How Frequently Should You Change Your Passwords?
Phil Muncaster, the guest writer at ESET, probes whether that is the right question to ask and suggests what else you should consider when it comes to keeping your accounts safe.
Much has been made over the past few years about the growing potential in passwordless authentication and passkeys. Thanks to the near-ubiquity of smartphone-based facial recognition, the ability to log into your favourite apps or other services by looking into your device (or another method of biometric authentication, for that matter) is now a refreshingly simple and secure reality for many. But it’s still not the norm, especially across the desktop world, with many of us still relying on good ol’ passwords.
This is where the challenge lies – because passwords remain a major target for fraudsters and other threat actors. So how often should we change these credentials in order to keep them secure? Answering this question may be trickier than you think.
Why password changes may not make sense
Until not too long ago, it was recommended to regularly rotate passwords in order to mitigate the risk of covert theft or cracking by cybercriminals. The received wisdom was anywhere between 30 and 90 days.
However, the times they are a-changing and research suggests that frequent password changes, especially on a set schedule, may not necessarily improve account security. In other words, there isn’t a one-size-fits-all answer to when you should change your password(s). Also, many of us have too many online accounts to comfortably keep track of, let alone come up with (strong and unique) passwords for each of them every few months. Also, we now live in a world of password managers and two-factor authentication (2FA) almost everywhere.
The former means it is easier to store and recall long, strong and unique passwords for every account. The latter adds a fairly seamless extra layer of security onto the password login process. Some password managers now have dark web monitoring built in to automatically flag when credentials may have been breached and circulated on underground sites.
At any rate, there are some compelling reasons why security experts and globally respected authorities, such as the US National Institute of Standards and Technology (NIST) and the UK’s National Cyber Security Centre (NCSC), do not recommend that people are forced to change their passwords every few months unless certain criteria have been met.
The rationale is fairly simple:
- According to NIST: “Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future”.
- “When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password,” NIST continues.
- This practice provides a false sense of security because if a previous password has been compromised and you don’t replace it with a strong and unique one, the attackers may easily be able to crack it again.
- New passwords, especially if created every few months, are also more likely to be written down and/or forgotten, according to the NCSC.
“It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn’t, it turns out, stand up to a rigorous, whole-system analysis,” the NCSC argues.
“The NCSC now recommend organizations do not force regular password expiry. We believe this reduces the vulnerabilities associated with regularly expiring passwords while doing little to increase the risk of long-term password exploitation.”
When to change your password
However, there are several scenarios that necessitate a password change, especially for your most important accounts. These include:
- Your password has been caught in a third-party data breach. You will likely be informed about this by the provider themselves, or you may have signed up for such alerts on services such as Have I Been Pwned, or you might be notified by your password manager provider running automated checks on the dark web.
- Your password is weak and easy-to-guess or crack (i.e., it may have appeared on a list of most common passwords). Hackers can use tools to try common passwords across multiple accounts in the hope that one of them works – and more often than not, they succeed.
- You have been reusing the password across multiple accounts. If any one of these accounts is breached, threat actors could use automated “credential stuffing” software to open your account on other sites/apps.
- You have just learned, for example thanks to your new security software, that your device was compromised by malware.
- You have shared your password with another person.
- You have just removed people from a shared account (e.g., former housemates).
- You have logged in on a public computer (e.g., in a library) or on another person’s device/computer.
Best practice password advice
Consider the following in order to minimize the chances of account takeover:
- Always use strong, long and unique passwords.
- Store the above in a password manager which will have a single master credential to access and can automatically recall all of your passwords to any site or app.
- Keep an eye on breached password alerts and take immediate action after receiving them.
- Switch on 2FA whenever it is available to provide an additional layer of security to your account.
- Consider enabling passkeys when offered for seamless secure access to your accounts using your phone.
- Consider regular password audits: review passwords for all of your accounts and ensure they are not duplicated or easy to guess. Change any that are weak or repeated, or ones that may contain personal information like birthdays or family pets.
- Don’t save your passwords in the browser, even if it seems like a good idea. That’s because browsers are a popular target for threat actors, who could use info-stealing malware to capture your passwords. It would also expose your saved passwords to anyone else using your device/computer.
If you don’t use the random, strong passwords suggested by your password manager (or ESET’s password generator), consult this list of tips from the US Cybersecurity and Infrastructure Security Agency (CISA). It suggests using the longest password or passphrase permissible (8-64 characters) where possible, and including upper- and lower-case letters, numbers and special characters.
In time, it is hoped that passkeys – with the support of Google, Apple, Microsoft and other major tech ecosystem players – will finally signal an end to the password era. But in the meantime, ensure your accounts are as secure as possible.