How often have you heard that you should change your passwords regularly, like every 30, 60 or 90 days? Maybe at least once every six months? Well, here’s some good news for you: doing so doesn’t improve security. In fact, it makes matters worse. See, in the early days of computers and the Internet, most users had only one account, or a very limited number of accounts, to care for. We didn’t post much about our personal lives online either. No videos, no selfies, no online banking available.
Today that has completely changed. Not only do many of us post personal information online every day but we also do so from different devices, locations and accounts. With an increasing number of accounts, we also tend to use the same passwords across a variety of services. Hackers know this, and they increasingly use this knowledge to compromise our personal information and valuables. On average, any adult person will have at least 20 – 25 different accounts with corresponding passwords to manage.
If we could actually remember 25 strong, unique passwords for those accounts, that would be great. Add to that a requirement to change every password to a new and unique one every 30 or 60 days, and research shows that most of us will revert to creating very simple, incremental passwords: passwords that are reused across many different services – Facebook, banking, work email, shopping, health and insurance.
To make the burden of passwords a little easier, we suggest that you stop changing your passwords frequently. Instead, you should create a sentence as your password for each service. Something positive that you want to remember. A simple sentence will do, as it naturally contains upper- and lowercase letters and special characters. The space between words is a special character, and so is punctuation.
Write down your passwords and store them some place safe at home away from your computer. If you are comfortable with computers and software, consider using a software password manager – it will generate and remember passwords for you and can even enter them for you into login forms online.
If a service, website or software doesn’t accept strong passwords, you should complain to the service provider. There is absolutely no reason this shouldn’t be possible; it is bad security and they should fix it. You are not to blame for bad security and you should not have to face the consequences of their deficiency.
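As an added illustration (not code from the article), the small Python check below shows why a plain sentence already covers the usual character classes, and what a service that “doesn’t accept strong passwords” typically gets wrong: a short maximum length and a ban on spaces. Both policies and both sample passwords are constructed for this example.

```python
from dataclasses import dataclass
import string


@dataclass(frozen=True)
class PasswordPolicy:
    """Server-side password rules (values below are constructed for illustration)."""
    min_length: int
    max_length: int
    allow_spaces: bool
    min_classes: int  # how many of lower/upper/digit/special must be present


def character_classes(password: str) -> set:
    """Report which character classes a password contains.
    Spaces and punctuation both count as 'special', as the article notes."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch.isspace() or ch in string.punctuation:
            classes.add("special")
    return classes


def validate(password: str, policy: PasswordPolicy) -> tuple:
    """Return (accepted, reason) for a password under a given policy."""
    if len(password) < policy.min_length:
        return False, f"shorter than {policy.min_length} characters"
    if len(password) > policy.max_length:
        return False, f"longer than {policy.max_length} characters"
    if not policy.allow_spaces and " " in password:
        return False, "spaces are not allowed"
    if len(character_classes(password)) < policy.min_classes:
        return False, f"needs {policy.min_classes} character classes"
    return True, "ok"


# Hypothetical legacy policy: 16-character cap, no spaces. It rejects the
# sentence yet accepts a short, easily incremented password.
LEGACY_POLICY = PasswordPolicy(min_length=8, max_length=16, allow_spaces=False, min_classes=3)
# Corrected policy: long passphrases with spaces are welcome.
SANE_POLICY = PasswordPolicy(min_length=12, max_length=256, allow_spaces=True, min_classes=3)

SENTENCE = "I walk my dog every morning at 7!"  # constructed sample passphrase
INCREMENTAL = "Summer2015"                       # constructed sample of the habit the article warns about

if __name__ == "__main__":
    for pw in (SENTENCE, INCREMENTAL):
        print(repr(pw), "legacy:", validate(pw, LEGACY_POLICY), "sane:", validate(pw, SANE_POLICY))
```

Run as a script, it shows the legacy policy accepting the weak password and rejecting the sentence, while the corrected policy does the opposite.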
Last but not least: if an online service allows you to use two-factor authentication, we strongly advise you to use it. Two-factor authentication is a mechanism that requires you to enter an additional piece of information with your username and password to log in. Usually it will be a very short code received by text message or an app on your device. Two-factor authentication makes it very hard for any hacker to gain access to your accounts. Please visit https://twofactorauth.org/ to learn more about two-factor authentication, check if the online services you use support it and find user guides on how to configure it.
About the Author
Per Thorsheim has more than 20 years of information security experience and is an internationally recognized password and authentication security expert. He broke the news of LinkedIn being hacked in 2012 and received worldwide attention for his statements on the right to privacy following the hacking and blackmail attempts against Ashley Madison members in 2015. He is the founder and main organizer of PasswordsCon, the world’s first and only conference dedicated to passwords and digital authentication. First started in 2010, this conference brings together researchers and security professionals from all over the world to improve the security of the most common computer challenge anywhere. He is a proud member of ISACA and (ISC)2 and currently holds the CISA, CISM, CISSP and ISSAP certifications.