How often should you change your password? Lately I get asked that question a lot, usually by people annoyed at their employer’s or bank’s password expiration policy. Lots of organizations require mandatory password changes because it’s long been considered a security “best practice.” However, there are pros and cons to that rule, so before you decide if you need to regularly change your other passwords, let’s take a look at the times when changing your password often makes sense—and when it doesn’t.
For years the standard advice from IT departments and security guides has been to change your Internet passwords at least once every three months; that is where the 90-day expiration policy comes from. Rotating every password every three to six months is a time-consuming task, and it does not guarantee anything by itself: all it does is shorten the window during which an already-leaked password stays usable. Current guidance has moved away from it. NIST SP 800-63B recommends against forcing periodic password changes and instead requires a change when there is evidence the password has been compromised. Rotation is also not the only precaution that matters for your login information. Whether you bank on-line or just send a few emails, strong, unique passwords are essential, and they have to stay private. A password on a sticky note next to the computer is a quick way for anyone who walks past to get into every part of your on-line life; if you cannot remember your passwords, either keep the written list somewhere physically secure or, better, use a password manager that generates and stores random passwords for you.
The downside of changing passwords is that it makes them harder to remember. And if you force people to change their passwords regularly, they’re more likely to choose easy-to-remember or easy-to-guess passwords than they are if they can use the same passwords for many years. So any password-changing policy needs to be chosen with that consideration in mind.
If an attacker gets your password, whether by guessing or by stealing it, he can use your account for as long as that password stays valid. If you have to change it every quarter, a stolen password is worth at most 90 days to him (45 on average, if he obtained it at a random point in the cycle), which significantly limits its utility.
At least, that’s the traditional theory. It assumes a passive attacker, one who will eavesdrop over time without alerting you that he’s there. In many cases today, though, that assumption no longer holds. An attacker who gets the password to your bank account by guessing or stealing it isn’t going to eavesdrop. He’s going to transfer money out of your account — and then you’re going to notice. In this case, it doesn’t make a lot of sense to change your password regularly — but it’s vital to change it immediately after the fraud occurs.
- The longer the same password stays valid, the longer anyone who has already obtained it can keep using it, and the more chances it has to turn up in a breach dump in the meantime.
- Passwords should be at least eight characters long, preferably 14 or more. Length and randomness make a password harder to guess on-line or crack off-line; they do nothing against theft by phishing or malware, which is why a stolen password still has to be changed promptly no matter how strong it was.
- Never reuse a password across accounts, including ATM cards, credit cards and on-line access: a password leaked from one site is tried automatically against every other site (credential stuffing). Also avoid family or pet names, birthdays and other facts about you, because these are the first things a thief guesses.
- Keep your passwords secret. If you have difficulty remembering them, choose something you can recall but a thief cannot guess. Substituting characters in a common word, for example turning “mypassword” into “m^P@$$W0rd”, helps far less than it looks: password-cracking tools apply exactly these substitutions as rules, so the result is still a dictionary word to them. A long passphrase of several unrelated words, or a password manager that generates random passwords, is a better answer to the memory problem.
Check how strong your password is. You should always verify that you are using a password that is difficult to guess or crack, with two caveats. Never type a real password into a third-party website to test it; an estimate run locally gives the same answer without disclosing the password to anyone. And a crack-time estimate depends entirely on the attacker it assumes: “a thousand years” against a single desktop guessing on-line can be hours or minutes against a GPU rig attacking a leaked, unsalted password hash, and a pattern-based password can fall in seconds regardless of its length. (According to one such checker, my latest password will take “a thousand years” for a desktop computer to crack.)
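To make the three points above concrete (length matters, character substitutions do not, and a strength number is only as good as the attacker model behind it), here is a small offline strength estimator. It is an added example written for this page, not code from the original article or from any strength-checking site. It scores a password under three models and reports the weakest: the naive charset model most on-line meters use, a dictionary model that undoes the kind of substitutions in the “m^P@$$W0rd” example, and a passphrase model for space-separated words. The word list, the substitution table (including “^” for “y”, taken from the article’s own example), and the dictionary size, rule count and guess rates are all assumptions chosen for illustration, not measurements of any real tool.

```python
"""Offline password-strength estimate (added example, not from the original page).

Three models are scored and the weakest wins:
  1. charset model: len * log2(alphabet size), the number most strength meters show;
  2. dictionary model: a wordlist entry with leet substitutions or a digit/symbol suffix,
     which cracking rule sets undo automatically;
  3. passphrase model: N space-separated words drawn from a known word list.
Every attacker number below is an assumption for illustration, not a measurement.
"""
import math
import string

# Constructed stand-in for a leaked-password wordlist (real ones hold millions of entries).
WORDLIST = {"password", "mypassword", "letmein", "welcome", "monkey", "dragon", "qwerty"}

# Substitutions a rule-based cracker undoes. "^" -> "y" is here only because the
# article's example uses it; real rule sets carry thousands of mangling rules.
UNLEET = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o",
          "$": "s", "5": "s", "7": "t", "+": "t", "^": "y"}

DICT_SIZE = 14_000_000         # assumption: order of magnitude of a large leaked list
RULES = 10_000                 # assumption: mangling rules tried per dictionary word
PHRASE_LIST_SIZE = 7_776       # diceware-style word list (6^5 entries)
ONLINE_RATE = 100              # assumption: guesses/s against a rate-limited login form
OFFLINE_RATE = 10_000_000_000  # assumption: guesses/s against a fast unsalted hash on GPUs


def charset_size(pw: str) -> int:
    """Size of the smallest standard alphabet containing every character of pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    other = {c for c in pw if not (c.isalnum() or c in string.punctuation)}
    return size + len(other)  # spaces and other characters count once each


def charset_bits(pw: str) -> float:
    """Naive entropy: what a typical strength meter reports."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def unleet(s: str) -> str:
    """Reverse common substitutions and lower-case, as a cracking rule would."""
    return "".join(UNLEET.get(c, c) for c in s).lower()


def dictionary_base(pw: str):
    """Return the wordlist entry pw is derived from, or None.

    Suffixes are stripped before un-leeting so that "password123" becomes
    "password" instead of having its "1" and "3" turned into letters.
    """
    for candidate in (pw, pw.rstrip(string.digits), pw.rstrip(string.punctuation),
                      pw.rstrip(string.digits + string.punctuation)):
        base = unleet(candidate)
        if base in WORDLIST:
            return base
    return None


def passphrase_bits(pw: str):
    """Entropy if pw is N words picked uniformly from a PHRASE_LIST_SIZE list, else None."""
    words = pw.split()
    if len(words) >= 2 and all(w.isalpha() for w in words):
        return len(words) * math.log2(PHRASE_LIST_SIZE)
    return None


def assess(pw: str) -> dict:
    """Score pw under all three models and keep the weakest (most realistic) one."""
    naive = charset_bits(pw)
    effective = naive
    base = dictionary_base(pw)
    if base is not None:
        effective = min(effective, math.log2(DICT_SIZE * RULES))
    phrase = passphrase_bits(pw)
    if phrase is not None:
        effective = min(effective, phrase)
    expected_guesses = 2 ** effective / 2  # the attacker finds it halfway through on average
    return {
        "naive_bits": round(naive, 1),
        "effective_bits": round(effective, 1),
        "dictionary_base": base,
        "seconds_online": expected_guesses / ONLINE_RATE,
        "seconds_offline": expected_guesses / OFFLINE_RATE,
    }


def describe(seconds: float) -> str:
    """Human-readable duration for the report."""
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    for pw in ("mypassword", "m^P@$$W0rd", "Xq7#pL2v", "Xq7#pL2v!kN9$w",
               "correct horse battery staple"):
        r = assess(pw)
        print(f"{pw!r:32} naive {r['naive_bits']:5.1f} bits  effective {r['effective_bits']:5.1f} bits"
              f"  base={r['dictionary_base']}  offline: {describe(r['seconds_offline'])}")
```

Run it and the article’s example is the instructive row: “m^P@$$W0rd” scores about 65 bits on the charset model, the figure an on-line meter would show, but only about 37 bits once a dictionary-plus-rules attacker is assumed, which at the assumed GPU rate is seconds rather than centuries. The 8-character random password and its 14-character counterpart differ by a factor of 94^6 in guesses, which is the whole argument for length, and the four-word passphrase is capped by the word-list model at roughly 52 bits rather than the 133 the charset model claims. Because the estimate runs locally, nothing is sent anywhere, which is the right way to check a password you actually intend to use.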