Today I did some interesting research into whether changing your passwords every year, quarter or month really increases security, or whether that belief is more myth than fact. I started my search expecting to find supporting reasons why so many companies mandate frequent password changes, but came away rather surprised by the results. What does the research show?
The strongest password is a single-use password, which is valid for only one login and then no longer works (these are typically generated by a key fob or other issued device that provides you with a code for the system you are accessing). So, in order to have the best security, you should change your password after the first time you use it!
As that is rather unlikely for the average user, how often you should change your password depends on:
- How strong the password is: can it be easily guessed? Is it an English word?
- What method is being used to communicate the password to the authentication system: a local computer vs. open Panera Bread wifi over unsecured HTTP
- How sensitive the information is that the password protects: bank account information vs. your music collection
Therefore, some may argue that you should change your password monthly, quarterly, yearly, never, etc.; however, the statement above still holds: the strongest password security is a password that is valid for only one use and is then discarded.
The belief that merely changing passwords monthly, quarterly or yearly will result in stronger security is a myth because:
- Hackers will exploit a password immediately once it is cracked, not wait six months to use it. Therefore, the damage has already occurred by the time a password change is required.
- Users in a 'forced update' environment tend to create password patterns, making passwords easier to guess (e.g. Password1, Password2, Password3, etc.).
- Users also tend to write down frequently changed passwords on a Post-it or in another insecure location, making passwords easier to leak or discover physically.
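A defender-side counterpart to the second point above, added here as an example (not code from the original post): a password-change check that rejects the "Password1 to Password2" style of increment. The function names, the similarity threshold and the sample passwords are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed example: reject new passwords that are predictable
# variations of a previous one. The 0.8 threshold is an assumption.

def normalize(pw: str) -> str:
    """Lowercase and strip a trailing run of digits/punctuation so that
    'Password1' and 'Password2!' compare as the same stem 'password'."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())

def is_rotation_pattern(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when `new` is a predictable edit of `old`: identical ignoring
    case, same stem with a different counter/suffix, or only a character
    or two changed (e.g. Password1 -> Passw0rd1)."""
    if not old or not new:
        return False
    if new.lower() == old.lower():
        return True
    stem = normalize(old)
    if stem and stem == normalize(new):
        return True
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= threshold

def reject_weak_rotation(history, new):
    """Return a rejection reason if `new` is a predictable variation of
    any password in `history`, otherwise None (accept)."""
    for old in history:
        if is_rotation_pattern(old, new):
            return "too similar to a previous password"
    return None

if __name__ == "__main__":
    # Constructed sample history; a real system compares against hashes
    # of recent passwords at change time rather than storing plaintext.
    history = ["Password1", "Summer2023"]
    for candidate in ["Password2", "Summer2024", "hunter-green-lantern-42"]:
        print(candidate, "->", reject_weak_rotation(history, candidate) or "accepted")
```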
REGARDLESS! You should always verify that you are using a strong password that is difficult to crack or guess. (According to this, my latest password will take 'a trillion years' for a desktop computer to crack.)
Sources:
- Security Myths and Passwords, Gene Spafford, Purdue University
- Study: Frequent password changes are useless, Christopher Null, Yahoo! News
- Myths about Password Strength, Dr. Eugene Schultz, Emagined Security CTO
- The Only Secure Password Is The One You Can't Remember, Troy Hunt, Lifehacker