Does Changing Your Password Increase Security?

By István F. Verified by Adam B. Last updated: July 17, 2024

Many users have to remember multiple passwords because they use a different password for each of their applications, or because they are forced to change them frequently by expiry mechanisms. For the past quarter of a century the longstanding security practice has been that users must change their passwords periodically. This is called a password aging policy, and it forces users to change passwords at fixed intervals such as every 30 days, 90 days, or six months.

The problem

The reasoning behind this security practice is clear and simple: it limits the window of time in which cyber criminals can use an account if, for some reason, they were able to obtain the password (or a hint to it) and break into the account.

The unexpected issue, however, is that when security researchers analyzed the results of such password policies, they found that instead of choosing more secure passwords, users leaned towards using variations of the same password.

After analyzing thousands of real-world passwords, researchers at the University of North Carolina at Chapel Hill noticed that users tended to create new passwords that followed a predictable pattern. This means that once a would-be hacker identifies the pattern, the next password can easily be guessed from the previous one. This habit is called “transformation” and covers methods such as adding an incremental number, changing a letter to a similar-looking symbol, adding or deleting a special character, or switching the order of digits or special characters.
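One way a password-change form can defend against exactly these transformations is to compare the new password with the old one after undoing the usual tricks. The following is an added example written for this article (not code from the researchers or from any product); the look-alike table and the one-letter tolerance are assumptions that you would tune to your own policy.

```python
import re

# Look-alike symbol/digit substitutions users make for letters. Constructed,
# illustrative table (an assumption of this example, not an exhaustive list).
LOOKALIKES = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                            "|": "l", "0": "o", "$": "s", "5": "s", "7": "t"})


def core(password: str) -> str:
    """Reduce a password to its letter skeleton.

    Leading/trailing digits and symbols (the incremented counter or the
    appended '!') are dropped first, look-alike characters are mapped back to
    the letters they stand for, and any remaining non-letters are removed.
    """
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return re.sub(r"[^a-z]", "", stripped.lower().translate(LOOKALIKES))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to tolerate one inserted/changed letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_transformation(old: str, new: str) -> bool:
    """True when `new` is only a predictable variation of `old`."""
    if old == new:
        return True
    old_core, new_core = core(old), core(new)
    if not old_core or not new_core:
        # No letters to compare (all-digit/all-symbol passwords): only a pure
        # reordering of the same characters is caught here; a length or
        # complexity rule should reject such passwords anyway.
        return sorted(old) == sorted(new)
    return edit_distance(old_core, new_core) <= 1


def check_password_change(old: str, new: str) -> str:
    """Policy hook: the verdict a password-change form would display."""
    if is_trivial_transformation(old, new):
        return "rejected: new password is a predictable variation of the old one"
    return "accepted"


if __name__ == "__main__":
    for old, new in [("Summer2023!", "Summer2024!"), ("password", "p@ssw0rd"),
                     ("hunter2", "2hunter"), ("Summer2023!", "correct-horse-battery")]:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new)}")
```

This check only works at change time, when the service still has the old password in memory; it cannot be run against stored hashes later, which is one reason the check belongs in the change flow rather than in an audit.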

The annoyance

While the theoretical gains to personal security are real, in practice password aging policies place a burden on users trying to comply with them. A white paper published by researchers at Carleton University quantifies the impact of password expiration policies, and the results aren’t what you’d expect.

How to make a strong password you can remember

Forced password changes do help to lock out unauthorized parties who somehow managed to obtain an account password. However, the measure provides little help against a variety of other attacks, such as keylogging software installed on a target computer, phishing scams, or malware that renders subsequent password changes useless. Password aging policies also put extra stress on the user, which in most cases results in weak passwords, as users know that another prompt will appear eventually anyway.

As a result, this password policy does more harm than good because it makes passwords easy to guess, especially given the availability of sophisticated password cracking software. Since computer hardware is constantly getting faster, password cracking becomes more efficient with each passing year, which is why every account needs a stronger and unique password.

When do you need to change your password?

What all this means is that you should still change your passwords, but not as often as you might think. The debate is still ongoing within the security community but as Yigal Unna, Director General of Israel National Cyber Directorate, joked during a keynote presentation at the Israel Cyber Week, passwords aren’t like underpants: you shouldn’t change them frequently.

Even if you apply good password hygiene, meaning that every account you create has its own unique, cryptographically secure password generated by a password management application or your own recipe, you still need to change the password from time to time.
For example, you should change your password if you think you were the target of a phishing scam or if someone was looking over your shoulder while you were typing in a password. The password should also be changed if you shared it with someone else – even a trusted friend – because you don’t know what kind of security measures they apply. And you should especially change your password if you think it is weak or has been stolen.

Password management applications have a neat feature that keeps an eye on data breach reports and notifies users when a password change is needed because of a data leak. Users also receive a notification if a password added to the ‘password bucket’ is weak or old, and changing it requires only a few clicks. It’s so easy, it’d be foolish not to use it.
