if you had spyware looking for saved or exposed passwords… or somebody or some program snooping your email. I am curious; would Roboform still protect you in that scenario?

    • I agree that sending you a username and password by email (which is hardly likely to be secure) is not the course of wisdom – unless you have the option to change it after first login. I am a database manager and I always urge members to change their password after recovering their information from me.

  19. Password management has been big trouble for me. I go with the philosophy of choosing really strong passwords that include capitals, numbers and characters. Actually to make them easy to remember you need to use a passphrase like: MyD0g1sWh1t& = my dog is white. Simple rules: all words start with a capital, i becomes 1, o becomes 0 (zero), e becomes &. You can make longer phrases, replace a with @, s with 5, e with 3… I use a great tool called KEEPASS to track all my login details. It’s Open source/free and it’s encrypted. It creates a password vault and I backup the vault file. This has really changed my life as it allows me to keep track of less frequently used Passwords. It also helps build strong passwords with its evaluation score.

  20. Of course we should avoid obvious passwords such as birthdate or (heaven forbid) Social Security Number, child’s or spouse’s name, etc. etc. And changing the word from time to time is probably a good idea. It’s best not to use the same password everywhere, because if someone finds out what it is, he/she can get a LOT of information fast. Usually that’s not possible, because many sites have particular criteria for passwords. One of my pet peeves is telling a user to create a password, then after one does so, it says “you have to have an upper-case letter, a number, a this, a that” – why didn’t they say so in the first place?

    For me, an important factor is having a password that is easy to TYPE as well as remember – otherwise it will be mistyped, or take forever to type correctly. The gobbledy-gook random sequences aren’t very easy to type, so I avoid using them. But I’ll keep in mind taking an unusual word, and using a misspelling of it.

  21. My internet provider knows my password, as well as my internet bank. If they’re corrupt, they can sell my confidentials, or am I mistaken?

    You’re correct. You need to choose your ISP and Bank carefully.

    Leo
    14-May-2010

  22. I am a very musical person. As a result I was using song title for passwords. Most people would most likely not know what song it was, but now I use the first letter of each word in a certain section of the song and my ‘forgot my password’ key is the song title.

    I have used random generators, and they are great but I cannot remember them.

  23. I’ve already posted, but after reading everyone else’s comments, all I can say is, some of the schemes for creating passwords are WAY TOO COMPLICATED TO USE! Whatever system one uses – and a personal one might be better than a “technical” one – it has to permit one to create and use passwords without too much time, hassle, and complexity, or one will revert to the easy ones. I’ve gotten some ideas here, but doubt my passwords will ever be like some of the ones I’ve seen as examples. For some of the more secure ones, such as for a credit card, I happen to have memorized them, but if I get hit by a truck, my executors could find the password in the file folder for Visa, etc. in my file cabinet. The chances anyone can access my tangible files are remote. Another idea I’ve used is to create passwords out of foreign languages.

  24. RE “changed his passwords 6 times in a row, so that he could keep his favorite password unchanged”
    ha ha, that’s great, stick it to the idiot IT department! Not that they’re all idiots, but C’MON people, don’t you realize you are simply forcing people to write down their passwords somewhere near their desk, thereby making the whole thing LESS secure.

  25. Thanks for pointing out the significance of good passwords. I personally use a couple of different ones, and find it easy to remember which password goes with which site because I know it

  26. I know writing down passwords is a bad idea, but when you have 100 different ones it’s difficult to remember them all. And using the same password for all log-ins is also a bad idea. If someone hacks a website and gets your login info they will also have access to all your other password protected info.

    You should consider using a password tool like Roboform.

    Leo
    15-May-2010

  27. Situations that compromise passwords differ between workplace and home. I frequently use my password at work in the presence of fellow workers. My employer’s enforced password policy makes sense. At home that would just be an inconvenience.
    However password changes would certainly be appropriate if you were online at the local cafe. Might I suggest fear based, rather than schedule based, password changes. Have a quintet of passwords memorized, and if you get suspicious, flip. Maybe every once in a while rotate something new into the lineup.

    I’m very reluctant to endorse a “fear based” approach. My experience here is that too many are overly fearful when they need not be, and not fearful enough when they should.

    Leo
    15-May-2010

  28. (1) I tend to think that the frequency with which one should change a password should be directly proportional to the importance of what it protects.

    (2) Using the same password for everything is very dangerous because, if someone guesses it or somehow obtains it, now they have access to your everything. I don’t even use the same user name for everything. Every account gets a different user name and a different password, especially financial stuff. That way one cannot even tie ownership across “domains”

    (3) I don’t use easy to remember passwords for anything except my password manager and for that I have one not even my mother would guess. All other passwords are totally random.

    (4) Back to the importance of what a password protects, I don’t consider how often I access an account a factor. What I think is “if someone cracked security and obtained this or that entity’s passwords, how long do I want to give them to raid my account”. The answer to that determines how often I change my password. High balance accounts, once a week. Web based eMail accounts, rarely.

  29. I appreciate your thoughts on changing passwords Leo. I teach technology and among my classes is a 2 hour class on Internet Security. I’ve also been thinking about the reasoning behind changing passwords and like you, I couldn’t think of any strong reasons to include that practice in my class.

    Here are a few good articles on the current state of passwords.

    Bruce Schneier spends a lot of time thinking about security & passwords. He’s also the creator of a free, open source password manager called Password Safe. Although this article goes back to 2007 it really opened my eyes to the automated side of password cracking.
    http://www.schneier.com/blog/archives/2007/01/choosing_secure.html

    This article is from the Carnegie Mellon School of Computer Science about choosing good passwords and includes a couple of interesting techniques to do it.
    http://www.cs.cmu.edu/~help/security/choosing_passwords.html

    A recent article by Georgia Tech Research Institute (GTRI) about new hardware developments that could alter password security:
    http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics-Processing-Units-GPUs-Password-Security-System

    And a CNN article about GTRI & their research that includes additional information:
    http://www.cnn.com/2010/TECH/innovation/08/20/super.passwords/index.html

    Dave (at) TechTeachToo.com

  30. I’ve recommended this title before, and I’ll recommend it again:

    “Perfect Passwords: Selection, Protection, Authentication” (Paperback, 2005)
    By: Mark Burnett (Author) & Dave Kleiman (Technical Editor), $22.18 USD

    ISBN: 1597490415

    http://www.amazon.com/gp/product/1597490415

    Though perhaps a tad outdated (it was written five years ago) it is still very relevant, and will answer all your questions not only about the “Why?” of changing your password, but “How?” (the answer isn’t necessarily the one you think it is!).

    I should also note that, for some purposes an insecure password may be appropriate. Sometimes you only want to keep an honest person honest, not “out”. For example, the computer I’m typing this on is shared between my mother and I, and I carefully keep our Windows accounts separate. But my own Windows password is intentionally VERY weak — just five lowercase letters — so that if I were to croak tomorrow, my Mom could hire a guru friend of ours who will no doubt download some program that should be able to break it easily. It’s one of the very few occasions where I rely on an intentionally weak password. (Even apart from the concern just noted, there is simply no need for a strong password in this case — no one uses the computer but the two of us, and who is snooping, the NSA? On those occasions where I really do want to keep some file private, I use encryption — which does use a strong password.)

  31. Leo

    I’m troubled by your stubborn insistence on one particular Password Manager (i.e., Roboform). Granted, it’s the one you use and are happy with; but there are also hundreds of others, and there are also hundreds of other users who are just as happy with those other hundreds of other Password Managers. How about a page listing some of those readers’ favorites, and not just yours, for a change…?

    It’s my idea, so I’ll go first: I happen to like KeePass, currently in Version 2.12:

    http://www.keepass.info

    Enjoy!      🙂

    Not to get too snotty about it, but this is Ask Leo! – I provide my opinions based on my experiences and knowledge. My experience with Roboform has been stellar, and I continue to recommend it. Of course there are lots of other password managers out there – just like there are many other alternatives to just about any other piece of software I might mention. I rarely remove any comments suggesting alternatives (unless I suspect spamming or other malicious behavior), so sure, leave your ideas here. But it’s not my goal to become that kind of clearinghouse. There are plenty of places on the web to find reviews and opinions on other password managers.

    Leo
    09-Sep-2010

  32. Passwords, etc. Being a non-geek with a simple mind, I keep a small thin address book which hides unobtrusively close by, and list user names and PW alphabetically. Any changes to PW’s are duly noted.

    But just for fun I use an open source program “HideInpicture” (@ SurgeForce). A person can hide data within a photo (in many formats ) which requires a password. Just thought this was worth a mention. Can you say “Secret Agent”? Just remember to store PW changes to the photo.

  33. I hate policies that require periodic password changes. They’re idiotic, frustrating, inconvenient, and they actually worsen security. They make users write down passwords, use simpler passwords, use passwords that vary only by one character, and use the same (or a very similar) password on multiple systems. They drastically increase the number of calls made to the help desk to have forgotten passwords reset.

    The height of stupidity is when an organization requires frequent password changes, but also allows horrible passwords. I have seen idiots design systems that force passwords to be changed every 30 days, but allow passwords like “hello1”.

    There are only two arguments in favor of forcing routine password changes:

    1. An attacker could theoretically try brute forcing a user’s password, and keep a (huge) database of the incorrect guesses. This would allow them to keep trying as long as they wanted. In reality, this doesn’t seem to be a large risk.

    2. If a user’s password is discovered by any means, not forcing a password reset would allow the unauthorized access to continue indefinitely. In reality, this could be prevented using other security measures that should already be in place anyway (limiting access to certain times of the day, from certain IP addresses, multifactor authentication, etc.).

  34. Why do a majority of authentication systems restrict passwords and force rules on people in the first place? If you want me to have and use a strong password let me use a sentence or phrase which has meaning for me that I will not have to write down. Even if that phrase incorporates things that have personal meaning for me the chances of it being hacked when used in the context of a phrase or sentence are very slim to none.

    Leo mentions that one of his passwords is “ir8zD16vBdtqr5L” and is only stored in LastPass. As was pointed out in another comment, when LastPass breaks Leo is going to be SOL. If that important password was “Leo worked for MS for 18 years until 2001” he probably isn’t going to forget it nor is anyone likely to guess it either.

    • I’m quite happy with the design of LastPass and trusting that it is extremely unlikely to “break”, as you put it. Just one example: if hackers could steal the database from the LastPass server they would still have nothing. Even LastPass doesn’t see, know, keep or store my passphrase to unlock my vault. It’s on me, of course, to make sure I choose an appropriately secure passphrase for LastPass itself. As always, the human in the equation is the weakest link.

      But I definitely agree that too many password fields are unnecessarily restrictive, often extremely so.

  35. Hey, Leo,
    I recently came across a woman who used the same passwords for everything she accessed a lot (which were only 5 places on the internet). When I queried her further, she said that she would switch on her (works at home) computer, check to make sure her anti-virus etc. were functioning well. Once this was complete, she would log in to the different websites she was visiting that day.
    After checking in to all of them, she would then activate a macro that accessed those systems, changed the passwords, and then printed them out for her next new access or day’s work on those sites. She would not shut her computer off until her day’s work was done. She said she went to 55 to 70 sites over a 2 week period and the print out (only) listed the changes that were made and the new password for each site.
    I asked her what benefit she got other than that her teenage sons had once accessed her accounts and ‘played’ with them and though it hadn’t messed her up much it was frustrating to her to have to reorganize them all over. She said she now locks out her computer and then secures her password from them. She said she never wrote the new one down, moved her desk chair so the wall was behind her, and even now periodically changes her boot-up password and Windows login. She also got laptops for them and secured her network without sharing.
    Now that I’ve explained … just how feasible do you think it is to use this method? It seems like it would be a constantly changing environment to follow. I suppose after you learned the ropes of each website it wouldn’t be that hard, and since the macros are launched and run from her computer it seems reasonable.
    Plus wouldn’t the anti-bot defenses of servers and websites start flagging her?
    Thanks, Ralph

    • Considering that changing your password periodically probably doesn’t do much, if any, good, changing passwords daily sounds like an exercise in futility.

    • Wow. This seems incredibly complex. I can’t imagine how a macro could be written (and using what tool?) that would handle a wide variety of sites like that. Seems like complex overkill that would be error prone at best. While moving on from using same password everywhere is important, I also have to wonder why she just doesn’t have a strong talk with her son.

  36. It seems to me that even people who live in really bad neighborhoods don’t change the locks on their homes or cars unless they have reason to believe they have been compromised. Why would the same not be true for the Internet? Admittedly, the Internet hosts some really bad “neighborhoods” but changing from one strong password to another just due to the passage of time seems ludicrous. If the neighborhood you live, work, play, or park in is dangerous, get the strongest lock you can afford, but don’t feel like you need to change it again until it is compromised in some way. Remember that the brute force attacker was no closer to discovering your old password than he is to the one you’re changing to (unless the new one is stronger). The only exception might be the one already mentioned, where the attacker maintains a database of “already tried” passwords and you change to use one of those already tried. Chances are, though, his friend has a different database and is at the point of trying the one you just changed to!

  37. Don’t forget to answer your security questions with something that is NOT the real answer to the question and/or algorithm based, just like you do with the actual password!

    Question: “What is your mother’s maiden name?”
    Ans: tlaW_212

    • Paul, I don’t like that approach because it is easier to remember the truth than a fictitious answer. I often see questions on Help Forums from people who’ve lost access to their accounts and “can’t remember the answers to the Security Questions”.

      I agree though that if many people know me, they might know the true answer to my mother’s maiden name or the school I attended, but I prefer to take that chance.

      • I agree with Paul. The answers to most security questions are way too easy to get – it really bugs me when websites will re-set your password based on answering these questions, which are way less secure than your password itself (assuming you use a strong password!). I never use the real answers – and I store the ones I give with the rest of my passwords in KeePass, so I don’t need to remember them.

  38. What seems a complicated system to you for making up a password is very simple for a computer/hacker. Just because the technique produces something strange looking doesn’t mean it is good. Anyone trying to crack passwords will have most of the techniques covered.

    Consider typing in your password with a mistake in it and use the mouse to position the cursor to correct the mistake.
    Thanks, Leo

    • Doing that won’t help much if any. A keylogger installed on a computer would be able to detect the mouse corrected password. The most secure is a long password, at least 14 or 16 characters and following safe surfing practices to avoid trojans and key loggers.

    • Realize that the approach you suggest will NOT bypass sophisticated keyloggers. They can log mouse activity and screen shots in addition to keystrokes.

  39. I’ve been using the same passwords for over 30 years. I used it when I was working on mainframes and now use it on PCs. These days, I have 3 variations of it as well as 3 variations of another one I have used many years. Unless I get locked out for too many tries, I can usually eventually get on.

    Now, sites are getting more difficult, like having to use at least 8 characters, with at least 1 capital letter, at least 1 number and then at least 1 special character. Sometimes they will have an image and then on top of that some start asking stupid security questions. The questions you can choose from are moronic.

    Many of them are useless to many people. Like what was your 1st pet’s name. Who the heck remembers that, and what if they never had a pet? Then that question is out. Then there’s family questions. Many people don’t have family or very little of them. Cross out those questions.

    Your favorite car, what did you want to be, etc. I think they get morons to dream up those questions. I can throw out about 80% of them cause I can’t remember or they don’t pertain to me. And it’s usually a site like my TV Listings or some blog that makes passwords the most difficult. I wish some of these jerks would use their noggin once in a while. Thanks for letting me vent.

    • The problem is many folk think their answers have to be truthful to be remembered. Be a little imaginative.

      Some of these questions, if answered honestly, ask for information that is readily available in public records. So, they’re not very secure.

      You didn’t have a pet? Then answer with something you can remember, like Roach, Mouse or Unicorn. Who was your first girlfriend/boyfriend? How about Cindy Crawford or Tom Cruz? Grandfather’s first name? Grandpa. Mother’s maiden name? Miss. Best friend? Julius Caesar, King Tut, or some other famous person you can easily remember – or even your worst enemy. First car? Stanley Steamer, Model-T, or some other car you wish you had. Answers don’t have to be what “was,” but can be what you “wish they were.”

      Have some fun with these things, and they will be easier to remember.

    • The solution to your frustration is simple. Make up answers – in fact treat them like passwords. Your favorite pet? Pencil. Or FTSC8w10GI3x. It doesn’t have to be a pet. All that matters is that you answer it, and that you can provide the same answer in the future. Using fake answers is a highly recommended additional level of security.

      Complex passwords – with numbers and special characters – those I agree with when passwords are short. Too many people select simple passwords that are easily cracked. This enforces at least a little bit of randomness. What I wish is that a) all sites were consistent, b) all sites allowed spaces, and c) all sites allowed passwords of up to 256 characters or so. That way you could choose a lengthy pass phrase with no special characters that was every bit as secure and possibly easier to remember.

  40. I set up company wide password requirements that included not being able to repeat a certain number of characters from your old password to your new password. It was done *specifically* to stop people from merely changing the month in the password. For example: old password = passwordFEB & new password = passwordMAR. A brief while after implementation, I was ordered to remove that limitation. SHEESH!

    Personally I use RoboForm and have passwords like aT4*3mw{v9irg#. Further, for the security questions I make up answers such as my mother never had a maiden name she was born married.

  41. I’ve started using LastPass and love it. It saves a lot of time – and the form fill is super, particularly for entering company details for online inquiries etc. You have recommended RoboForm but is this significantly different or better? Also, is there a significant risk with any of these programs that someone could access my computer and therefore gain access to every site which I have set to save the login details? (I’m sure most people would use this function because it saves so much time)

  42. Most requirements for passwords are for sites where it really matters not whether hackers get through and latch on to them. The need for such passwords is entirely dictated by the site owner to protect his site. For that reason the need to change regularly is, in my opinion, pointless. There are very few personal sites that require strong passwords – e.g. bank accounts. Only you, the password owner, can assess the level of security required. Taking a pragmatic approach of categorising relevant security needed as opposed to that designed to protect the web site owner will save a lot of hassle, particularly when the age related problem of memory kicks in. I also would challenge the advice of not writing down passwords: it’s about safe storage of the written down material! And if you are about to divorce your partner, then eat the paper in anticipation!

    • There is a very compelling case that ALL sites need to be secured with proper security. Most people use the same username and password on multiple sites. If a minor site gets hacked then the hackers have your username and password. What they do is travel around the web and try that combination on numerous other sites… including your bank. So getting hacked one place (even if it is a minor site) can lead to pretty serious consequences.

      Leo has a great article about that here: http://askleo.com/why-is-it-so-important-to-use-a-different-password-on-every-site/

  43. I disagree with your premise of not changing your password frequently. You are forgetting about the case where the password is stolen and the theft is not discovered immediately. Thieves can use your password undetected to monitor your bank account until payday when they empty your account. If you change your password every 30 days, then the old stolen password will not work for long unless they lock you out first.
    Just wish there was an easy way to change passwords everyday on every site. That would make those password managers worth their bits in gold.

  44. If a hacker obtained the password to your bank acct and only found $77 in it, he’d be wise to let it sit and robo-check it periodically until you deposit your $30,000 loan proceeds prior to buying that new SUV.

    In that case, having changed your pw two or three times during that interim would hose him off your acct.

  45. I used to use the same password for non banking sites, but am working on changing them to unique strong passwords. I’m using LastPass to remember them. My eureka moment came when I realized how many different things I had on Google Accounts. Some are important, and some are not. None of my accounts have been hacked, but two days ago I received a notice from Gmail of suspicious, unsuccessful logon activity. Checking the logs showed numerous attempts to logon to my Google Accounts from Canada. My next step was activating 2-step verification to protect my accounts more strongly. By the way, I NEVER share passwords with anyone.

  46. I put my passwords in an alphabetical file by website name in a word doc. Then in a WinRAR archive that’s password protected. I have WinRAR anyway so why not use it. Then I backed up the file on a USB stick, updating it when changes are made to the original word file. The original WinRAR file is still password protected on the USB stick. That password is used only for this file, and is one I’ll never forget.

    On another note, I read somewhere that Windows stores all passwords somewhere in the registry, and someone who knows that location can find the passwords. Is this correct?

  47. Funny … you say … don’t write them down as a biggie and then say in one of the comments to print them out … kind of the same thing, isn’t it?
    I personally make up password phrases that I can remind myself with short form hints that I write down.

    • The biggest problem I see with people who write their passwords down is finding the right one later through all the notes. I’m a web designer and I show up at people’s offices and watch as they shuffle through piles of paper, and notebooks, and scribbled notes – often we never find the password! As you get more and more, and then change them, it’s hard to keep a clean hand-written system.

  48. A friend recently told me he has a (very expensive) USB memory stick, that has a thumb print reader on one side. On that stick, he stores a version of LockNote (a self-encrypting .exe that acts like NotePad) which contains his passwords.
    So a potential password thief would need the stick, the password for LockNote, and his thumb…

  49. This password stuff can be taken to the extreme. One employer I worked for required employees to sign on with a different userid and password for the three services they provided:
    1. Local network server. (business files)
    2. Email server
    3. Internet (browser) access.

    Initially, employees didn’t have a problem remembering three different userids, and three different passwords. They used old nicknames, pets names, birth dates, social security numbers, etc. Anything that was already committed to memory, and which a hacker would not have known.

    Then the IT staff discovered “force password complexity”, and all of a sudden our passwords needed TEN digits. At least two of which had to be numbers, another two symbols, and at least one a capital letter. They would force the change for all three systems EVERY 30 days.
    They also selected “NEVER REUSE PASSWORD”.

    As a result, EVERYONE had to compile a list of all the passwords they used and keep it at their desk. Otherwise, they would forget which passwords had already been used.

    What did this accomplish? Now instead of people using a secret password, committed to memory, they left a list of hard to type passwords at their desk, where anyone could gain access!

    My definition of STUPID!

  50. I’ve “always” thought that requiring periodic password changes was silly. Glad you came around to my way of thinking. 🙂

    As long as there’s no likelihood of a breach, I’ve left my passwords alone. I HATE systems that require a change every X period, as if that actually increases security. If they’re “concerned” about security (as opposed to just doing security theater), then that’s not the way to increase it. They can require more info (like 2nd factor, or “security questions”) if your IP address is different from the last login, for instance.

    But the real bottom line is, what would be better than passwords, and when will they switch to it?

  51. The mandated password changes at my last place of employ were dealt with by adding one to the number on the end of it. The odd computers [all had to be encrypted] for lab use and that were not network linked had the logon passwords in tape on the front so anyone could use it. Neither of the above would have occurred if a good reason could be seen for what we were doing. People tend to work around the obstacles.

  52. I don’t know if Mexico is particularly threatened by password retrieval or they are just cautious.

    In addition to VERY specific (unknown until they holler) password requirements, the bank gave me a device that changes numbers every 2 minutes and has about 8 numbers displayed. It took close to an hour with their tech guy to get a useful password and some security questions answered satisfactorily. He had also put in the wrong device serial number so inputting those numbers obviously did not work until he fixed that. Their system will not allow repeated number series such as 99 and most probably sequential numbers.

    I must use my password plus the numbers displayed to access my account.

    A friend borrowed my computer to access his bank account in a pinch. He also had a similar device from a different bank. So that practice looks pretty widespread here.

    • That’s called 2 factor verification. It’s also used all over Europe. Some give a list of one time pins called TAN’s (Transaction Account Numbers), a TAN sent to your mobile phone or a TAN generating calculator which verifies your ATM card and PIN and creates a one time TAN. The reason Mexico uses that system is that it’s more advanced than the US system. Why US banks haven’t implemented a system like that totally baffles me.

  53. I use LastPass and as part of their security check they will point out that you haven’t changed your password lately. I am thinking like you…why change a good password. I use passwords that are generated by Last Pass so don’t see the point in changing them periodically.

    • Because two words separated by a number is a pattern that’s easier to guess, and easier to find using a “try everything” approach based on words.

  54. I worked one place that required password changes every 35 days. BUT, there was no requirement as to *how much* the password had to change. Many, many people used passwords that contained the month. For example “mypass11” for November and “mypass12” for December.

  55. Some great ideas here. I didn’t read every post, so maybe this is a dup, but on the subject of ‘security questions’, yes much of that info is available from public records. So don’t use real answers – their system doesn’t care if the info is true, only that it matches what you put in originally. You just have to remember what that was… so, ‘mother’s maiden name’ – Bumstead; ‘favorite pet’ – Snoopy; ‘city of birth’ – Smallville – that kind of thing.

  56. One of the main reasons for regular changes of passwords has nothing to do with the account being hacked; it is to do with someone finding out the password.
    Sometimes when logging in you put in your user name, press tab to go to the password box and put in your password. Except that without realising, you didn’t hit the tab button properly, and the cursor is still in the username box. As you type the password, it is visible to anyone looking at your screen. A colleague saw my password in that way and I had to change it.
    In my office, I sit next to the same people every day. It is not difficult for someone determined to be able to watch as you log in and get the password. It might take a few times of watching, memorising the first few characters, then the next couple etc. It is especially easy if the password is easy to guess. You get the first few characters by watching and guess the rest.
    We have to change our work password every month. Almost everyone I know uses a basic password, and just changes the number at the end. So it will be Elephant. Next month, they change it to Elephant1, then Elephant2, Elephant3 etc. Really secure! But people are lazy and cannot be bothered to think up or remember new passwords.

  57. “They get your password right now without regard to its age. Whether you changed it yesterday or last year, these compromises simply get your current password.”
    I can think of one scenario where changing the password might help. Someone steals your password along with others from an email website without good security but doesn’t change it, but uses it, for example to send spam. Changing your password regularly would lock them out again. That being said, it’s nothing I would bother with as a major website should let you know of the breach and you could change it at that point. A less secure website probably normally wouldn’t contain anything I couldn’t regain by signing up again.

    I use strong unique passwords on sites I consider important, such as accounts which involve finances, email accounts, work accounts and important social media accounts etc., but any sites that require a password just to comment or view content all use the same short password. If it’s hacked, I can just sign up again. Even if they try it with all of the sites using it, it still doesn’t make any difference.

  58. Yes, you need to keep your passwords secret. But, you also need to consider what will happen with your accounts when you die. Even if you are young, you could get hit by a bus. Sites like your bank may not be an issue as someone can go to a physical bank to resolve things but they cannot do that for Facebook, Twitter, Google+, your email, and the like. As more stuff goes online, this becomes more important. For me personally, it is Shutterfly with all the pictures of the grandkids.

    I’ve been married 40+ years so I’m not concerned that my wife knows all my passwords. If you do not have anyone you trust that much, make a list and put them in your safety deposit box or give them to the attorney who drew up your will.

    As for the security questions, I always lie. I use Lastpass for the passwords and store the security question “answers” in a password protected Access database, but it seems to me the password just makes me feel better. The chances that someone trying to hack my online account having access to my computer and knowing I have a file with those “answers” and where to find it is extremely remote.

    • I had a friend who died of a brain tumour so his memory went very fast. He did not store them or write them down. I was asked to access his accounts; some were easy, just required a password request. Others which required answers to security questions or used user names which were not email addresses were impossible to retrieve.
      So I would say write them down and keep them with someone you trust, or if you are using RoboForm put the master password in your will.

  59. I’ve skimmed through a couple of times but haven’t spotted a link to this fabulous comment on password strength from a couple of years ago – https://xkcd.com/936/ – which has altered my attitude to password creation permanently!

  60. I’ve always been security conscious since getting my 1st computer in ’98. I have accumulated some 4 pages of Word documents of websites I’ve visited with email address, passwords of each site & link to same. I keep all of this data on a jump drive to use when I need to access a particular site. I use Kaspersky Internet Security suite which has a money add-in that gives an extra layer of protection on financial sites. When I need it I pop it in a USB port then remove when I’m done; never leaving it in my computer, only when it’s needed. I have 2 Hotmail accounts for public use & 1 primary for family & friends. Besides Kaspersky, I have Malwarebytes Anti-Malware running @ startup.

  61. While I do agree changing passwords regularly is only a minor improvement, one must remember that security comes in layers. One advantage to regular password resets is training your employees to change their passwords. The situation I put forward is the “Disgruntled Employee” who knows a few passwords for whatever reason (they were written down on sticky notes, shared passwords, he was told once to allow him to log on to your account just once, shoulder surfing, whatever).

    While he is in the boss’s office getting fired, we immediately lock him out of the system, and also set everyone’s password to require to be changed on next login. Send out an “Emergency Server Maintenance” memo, asking everyone to close their files and log off. We give the all clear, people login, and BOOM password reset, right now, and EVERYONE knows what to do, and because they have been changing their password on a regular basis, they aren’t flooding the IT line with “HUH?”, it’s just a routine password reset and they do it.

    Still have to work on Password1, Password2, Password3, but it does help.

  62. I can hardly wait for bio-verification. The entire password system is so horrid, unnatural and unwieldy that it deserves a swift demise. Between the varying rules for passwords, time expirations, etc, I have surrendered and now keep a written list (Yes, WRITTEN!) to ensure access in the event my PC or its external backup crash or are lost in a fire, earthquake or due to pestilence. I defy even the best hacker to find my piece of paper off a Big Chief tablet.

  63. Back in the ’90s, I worked on a mainframe for a large corporation that required changing your password every 30 days. It wouldn’t allow a reuse of the last 8 passwords so I wrote a routine (clist) that would change my password 10 times ending with the one I started with. It took system programmers 3 years to notice it and then they wrote a counter routine that disallowed the programmatic changing of passwords.

    Naturally I came up with a work around that I believe I’ll keep to myself.

  64. Leo, I use LastPass to generate and manage my passwords. However, I don’t understand why I actually NEED a strong password. When I logon to Target, for example, and I can’t enter the right one after say, 3 times, they will lock me out. At that point, I have to call them to get it reset. Or, click “Forgot my password” and have a new one sent to my email. So, if I have a ‘weak’ password but it can not be guessed in 3 tries, how am I exposed?

    • In a case like that, a strong password may not be as important, but not many websites have that kind of security in place. But for the others which don’t have that 3 strikes policy, you need strong passwords. And there’s no such thing as too good a password.

      • I agree with you on both points. I was trying to figure out if I was missing something. Actually, I use strong passwords on ALL sites. I use LastPass to generate them (12-20 chars, digits and special chars). When I login to a site, LP fills in the username and pw. Not only are the site username and passwords encrypted, I can also require a second password when looking at the LP record for a site.

  65. Substituting special characters for similar letters does not provide the richness intended. Nor do misspelled words. I try to make my passwords 1 character longer each year unless similarity algorithms interfere. How about initial letters of words from a favorite passage? Especially if it was from a unique correspondence or poem. Pass-phrases are now the trend, but more bang for the typing-buck has advantages. To my heirs, I bequeath two simulated blue passport folders: one having the first half of passwords, the other, the remainder. Each stored at a different locale.

  66. “So one individual, every 30 days, would change his password six times in succession so that his current password would be forgotten by the system and he could use it again.” – Which is why most organizations set policies for both maximum password age and minimum password age – with the latter being the minimum number of days that must pass before a password can be changed.
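The controls described in comments 40 (no long run of characters shared with the old password), 54 and 56 (month or digit increments), 63 (cycling through the history to get back to the original) and 66 (minimum and maximum password age), put together as an added Python example that is not from the article or any commenter; the Policy and UserRecord names, the default limits and the sample passwords are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple
import hashlib
import hmac
import os


@dataclass
class Policy:
    """Tunable limits; these default values are constructed for the example."""
    history_depth: int = 8                      # remember the last 8 hashes, as the mainframe in comment 63 did
    min_age: timedelta = timedelta(days=1)      # blocks cycling through the history in one sitting
    max_age: timedelta = timedelta(days=30)
    max_shared_run: int = 4                     # longest run of characters old and new may share
    min_length: int = 14


@dataclass
class UserRecord:
    """Per-user state: salted hashes of recent passwords (newest last), never plaintext."""
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    last_changed: Optional[datetime] = None


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a per-entry salt, so the stored history cannot be read back as passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _matches(entry: Tuple[bytes, bytes], password: str) -> bool:
    salt, digest = entry
    return hmac.compare_digest(_hash(password, salt), digest)


def longest_shared_run(a: str, b: str) -> int:
    """Length of the longest substring common to both strings, ignoring case."""
    a, b = a.lower(), b.lower()
    best, prev = 0, [0] * (len(b) + 1)
    for ch in a:
        cur = [0] * (len(b) + 1)
        for j, bj in enumerate(b, start=1):
            if ch == bj:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def check_change(record: UserRecord, old_password: str, new_password: str,
                 policy: Policy, now: datetime) -> List[str]:
    """Return the policy violations for a proposed change; an empty list means it is allowed."""
    problems = []
    if record.history and not _matches(record.history[-1], old_password):
        problems.append("current password incorrect")
    if len(new_password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if record.last_changed and now - record.last_changed < policy.min_age:
        problems.append("changed too recently (minimum password age)")
    if longest_shared_run(old_password, new_password) > policy.max_shared_run:
        problems.append("too similar to the current password (suffix or month increment)")
    if any(_matches(entry, new_password) for entry in record.history):
        problems.append(f"reuses one of the last {policy.history_depth} passwords")
    return problems


def apply_change(record: UserRecord, new_password: str, policy: Policy, now: datetime) -> None:
    """Record an accepted change: store the new salted hash and trim the history."""
    salt = os.urandom(16)
    record.history.append((salt, _hash(new_password, salt)))
    del record.history[:-policy.history_depth]
    record.last_changed = now


def password_expired(record: UserRecord, policy: Policy, now: datetime) -> bool:
    """Maximum-age check: True when the password must be changed at next login."""
    return record.last_changed is None or now - record.last_changed > policy.max_age


def demo() -> dict:
    """Walk through the patterns the comments describe and return the verdicts."""
    policy, rec = Policy(), UserRecord()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    apply_change(rec, "correct horse battery", policy, now=t0)
    day2 = t0 + timedelta(days=2)
    verdicts = {
        "increment": check_change(rec, "correct horse battery", "correct horse battery1", policy, day2),
        "reuse": check_change(rec, "correct horse battery", "correct horse battery", policy, day2),
        "fresh": check_change(rec, "correct horse battery", "tlaW_212 green lantern", policy, day2),
    }
    apply_change(rec, "tlaW_212 green lantern", policy, now=day2)
    # an hour later the user tries to change again: the history-cycling trick from comment 63
    verdicts["too_soon"] = check_change(rec, "tlaW_212 green lantern", "another fine passphrase",
                                        policy, day2 + timedelta(hours=1))
    verdicts["expired_after_31_days"] = password_expired(rec, policy, day2 + timedelta(days=31))
    return verdicts
```

The similarity rule is deliberately case-insensitive and substring based, so passwordFEB to passwordMAR and Elephant1 to Elephant2 are both rejected while an unrelated passphrase passes.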

  67. Leo says, “Don’t write them down.” This would be impossible for me; I have over 5 pages (100+ passwords) I would have to remember. Anyone that has been on the Internet since it started (~1980) would have collected many web site logins. Most are different per the conventional wisdom.
    Leo says, “use LastPass (or other password manager).” This would be wonderful advice if one used just one or a few computers. As an instructor to our local senior center I have to use (and login from) many different computers and devices. A password manager would have to be installed on each, and some being phones or tablets there may be no matching add-on or password manager.
    So I *do* “write them down.” The passwords are written down in a heavily encrypted file that I can carry around on a flash drive. (psst! – the file is not named “passwords” 🙂 ) The encryption program is also on the flash drive, along with many other teaching-related files. I could lose the drive without worry.

    • “A password manager would have to be installed on each.” Actually that wouldn’t be necessary. LastPass has a web interface which you can use at any computer.
