I read many articles (including some on Ask Leo!) that recommend that people should change their passwords from time to time. But what is good practice in this respect? Should it be related to frequency of use? For instance, some passwords are used frequently, some less often, and some rarely. Or should it be related to the level of security needed? For instance, passwords for online banking are more sensitive than passwords for magazine subscriptions.
Good practice in a corporate environment seems to be to force network and other password changes every 30 days or so. This would seem to be overkill in the home environment as it could result in some accounts being accessed more often to change a password than to do anything else.
Unless you get into a good routine, like when you do data backups, password changes will only get done sporadically, if at all.
Do you have a view on how to build such a good routine?
As you say, routines for things like this are difficult to set up, and if not automated, they are easily forgotten. Automation may be the answer in many cases, but it’s not always available – at least not in a convenient form.
But before we even get to that, I want to talk about the “you should change your password periodically” rule of thumb.
Password value over time
Conventional wisdom is that you should change your password “every so often”.
When I sat down to think about why, I couldn’t come up with a good reason.
There’s nothing about the age of a password that necessarily makes it lose its quality over time.
The vast majority of password-based hacks are due to weak passwords, sharing passwords when you shouldn’t, and technology-based compromises, like viruses or keyloggers. They get your password right now without regard to its age. Whether you changed it yesterday or last year, these compromises simply get your current password.
And, as I said, these are probably the most common forms of individual password theft.
Periodically changing your password can add a small layer of security to avoid some less common threats: someone stealing an old database of accounts and passwords, perhaps. Or someone finding your notebook from last year where you’d scribbled your passwords down. These kinds of things can and occasionally do happen – just not nearly as often as the more common compromises above.
Keeping a password safe
The steps to keep your account safe with respect to your password would be, in priority order:
- Choose a good password. Longer is better. If you’re still using an eight-character password, it’s not long enough; passwords should be at least 12, and ideally 16, characters long.
- Tell no one. After starting Ask Leo!, I was surprised to learn how often people share passwords when they shouldn’t. Then they’re surprised when their friend is no longer their friend, or their spouse is no longer their spouse, and suddenly their email, Facebook, or other account is compromised.
- Don’t write it down. Yes, make it a good password, but either make it something that you can remember, so that you don’t have to write it down, or use a password manager application (like LastPass) to remember it for you.
- Don’t use the same password on multiple sites. When you do, you allow a compromise of one account to impact all your accounts using the same password. Hackers know that people do this, and they absolutely do try to see if you’re one of those people.
- Remember that changing your password is not enough if your account gets compromised.
- Consider adding two-factor authentication to further protect important accounts.
And I’ll admit it here publicly: I use about five type-in passwords (along with many completely obscure passwords that I never type – like ‘ir8zD16vBdtqr5L’ – which are remembered only by LastPass). The oldest and “least secure” password that I actually type in is at least 15 years old. The newest and most secure, perhaps only two years. And yes, I am transitioning to different and stronger passwords everywhere.
When to change your password
There are some situations where you definitely do want to change your password, but they’re not tied to any schedule or length of time.
- Change your password if you realize that you’ve selected a poor password – be it easy to guess, or too short. Choose a better, more secure password.
- Change your password at the first hint of strange activity on your account. If your account has been hacked, doing this immediately is step one. Then take additional steps to secure your account as well.
- Change your password for an account if you hear reports that the service has been compromised, or if the service notifies you that it has. If you’ve been using that service as the alternate account for one of your other accounts, consider changing that other account’s password as well.
Automating the process
So, how to automate it?
The only blanket approach I can think of is to simply set a reminder in your calendar and do it. The problem is that changing your password on all your accounts (I have something like 350 in LastPass alone) just isn’t practical. As a result, we skip it.
Using technology is the other approach. There are systems – including Windows itself – that can be configured to require that you change your password according to a set schedule. The problem here is that most password-requiring systems don’t include this type of functionality. For example, the major free email providers do not.
I don’t really have a good solution on “building a good routine”, as you put it.
But as you can see, I’ve also come to the conclusion that perhaps that routine isn’t really as important as we’ve been led to believe.
If I’ve missed something, by all means leave a comment. Password management is too important a topic not to make sure that these kinds of assumptions are correct.
The power of determination
I’ll end this with a story I’ve seen happen (and have also overheard in an episode of Security Now!):
A company had configured its Windows logins to require a new password every certain number of days (30, 60, or 90 days seems to be common; I’ll say 30 for example’s sake). It had also configured the system to require that you not re-use your last five passwords. You had to come up with a new one each time.
So one individual, every 30 days, would change his password six times in succession so that his current password would be forgotten by the system and he could use it again.
Yes, he changed his passwords six times in a row, so that he could keep his favorite password unchanged.
Users can be … innovative … at getting what they want.
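As an added illustration (not code from the article or from Security Now!), here is a small Python model of the policy in that story: a “remember the last N passwords” rule, which the six-change trick defeats, next to a minimum-password-age setting, which is the usual countermeasure and is my addition rather than something the story mentions. Class and function names and the sample password are constructed for the example.

```python
import hashlib
from collections import deque


def _digest(password: str) -> str:
    # Simulation only: a real directory stores a salted, slow hash, not bare SHA-256.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class PasswordHistoryPolicy:
    """Model of a 'remember the last N passwords' rule, plus an optional
    minimum password age (in days) that must pass between consecutive changes."""

    def __init__(self, initial_password: str, history_depth: int = 5,
                 min_age_days: int = 0):
        # The history holds the current password and the N-1 before it.
        self.history = deque([_digest(initial_password)], maxlen=history_depth)
        self.min_age_days = min_age_days
        self.last_change_day = 0

    def change(self, new_password: str, day: int):
        """Attempt a change on the given day; returns (accepted, reason)."""
        if day - self.last_change_day < self.min_age_days:
            return False, "minimum password age not reached"
        digest = _digest(new_password)
        if digest in self.history:
            return False, "password is in the remembered history"
        self.history.append(digest)  # the oldest entry falls off once the deque is full
        self.last_change_day = day
        return True, "changed"


def cycle_back(policy: PasswordHistoryPolicy, favorite: str, day: int) -> bool:
    """Replay the story: one throwaway change per remembered slot, all on the
    same day, then try to set the favorite password again."""
    for i in range(policy.history.maxlen):
        policy.change(f"throwaway-{i}", day)
    accepted, _ = policy.change(favorite, day)
    return accepted


if __name__ == "__main__":
    favorite = "Fav0rite!Pass"  # constructed sample value
    lenient = PasswordHistoryPolicy(favorite, history_depth=5)
    print("history only, cycled back:", cycle_back(lenient, favorite, day=30))  # True
    strict = PasswordHistoryPolicy(favorite, history_depth=5, min_age_days=1)
    print("with 1-day minimum age:", cycle_back(strict, favorite, day=30))  # False
```

With a history of five, the sixth change lands back on the favorite password; a minimum age of even one day rejects every change after the first throwaway, so the favorite stays blocked.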