Password Security: Are Frequent Password Changes Necessary?
Passwords are the bane of computer users’ existence. There are only a few things more irritating than being stopped in your online tracks because you forgot your password. Then you have to take more time out of your lunch break to set up a new one so you can finally get on with what you were doing. Everyone who has been online can feel the pain.
Passwords, What Are They Good For?
Oh, how the world has changed, my friend! Passwords, it turns out, might not be as good as they’re cracked up to be. It all depends on you, the computer-savvy password maker. Unique, strong passwords are worth their salt, even without two-factor authentication to back them up.
Conventional wisdom would have us think that strong passwords should have a mix of digits, special characters, and letters. According to Wired.com, this isn’t always the case. Expert Mark Burnett stated that “Usually all it takes is a password just two characters longer to make up for a lack of other types of characters such as upper-case, numbers, or symbols”. Passwords of at least twelve, and up to fifteen, characters in length are recommended if the password is not machine-generated.
Until a better way to do things comes along, passwords will be a part of our daily lives. Debates continue to rage over whether password complexity or length is better. Many organizations, including the FBI, are betting on length.
The U.S. Department of Commerce’s National Institute of Standards and Technology recommends that “everyone…use longer passwords or passphrases of 15 or more characters without requiring uppercase, lowercase, or special characters. Only require password changes when there is a reason to believe your network has been compromised”.
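The contrast between composition rules with scheduled expiry and the length-first guidance quoted above, as an added example (not code from NIST or from this article). The function names, the sample passwords, and the small compromised-password set are constructed for illustration; screening against such a set is an assumption that goes beyond what the article quotes.

```python
import re
from datetime import date, timedelta
from typing import List, Optional

# Constructed sample of known-compromised passwords (assumption: a real
# deployment would consult a breach corpus instead of this three-item set).
KNOWN_COMPROMISED = {"password1!", "qwerty123456789", "letmein"}

def legacy_policy(pw: str) -> List[str]:
    """Composition-style rules: 8+ chars with upper, lower, digit and symbol."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    for name, pattern in (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
                          ("digit", r"\d"), ("symbol", r"[^A-Za-z0-9]")):
        if not re.search(pattern, pw):
            problems.append(f"missing {name}")
    return problems

def length_policy(pw: str, min_len: int = 15) -> List[str]:
    """Length-first rules: 15+ chars, no composition requirement."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if pw.lower() in KNOWN_COMPROMISED:
        problems.append("appears in compromised-password list")
    return problems

def change_required(last_changed: date, today: date, compromise_suspected: bool,
                    max_age_days: Optional[int] = None) -> bool:
    """max_age_days=90 models scheduled expiry; None means change only on compromise."""
    expired = (max_age_days is not None
               and today - last_changed > timedelta(days=max_age_days))
    return compromise_suspected or expired

if __name__ == "__main__":
    # Constructed sample passwords: one short but "complex", one long passphrase.
    for pw in ("Password1!", "correct horse battery staple"):
        print(repr(pw), "| legacy:", legacy_policy(pw) or "OK",
              "| length-first:", length_policy(pw) or "OK")
```

The composition rules accept the short, predictable password and reject the long passphrase, while the length-first check does the opposite.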
The Benefits of Machine Managers
Let your computer take the headache out of password creation. Password managers are relatively safe alternatives to creating passwords yourself. Depending on the person, letting a password manager take over for you might be the best way to protect your accounts. Computer purists who swear by the old-school edict of changing passwords frequently are in for a rude awakening.
The Better Business Bureau spearheaded National Password Day until March 15, 2019. As of this writing, that wasn’t too long ago. The Bureau was encouraging computer users to “keep a paper list of your passwords in a safe place, not on or near your computer” as recently as January 2020. To give them credit, at least they now recommend that passwords should be “long and strong”.
One of the many reasons that changing passwords frequently and without cause is a bad idea is humans’ love of shortcuts. Anytime humans are forced to do something monotonous on a regular basis, they find a way to simplify the task. Shortcuts are not good when it comes to password security.
Human memory, or the lack thereof, is the next best reason for putting a limit on the password changing. We just can’t keep track of them. This leads us to more drastic displays of difficulty such as writing all our passwords on a sticky note that we keep on our monitor. Oh wait, I forgot, what’s a monitor?
Which brings us to the 21st century, in which most people use mobile devices. Those devices also store our passwords…in the cloud. Our accounts are seamless across multiple devices that all know our passwords. Password managers are still a viable option for those who want extra security.
Having a unique password that is not shared among multiple accounts is still prudent. What trumps even an excellent password is that same password coupled with the two-factor authentication mentioned at the beginning of this article. Two-factor authentication (2FA), according to Dan Rafter for us.norton.com, is important because “with two-factor authentication enabled…you get an extra layer of security that cyberthieves can’t easily access, because the criminal needs more than just your username and password credentials”.
Banks and larger institutions are using two-factor authentication, but what do you do when it’s not available? Is your information secure with just your password? This is when machine-generated passwords can make all the difference. Password managers such as LastPass and 1Password, or even Apple’s password generator, are good ways to add a layer of security to your accounts.
One recommendation that has remained constant with regard to password changes is to change your password if you suspect your account has been breached. This is essential. It will hopefully limit the criminal activity in your account to a small time frame. Contact us for more information on how to increase protection for your online presence.
Eric is a Business IT cybersecurity advisor, consultant, manager, integrator, and protector who founded EVERNET in 2007. Eric co-hosts a podcast called “Finance and Technology Insights by Brian & Eric” on YouTube. Eric is a regular contributor to the EVERNET blog, writing about the latest technology news and providing his expertise in cyber security prevention and management.