And is it really the right question to ask? Here’s what else you should consider when it comes to protecting your accounts.
03 April 2024
There has been a lot of talk in recent years about the growing potential of passwordless authentication and passkeys. Thanks to the near-ubiquity of smartphone-based facial recognition, logging into your favorite apps and services by looking at your device (or by using another biometric method, for that matter) is now a refreshingly simple and secure reality for many. But it is still not the norm, especially in the desktop world, where many of us still rely on good old passwords.
This is where the challenge lies, because passwords remain a major target for scammers and other threat actors. So how often should we change these credentials to keep them secure? Answering this question might be trickier than you think.
Why scheduled password changes may not make sense
Not long ago, it was standard advice to rotate passwords regularly to limit the damage from theft or covert cracking by cybercriminals. Received wisdom was every 30 to 90 days.
However, times are changing, and research suggests that frequent password changes, especially on a fixed schedule, do not necessarily improve account security. In other words, there is no one-size-fits-all answer to when you should change your passwords. Many of us have more online accounts than we can comfortably keep track of, let alone invent strong, unique passwords for each of them every few months. Furthermore, we now live in a world where password managers and two-factor authentication (2FA) are available almost everywhere.
The former means it’s easier to store and recall long, complex, and unique passwords for each account. The latter adds a fairly seamless additional layer of security to the password login process. Some password managers now have built-in dark web monitoring to automatically report when credentials may have been compromised and spread to underground sites.
In any case, there are compelling reasons why security experts and globally respected authorities, such as the United States' National Institute of Standards and Technology (NIST) and the United Kingdom's National Cyber Security Centre (NCSC), no longer recommend forcing people to change their passwords every few months unless specific criteria have been met.
The logic is quite simple:
- According to NIST: “Users tend to choose the weakest stored secrets when they know they will have to change them in the near future.”
- “When these changes occur, they often select a secret similar to the old stored secret by applying a series of common transformations such as increasing a number in the password,” NIST continues.
- This practice provides a false sense of security: if the previous password has been compromised and the replacement is only a small variation of it rather than a strong, unique one, an attacker who knows the old password can recover the new one in a handful of guesses.
- According to the NCSC, new passwords, especially if created every few months, are also more likely to be written down and/or forgotten.
“It’s one of those counterintuitive security scenarios; the more often users are forced to change passwords, the greater their overall vulnerability to attack. What appeared to be perfectly sensible, long-established advice apparently does not stand up to a rigorous system-wide analysis,” the NCSC argues.
“The NCSC now recommends that organizations do not force passwords to expire on a regular basis. We believe this reduces the vulnerabilities associated with regularly expiring passwords, while doing little to increase the risk of long-term password exploitation.”
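The transformation problem NIST and the NCSC describe is easy to make concrete. The following is an added example, not code from the original article, ESET, NIST or the NCSC: it enumerates the handful of edits people typically make when forced to rotate a password (increment the trailing number, bump a suffix, change case) and counts how many guesses an attacker holding a leaked old password needs to hit the "new" one. The leaked password "Summer2023!" and its successors are constructed for the example, and SHA-256 stands in for whatever hash the target system uses.

```python
"""Why a rotated password that is a small edit of the old one buys nothing.

Added example (not the article's code). Given a leaked old password, generate the
successors a cracking rule set would try first, and check whether a candidate new
password is one of them. SHA-256 is a stand-in for the target's hash function.
"""
import hashlib
import re


def successor_candidates(old: str) -> list:
    """Return likely 'rotated' successors of `old`, in the order an attacker would try them."""
    cands = []

    def add(c):
        if c != old and c not in cands:
            cands.append(c)

    # 1. Increment a number near the end: "Summer2023!" -> "Summer2024!", "Summer2025!", ...
    m = re.search(r"(\d+)(\D*)$", old)
    if m:
        num, tail = m.group(1), m.group(2)
        for delta in range(1, 4):
            add(old[: m.start(1)] + str(int(num) + delta).zfill(len(num)) + tail)
    # 2. Append one more symbol or digit to the existing password.
    for s in ("!", "1", "!!", "12", "#"):
        add(old + s)
    # 3. Strip trailing digits/symbols and re-append common suffixes: "Summer" + "123", "2025", ...
    stem = re.sub(r"[\W\d_]+$", "", old)
    for s in ("!", "1", "123", "2024", "2025", "!1", "@1"):
        add(stem + s)
    # 4. Case changes.
    for c in (old.upper(), old.lower(), old.capitalize(), old.swapcase()):
        add(c)
    return cands


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def guesses_to_recover(old_leaked: str, new_hash: str):
    """Guesses needed to recover the new password from the leaked old one, or None."""
    for i, cand in enumerate(successor_candidates(old_leaked), start=1):
        if sha256_hex(cand) == new_hash:
            return i
    return None


def is_trivial_rotation(old: str, new: str) -> bool:
    """A password-change policy check: reject `new` if it is a trivial edit of `old`."""
    return new in successor_candidates(old)


if __name__ == "__main__":
    leaked = "Summer2023!"  # constructed: the previously compromised password
    for new in ("Summer2024!", "SUMMER2023!", "Summer123", "correct-horse-battery-staple"):
        print(f"{new!r}: guesses needed = {guesses_to_recover(leaked, sha256_hex(new))}")
```

The list of candidates is a few dozen entries, so even a slow hash such as bcrypt or Argon2 does not help: the cost of eighteen guesses is negligible, which is exactly why the NCSC calls scheduled expiry counterproductive. The same `is_trivial_rotation` check, run at change time when the user has just supplied both passwords, is how a service can refuse the "+1" rotation instead of mandating it.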
When to change your password
However, there are several scenarios that do call for a password change, especially on your more important accounts. These include:
- Your password was exposed in a third-party data breach. You will likely be notified by the provider itself, by a breach-alert service such as Have I Been Pwned if you have signed up for it, or by your password manager if it runs automated dark web checks.
- Your password is weak and easy to guess or crack (for example, it appears in a list of common passwords). Attackers use tools that try such lists against many accounts at once in the hope that some will work, and they frequently succeed.
- You reused your password across multiple accounts. If any of these accounts are compromised, threat actors could use automated “credential stuffing” software to open your account on other sites/apps.
- You have just learned, for example thanks to your new security software, that your device has been compromised by malware. Change the affected passwords from a device you know to be clean; otherwise the malware can capture the new ones too.
- You shared your password with another person.
- You just removed people from a shared account (for example, former roommates).
- You logged in on a public computer (for example, in a library) or on another person's device. Change the password once you are back on your own device.
Advice on password best practices
Consider the following to minimize the chances of account theft:
- Always use complex, long and unique passwords.
- Keep them in a password manager, which needs only a single master credential to unlock and can fill in your passwords automatically on any site or app.
- Keep an eye out for password breach alerts and take action immediately upon receiving them.
- Enable 2FA whenever it’s available to provide an extra layer of security to your account.
- Consider enabling passkeys when they are offered for secure, seamless access to your accounts using your phone.
- Consider regular password checks: review the passwords for all your accounts and make sure none are duplicates or easy to guess. Replace any that are weak or reused, or that contain personal information such as birthdays or pet names.
- Don’t save passwords in your browser, even if it seems like a good idea. That’s because browsers are a popular target for threat actors, who may use information-stealing malware to capture your passwords. It would also expose your saved passwords to anyone else using your device/computer.
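Three of the "when to change" triggers above (a breach, a weak or common password, and reuse across accounts) and the regular password check recommended here can be automated against a local vault export. The following is an added example, not code from the original article, ESET, or Have I Been Pwned. The breach lookup follows the Pwned Passwords "range" protocol, in which only the first five hex characters of the password's SHA-1 leave the machine and the service returns every known suffix for that prefix; the network call is replaced by a constructed offline stand-in with made-up breach counts so the code runs without internet access, and the sample vault is likewise constructed.

```python
"""Audit a password vault: k-anonymity breach check plus reuse detection.

Added example (not the article's, ESET's or HIBP's code). `fetch_range_offline` is a
constructed stand-in for the Pwned Passwords range endpoint; `fetch_range_online`
shows the real call but is not exercised here.
"""
import hashlib
import urllib.request
from collections import defaultdict


def _sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the breach corpus: a few passwords with made-up counts.
_FAKE_BREACH_DB = {"password": 9_000_000, "123456": 40_000_000, "Summer2023!": 120}


def fetch_range_offline(prefix: str) -> str:
    """Return 'SUFFIX:COUNT' lines for every fake entry whose SHA-1 starts with `prefix`."""
    lines = []
    for pw, count in _FAKE_BREACH_DB.items():
        h = _sha1_upper(pw)
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{count}")
    # Real responses carry hundreds of unrelated suffixes; one filler line stands in for them.
    lines.append("0" * 34 + "F:1")
    return "\r\n".join(lines)


def fetch_range_online(prefix: str) -> str:
    """Real lookup against api.pwnedpasswords.com (sends only the 5-character prefix)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "vault-audit-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range=fetch_range_offline) -> int:
    """How many times `password` appears in the breach corpus (0 if not seen).

    The full hash never leaves the machine: the suffix match is done locally.
    """
    full = _sha1_upper(password)
    prefix, suffix = full[:5], full[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        sfx, _, count = line.partition(":")
        if sfx == suffix:
            return int(count)
    return 0


def find_reuse(vault):
    """vault: iterable of (account, password). Return {password: [accounts]} for reused ones."""
    by_pw = defaultdict(list)
    for account, pw in vault:
        by_pw[pw].append(account)
    return {pw: accts for pw, accts in by_pw.items() if len(accts) > 1}


def audit_vault(vault, fetch_range=fetch_range_offline):
    """Return (account, reason) pairs for every entry that warrants a password change."""
    findings = []
    reused = find_reuse(vault)
    for account, pw in vault:
        n = pwned_count(pw, fetch_range)
        if n:
            findings.append((account, f"seen {n} times in breach data"))
        if pw in reused:
            others = [a for a in reused[pw] if a != account]
            findings.append((account, f"reused on {', '.join(others)}"))
    return findings


SAMPLE_VAULT = [  # constructed vault export
    ("bank", "Summer2023!"),
    ("email", "Tq7#vL2m!pR9xWz4"),
    ("forum", "password"),
    ("shop", "Tq7#vL2m!pR9xWz4"),
]

if __name__ == "__main__":
    for account, reason in audit_vault(SAMPLE_VAULT):
        print(f"{account}: {reason}")
```

To run it against the live service, pass `fetch_range=fetch_range_online`; the privacy property is the same either way, since the server sees only a five-character prefix shared by hundreds of other passwords. A strong, unique password that has never been breached produces no finding, which is the point: it needs no scheduled rotation.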
If you're not using the random, strong passwords suggested by your password manager (or ESET's password generator), check out this list of suggestions from the US Cybersecurity and Infrastructure Security Agency (CISA). We recommend using the longest password or passphrase the service allows (at least 8 and up to 64 characters) where possible, including uppercase and lowercase letters, numbers and special characters.
In time, it is hoped that passkeys – with support from Google, Apple, Microsoft and other major players in the technology ecosystem – will finally signal the end of the password era. But in the meantime, make sure your accounts are as secure as possible.