One of the most frequently asked questions we get from readers is “How often should I change my passwords?” But our answer may sound somewhat surprising: not as often as you might think.
Nowadays, when we read about security breaches and password leaks on an almost daily basis, the frequency of changing passwords may have accelerated slightly. That doesn’t mean users need to change their passwords every week or even every month. However, when you see a prompt – such as those you might have had from Yahoo or LinkedIn after they were hacked – we recommend taking that seriously and changing the password to a more secure one. But what happens when people try to comply with the new security requirements imposed by some online services, which prompt them to change their passwords frequently?
Password expiry
The practice of expiring passwords has been a staple of computer security administration for quite some time now. The basis of this practice is the belief that frequent password changes will leave little room for a hacker to act and crack the account, due to the ‘limited time’ factor.
By doing so, instead of adding an extra layer of security, the newly adapted password eases the work of hackers, as they – using sophisticated methods such as deep learning and neural networks – can easily guess the password of the targeted user.
The impact of password expiration policy
In a paper entitled “Quantifying the Security Advantage of Password Expiration Policies”, researchers at the School of Computer Science, Carleton University in Ottawa, Canada have demonstrated mathematically that password expiration policies may hamper cyber criminals a little bit, but not enough to offset the inconvenience to the users. The UNC research has demonstrated that once an attacker knows one password, it’s often an easy task to guess the user’s next password, thanks to the transformation patterns these users usually follow.
The problem is that when prompted to change the password, users relying on their creativity will likely follow the patterns noticed by the UNC researchers, by re-using the old password in some way, either by changing a couple of characters to a similar-looking symbol, or moving numbers from front to back or vice-versa. This makes password guessing an easy task using sophisticated tools such as password-guessing software or neural networks.
How password managers can help
That changes with the use of a password manager. Users don’t have to come up with a new password on their own because these services have password generating features that can generate unique passwords based on selected rules: the number of characters, symbols, or words can all be altered. Based on the password generation algorithm that password managers use, a new password is born and it won’t have anything to do with the old one, which renders password-guessing tools useless in this context.
Along with securing user accounts with strong passwords, these services also remind users to change their passwords by notifying them of the length of time a specific password has been in use. And when the user goes to update a password, they can do so easily with one click and the stronger password will take the old one’s place without the hassle of having to remember it, which is particularly difficult if such a credential contains a wider set of character data to comply with the latest password security requirements.
Every password shorter than 12 characters is considered weak, and even then they will have to comply with another set of rules, such as using lowercase and uppercase alphabetic characters, numbers and symbols, avoiding character repetition, and much more. Human-generated passwords will struggle to match these security requirements, and that’s what password managers achieve on a professional level. By taking the burden of remembering that unique password off your brain, they offer the convenience of strengthening your overall password security with just a few clicks.
István F.
Adam B.
User feedback