Since the beginning of time, security experts have been telling you to change your password periodically. And they’re right. It’s a reasonable precaution if you’re a company with 1,000 employees trying to mitigate every risk possible. But as a regular user, changing all your passwords every month, without a serious reason, is tricky and doesn’t enhance your security. Actually, it makes things worse. Here’s why:
Changing all your passwords every month is impractical. An employee has one, maybe two passwords to manage but an average user has 100 online accounts, each with its own password. That includes e-mail accounts, social media accounts, online shopping accounts and many others. Also, you probably have smart devices in your home that need a password. It’s unlikely you have the time or will to change all your passwords on a monthly basis. Moreover, all those passwords must be unique for each account, each month, you can’t repeat yourself and you’re supposed to remember them all. Which brings us to the next delicate problem.
Changing your passwords every month is useless, if all your passwords are weak. A 10-character password made up of only numbers can be brute-forced instantly. On the other hand, a 10-character password that uses numbers, upper- and lower-case letters and symbols, requires five years to crack, and an 11-character password, following the same pattern, requires 400 years to crack. That’s why, when choosing a password, longer is always better, and every extra character makes a big difference. But that’s not all: while names, phone numbers and dates of birth are easy to remember, try not to include them as they’re also easy to guess. Reusing an old password is convenient, except it’s dangerous because it might have been leaked in the past. Finally,if you use the same password for more than one account, come prepared: if one of those accounts is hacked, an attacker can take over all your accounts.
Changing your passwords every month is not enough. Even with the strongest password, accidents can still happen: your password leaks in a data breach, you get infected with password-stealing malware or you’re targeted by a phishing attack. If that’s the case, a password can’t help you. However, by adding multi-factor authentication (MFA) to your account, you can reject an attack 99.9% of the time. MFA consists of supplementing your password with another form of authentication, like a code generated on your phone, or a physical USB key, so that even if your password is compromised an attacker still can’t access your account.
Changing your passwords every month can be dangerous, because it gives you a false sense of security. Passwords are used by real people, not by theoretical models, and when real people need to change their passwords monthly, they look for shortcuts. They reuse old passwords, choose weaker passwords or create passwords they can remember easily. By trying to make their passwords better, they inadvertently make them worse.
In conclusion, instead of changing your passwords every month, it’s more important to use strong, unique passwords in a multi-factor authentication regime, and only change them when necessary.
A password manager can help you organize everything, because it generates randomized passwords for all your accounts, keeps them secure, fills in your passwords for you and saves you from having to memorize everything.
When should you change your password immediately?
- If it’s a default password. Always replace default passwords with strong, unique, randomized passwords. A password manager can help.
- If you know your old password is weak, or if you know it’s a password you’ve reused on multiple accounts.
- If your account has been involved in a data leak. Generally, you’re notified. But, to be on the safe side, use Digital Identity Protection, a service that alerts you in real time if any of your accounts have been breached.
- If you’ve been recently infected with malware.
- If you notice unusual behavior regarding your accounts or if you have reason to believe your password was exposed