In the past, experts used to warn people to change their “strong, unique” passwords frequently. However, in recent years, the “techxperts” have changed their tune and call that an outdated way of thinking.
As PCMag reports, when the National Institute of Standards and Technology (NIST) issued Digital Identity Guidelines in 2017, they used a lot of science-talk to discuss information security standards and “memorized secrets”—its term for passwords, passphrases, and personal identification numbers (PINs). Its conclusion: “Do not require that [passwords] be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise.”
The NIST report also included an appendix about the Strength of Memorized Secrets, which discusses how it’s almost impossible for people to memorize passwords if they have forced “composition rules,” such as including a symbol, an uppercase letter, a numeral, etc.
“The benefit of such rules is not nearly as significant as initially thought, although the impact on usability and memorability is severe,” NIST said. The length of a memorized secret is more important than complexity. Yet so many services reject extra-long passphrases. (NIST says people should be allowed up to 64 characters.)
Nothing beats memorization for security, but after a couple of years online, you could have hundreds of passwords to keep in your brain. That way lies madness. Ultimately, the best advice for anyone dealing with password security is to use a password manager so you only have to remember one master password/phrase.
NIST agrees; its 2024 update to the Digital Identity Guidelines recommends password managers and has other suggestions for services and organizations that require passwords. Those include enabling “show password,” since it’s highly unlikely anyone is hovering behind you to write it down and it reduces typing mistakes; locking out users after multiple failed attempts; monitoring for the use of dumb, over-used passwords; and employing multi-factor authentication.
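To make the guidance above concrete, here is an added example (not from the article, NIST, or PCMag) of how a service could implement it: a password check with a minimum length, room for long passphrases, no composition rules, a blocklist of over-used passwords, and a lockout after repeated failed sign-ins. The blocklist entries, the lockout threshold of five attempts, and the PBKDF2 storage scheme are assumptions for the example; the article only says to lock out after “multiple” failures and to monitor for common passwords.

```python
"""Added example: a NIST-style password policy and lockout check.

Enforces length rather than composition, screens a (constructed) blocklist,
stores a salted PBKDF2 hash, and locks an account after repeated failures.
"""
import hashlib
import hmac
import os
import unicodedata
from collections import defaultdict

MIN_LENGTH = 8            # NIST minimum for user-chosen memorized secrets
MAX_LENGTH = 64           # services must allow at least 64; a cap this low is the floor
MAX_FAILED_ATTEMPTS = 5   # assumed lockout threshold; the article gives no number
PBKDF2_ROUNDS = 100_000   # assumed work factor for the stored hash

# Constructed blocklist standing in for a real "commonly used / breached" list.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1"}


def normalize(secret: str) -> str:
    """NFKC-normalize so visually identical Unicode input compares equally."""
    return unicodedata.normalize("NFKC", secret)


def check_password(secret: str) -> list[str]:
    """Return the reasons a candidate password is rejected (empty = accepted).

    Deliberately has no 'must contain a digit / symbol / uppercase' rule:
    length and a blocklist check replace composition rules.
    """
    s = normalize(secret)
    problems = []
    if len(s) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Case-insensitive match so "Password" does not slip past "password".
    if s.lower() in BLOCKLIST:
        problems.append("appears on the blocklist of over-used passwords")
    return problems


def hash_password(secret: str) -> str:
    """Store a random salt and a PBKDF2-HMAC-SHA256 digest as 'salt$digest'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(secret).encode(), salt, PBKDF2_ROUNDS
    )
    return salt.hex() + "$" + digest.hex()


def verify(secret: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(secret).encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


class LoginGuard:
    """Tracks failed sign-ins per account and locks after a threshold."""

    def __init__(self, threshold: int = MAX_FAILED_ATTEMPTS):
        self.threshold = threshold
        self.failures = defaultdict(int)

    def is_locked(self, user: str) -> bool:
        return self.failures[user] >= self.threshold

    def attempt(self, user: str, supplied: str, stored_hash: str) -> str:
        """Return 'ok', 'rejected', or 'locked'. A locked account stays locked
        even when the correct password is supplied, until an admin resets it."""
        if self.is_locked(user):
            return "locked"
        if verify(supplied, stored_hash):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "locked" if self.is_locked(user) else "rejected"


if __name__ == "__main__":
    print(check_password("correct horse battery staple"))  # [] -> accepted
    print(check_password("Password"))                      # blocklisted
    stored = hash_password("correct horse battery staple")
    guard = LoginGuard(threshold=3)
    for guess in ("wrong1", "wrong2", "wrong3", "correct horse battery staple"):
        print(guess, "->", guard.attempt("alice", guess, stored))
```

The only checks that reject a candidate are length and the blocklist; a 30-character all-lowercase passphrase passes, which is exactly the trade-off the article describes. The lockout counter is per account and resets only on a successful sign-in before the threshold is reached.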
How Often Should You Really Change Passwords?
That standard advice of changing your password every few months to a year is ingrained in most articles on the subject. A Google search on “how often should I change my password” returns a first result reading “every three months.” Most sites and articles say the same, with a few exceptions. And Feb. 1 is Change Your Password Day!
If you don’t follow those guidelines, the experts say you can stop feeling guilty about it. Tech experts have been saying for years to quit making regular password changes. It’s time we listened. As long as your password is already reasonably strong and unique to every site and service, changing it frequently is not much help to you.
Unless it’s compromised in a data breach, of course, then change it immediately.
This isn’t going to stop certain entities from forcing you to change your password. Your boss or bank may take some persuading to cease showing that dreaded “Please enter a new password to continue” message every few months. They probably won’t let you re-use a password either, even if it was the strongest you’d ever created. They’re probably also going to continue to limit size and require special characters. Sorry.
But if you have a really good password for a service or account, you can probably keep it for life (or until there’s a breach). Just ensure it’s long, strong, and unique to the service.
—
Photo Credit: Tero Vesalainen / Shutterstock.com