Do I Need to Change My Passwords Every Few Months?
Your password is too old, and you must change it. If you've been on the Internet for long enough, you've probably heard this advice. But does it still hold water?
It's an important question that, unfortunately, doesn't have one definitive answer. In some cases, it could be a really good security practice. In others, it might increase the risk of having your accounts compromised. Here's a deeper look into the subject.
In 2016, some bad guys went on the Dark Web and started selling a database containing millions of MySpace usernames and passwords. Let's assume that your account was in that database. This meant that anyone with some spare cash in their wallet was able to "buy" your login credentials and compromise your account. If your MySpace password was reused elsewhere, the potential repercussions were much, much more serious than someone having access to what is probably a dormant account on an all but dormant social network.
Unless, of course, you change your passwords frequently. You see, although it appeared on the Dark Web in 2016, the data, it later turned out, had been stolen long before that. In fact, analysis showed that it dates back to 2008. When it was put up for sale, the database presented no threat to the people who change their passwords regularly because the login credentials associated with their accounts were long outdated.
The moral of the story, it seems, is: change your passwords regularly and you have a better chance of protecting yourself against an account takeover. Unfortunately, there's a bit more to it than that.
First of all, although hackers started selling the database in 2016, someone probably had their hands on it long before that, and that someone had plenty of time to do a lot of damage. And let's not beat about the bush: for most users, changing a password is a hassle. Changing a lot of passwords is an even more unpleasant chore, and websites and online services don't help much with their often convoluted password-changing mechanisms. We don't even want to go into the problem of resetting the new password because you've forgotten it. As a result, people who do want (or are forced) to follow the "change your passwords frequently" advice resort to patterns (i.e., changing one or two characters and keeping the larger portion of the old password intact).
Your new password might end up being weaker than the one it replaces, which puts you at risk. In addition to this, as we all know, hackers have a lot of spare time on their hands, which means that, if they're motivated enough, they'll search for a pattern that lets them guess your new password based on the old one. If they're clever (and some of them tend to be quite clever), they might find it and still manage to break in.
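The pattern problem described above is something a password-change policy can check for on the defender's side. The following is an added example, not code from the article or from Cyclonis: it flags a new password that is a trivial variant of the old one (same stem with only a trailing number or symbol bumped, or a case change, or high overall similarity). The sample old/new pairs are constructed for illustration, and the 0.75 similarity cutoff is a hypothetical policy value.

```python
import difflib
import re

# Constructed old -> new changes following the patterns the article warns about:
# bump a trailing year or digit, change only the case, or (last pair) use a
# freshly generated password unrelated to the old one. Not data from the article.
SAMPLE_CHANGES = [
    ("Summer2019!", "Summer2020!"),         # increment the trailing year
    ("Tr0ub4dor&3", "Tr0ub4dor&4"),         # bump the final digit
    ("correcthorse", "CorrectHorse"),       # case change only
    ("Summer2019!", "q7#Lz9!vP2mXw@4R"),    # generated, unrelated replacement
]


def _stem(pw: str) -> str:
    """Lower-case the password and strip the trailing run of digits and
    punctuation, which is the part people typically rotate instead of the
    whole password."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def similarity(old: str, new: str) -> float:
    """Case-insensitive similarity ratio in [0, 1] between old and new."""
    return difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio()


def is_trivial_variant(old: str, new: str, threshold: float = 0.75) -> bool:
    """True when the new password is derived from the old one by a simple
    pattern. The threshold is an assumed policy value, not a standard."""
    if old == new:
        return True
    stem = _stem(old)
    if stem and stem == _stem(new):
        return True  # same stem; only the suffix or the case changed
    return similarity(old, new) >= threshold


def audit(changes):
    """Return (old, new, flagged) for each proposed change; flagged means the
    policy should reject it and ask for an unrelated password."""
    return [(old, new, is_trivial_variant(old, new)) for old, new in changes]


if __name__ == "__main__":
    for old, new, flagged in audit(SAMPLE_CHANGES):
        verdict = "REJECT (pattern)" if flagged else "accept"
        print(f"{old!r} -> {new!r}: {verdict}")
```

In practice this check runs only at the moment of the change, when the system briefly has both the old and the new password in memory; it never requires storing passwords in a recoverable form, which is the reason such a comparison cannot be done retroactively against a stored hash.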
Speaking of motivation, if attackers manage to break into your social media account, they might spend some time browsing through your photos and private conversations. If a hacker obtains your login details for, say, your bank account, however, they'll be much more eager to get in and siphon money away before you can do anything about it. In such cases, having a password changing schedule doesn't help that much.
This is exactly what causes the controversy. Years ago, the Internet was a different place, and the hackers' goals when compromising systems and users were also different. Back then, stealth was the name of the game, whereas right now, this is rarely the case. This is why experts, companies, and institutions have had a change of heart when it comes to their opinion on frequent password changes.
In 2009, Cormac Herley, a principal researcher at Microsoft Research, said that regularly changing passwords "amplifies the burden for little gain." A year later, cryptographer and computer security expert Bruce Schneier also spoke out against strict password-changing policies. More recently, the UK's National Cyber Security Centre issued its Password Guidance, which also says that "regular password changing harms rather than improves security."
So, the experts have spoken: Stop changing your passwords every few months. Well, once again, there's a bit more to it than that.
If you use weak passwords, you should change them immediately. If you think that one of your passwords might have been compromised, you should change it immediately. What the experts aren't convinced about is changing passwords that are not under immediate threat. They reckon that the hassle of doing it leads to easy-to-guess patterns and password reuse. And they do have a point.
You can probably create and remember a relatively long and complicated password. Several weeks later, you should have no problems swapping it for another relatively long and complicated password, and although it will be a bit of a struggle remembering it, you'll probably manage. This is the effort for just one account, however, and chances are, you have tens or even hundreds of different accounts. If they are to remain secure, each of them will need its own password that's both strong and unique. Human beings simply aren't capable of creating and remembering so many passwords. And yet, as we've established already, updating passwords can save you under the right circumstances. This is where Cyclonis Password Manager comes in.
The Password Analyzer, the first feature you see when you log into your account, checks the time elapsed since you've created or entered each and every one of your passwords into your personal vault and brings to your attention the ones that have been there for a while. There's a handy Go to site button that lets you directly log into the account with the old password. Once you're in, you can use Cyclonis Password Manager's built-in Password Generator to create a new one that will be unique and impossible to guess. The generator lets you create a password that's strong, and, crucially, is not related in any way to your old one. When you're done with the change, Cyclonis Password Manager's browser extension will ask you if you would like to save the new data in your vault, and clicking the Update button completes the process. It's as simple as that.
In other words, the hassle of having to create tens of unique passwords every few weeks is gone. At the same time, the benefits of having fresh passwords that are strong and impossible to guess are there. So, this brings us back to the original question – Should you regularly update your passwords?
Doing it can't guarantee that you'll be 100% safe. Nothing can. When a data breach happens, there are a number of things that come into play and determine whether or not your account will be compromised. These include how motivated the hacker is, how the vendor stores your password, and what security precautions it has in place. Whether or not your password has recently been changed might not necessarily be among the factors. When you have the convenience of a tool that significantly reduces the time and effort needed to change the old passwords for strong new ones, however, it makes sense to update them every once in a while.