Written by Ty

How Often Should You Change Your Password?

Published On May 15, 2023

Securing online networks is a critical task for many organizations, and numerous strategies are in place to strengthen this, such as password updates. So, how frequently should a password change be? Are you still using your university-era password without any intention to change it?

You’re not alone in this practice, yet it doesn’t mean it’s safe. It’s also fascinating to note that some individuals find the process of changing passwords as daunting as retirement, hence they stick with the same or similar passwords for an extended period. They may not realize that failure to change passwords or reusing them could expose them to numerous online security risks.

A surprising 66% of people utilize the same password across various online accounts, and 75% find managing and remembering these passwords a cause for stress. The unpleasant reality is, if you think changing your password is tiresome, understand that such an action could be the sole barrier between your organization’s confidential data and unauthorized access.

Why Should I Change My Password?

The practice of enforcing frequent password changes amongst employees might be part of your company’s network security strategy. But have you ever wondered if this practice may inadvertently make your systems more vulnerable? The reality is, when employees are obliged to frequently change passwords, they may not invest sufficient thought into creating strong new ones.

Most people tend to form passwords that follow patterns termed as “transformations.” These include altering the order of special characters or digits, incrementing a number, adding or removing a special character, or replacing a character with a similar-looking symbol. These methods are common coping mechanisms for frequently scheduled password updates, which is understandable given how our minds operate.
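The "transformations" described above are easy to check for on the defender's side when a new password is set. The following is an added example (not code from the original article or from Lumitiv) of a policy check that undoes the common transformations, with the set of lookalike substitutions being an assumption, and flags a new password that is only a trivial variant of the old one:

```python
import re

# Assumed set of lookalike substitutions people use when "rotating" a password.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})
SYMBOL_MAP = str.maketrans({"@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Collapse the common transformations so related passwords compare equal."""
    p = password.lower()
    p = p.translate(SYMBOL_MAP)        # "@" and "$" used as letters
    p = re.sub(r"[^a-z0-9]", "", p)    # added, removed or reordered symbols
    p = re.sub(r"\d+$", "", p)         # trailing counter (2023 -> 2024)
    p = re.sub(r"^\d+", "", p)         # leading counter
    p = p.translate(LEET_MAP)          # digits standing in for letters
    return p


def is_trivial_transformation(old: str, new: str) -> bool:
    """True when the new password is the old one with a cosmetic change."""
    if old == new:
        return True
    a, b = normalize(old), normalize(new)
    if not a or not b:
        return False
    # Same core, or one core embedded in the other ("Summer" -> "Summer!1").
    # The length floor avoids matching on very short, meaningless cores.
    return a == b or (min(len(a), len(b)) >= 4 and (a in b or b in a))


if __name__ == "__main__":
    # Constructed sample pairs, old password then proposed replacement.
    for old, new in [("Summer2023!", "Summer2024!"), ("P@ssw0rd", "Password1"),
                     ("Summer2023!", "BlueBananaBootsFlyToTheMoon!")]:
        print(f"{old!r} -> {new!r}: trivial={is_trivial_transformation(old, new)}")
```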

Nonetheless, to mitigate the risk of online attacks, the answer lies in creating unpredictable passwords. These are challenging to both generate and remember. The key takeaway is to ensure your employees are using robust passwords, otherwise they may remain the weakest link that hackers exploit to gain access to your business systems.

When Should You Change Your Password?

It’s true that changing your password when it falls into the wrong hands can block their access to your company’s network infrastructure. This is why many companies enforce a schedule for employees to change their passwords regularly. However, that approach may lead to poor password practices. The situations that genuinely warrant a password change include:

If You Believe Your Device Is Compromised

Should you suspect that one of your accounts, such as your social media or email account, has been hacked, it is recommended to immediately change the password. Similarly, if your device like a tablet, computer, or phone has been infected with malware or compromised, change the device’s password and that of any accounts you access from that device.

During a Data Breach

The moment you learn that your organization’s data is part of a data breach, promptly change the compromised password and do the same for any other accounts using that password. This is because a hacker will attempt to use breached passwords elsewhere online to discover what else they can access. This practice is referred to as credential stuffing. Therefore, using unique passwords for your accounts is recommended.

Moreover, a reliable password manager can notify you instantly in the event of a data breach involving your email address, including details about the nature of the attack. Consequently, you can identify which password you need to change.

As Part of a Scheduled Routine

Changing your password regularly is a good practice because it works on the assumption that your account is compromised (and you don’t know it yet) or that a bad actor is attempting to hack your password. We’ll learn more about how passwords are hacked next.

How Are Passwords Hacked?

Cybercriminals employ a variety of password-hacking techniques. Perhaps the easiest is buying passwords from the dark web. Understand that hackers profit considerably from acquiring and selling login passwords and credentials on the black market. This means that if you have been using the same password for several years, it’s likely already compromised.

However, if you manage to keep your passwords off aggregated black-market lists, cybercriminals have to resort to cracking them. Here are some of the tactics they employ to gain access to passwords:

  • Phishing: This is a method where hackers trick users into revealing their passwords. This usually involves sending a fake email or message that looks like it’s from a trusted source, like your bank or a social network, and asking you to enter your password on a bogus website.
  • Social Engineering: This refers to manipulating individuals into revealing their confidential information. The attacker might impersonate a colleague or a customer service representative to get you to share your password.
  • Malware: This includes spyware, keystroke loggers, and other malicious software that can capture your keystrokes and send them back to the hacker, revealing your password.
  • Dictionary Attack: This is a technique where attackers use a list of common passwords and dictionary words to guess your password. If your password is a common word or phrase, it could be susceptible to a dictionary attack.
  • Guesswork: Here, a hacker attempts to guess your password based on the information they know or can find about you, such as your birthday, pet’s name, or other personal details.

How to Create A Strong Password

Creating a strong password is essential to securing your personal information online. Here are some best practices you should consider:

  • Length Matters: The longer your password, the more secure it is. Consider making your password at least 12 characters long.
  • Use a Mix of Characters: Combine uppercase and lowercase letters, numbers, and symbols. This adds complexity to your password and makes it harder to crack.
  • Avoid Common Words and Personal Info: Try not to use common words, phrases, or personal information (like your name or birthday) that could be easily guessed by someone who knows a bit about you or by an algorithm trying common words.
  • Consider Passphrases: Instead of thinking about a password, consider a passphrase. These are longer, but can be easier for you to remember. For example, “BlueBananaBootsFlyToTheMoon!” is very strong. It would take an attacker making 100 trillion guesses per second 14 billion years to crack.
  • Don’t Recycle: Don’t use the same password across multiple sites. If one site gets compromised, all your accounts will be at risk.
  • Use a Password Manager: A password manager is a tool that generates and stores complex passwords for you. You only have to remember one master password, and the manager does the rest.
  • Enable Two-Factor Authentication (2FA): While not part of the password, enabling 2FA adds an additional layer of security. Even if someone does get your password, they won’t be able to access your account without the second factor, which could be a code sent to your phone or biometric data like your fingerprint.
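To make the length and character-mix advice concrete, here is an added example (not code from the original article or from Lumitiv) that estimates how long an exhaustive search would take at the 100 trillion guesses per second rate quoted above. The attack model is an assumption: a naive brute force over the character classes present, plus a word-list search for passphrases, which is why its figures will differ from the article's own estimate.

```python
import math
import string

GUESSES_PER_SECOND = 100 * 10**12        # rate quoted in the article
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must cover, from the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += len(string.ascii_lowercase)
    if any(c.isupper() for c in password):
        size += len(string.ascii_uppercase)
    if any(c.isdigit() for c in password):
        size += len(string.digits)
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def search_space(password: str) -> int:
    """Number of candidates in a brute force over the detected alphabet."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    return math.log2(search_space(password))


def years_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    return search_space(password) / rate / SECONDS_PER_YEAR


def years_to_exhaust_wordlist(n_words: int, dict_size: int,
                              rate: int = GUESSES_PER_SECOND) -> float:
    """Dictionary-attack view of a passphrase: each word is one guess unit."""
    return dict_size ** n_words / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample inputs; the last one is the article's passphrase.
    for pw in ["password", "Summer2023!", "BlueBananaBootsFlyToTheMoon!"]:
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, "
              f"{years_to_exhaust(pw):.3g} years (brute force)")
    # Same passphrase seen as 7 words drawn from an assumed 10,000-word list.
    print(f"7-word passphrase vs 10k-word list: "
          f"{years_to_exhaust_wordlist(7, 10_000):.3g} years")
```

The gap between the brute-force and word-list figures is the reason the article recommends avoiding common words even inside a long passphrase.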

Never Use the Same Password Twice

A password manager is a software application that helps to maintain, generate, retrieve, and secure complex passwords for a user’s various online accounts. It provides a convenient and secure solution to the problem of remembering multiple complex passwords. Here are some reasons why a password manager improves password security:

  • Generates Strong Passwords: Password managers typically have a built-in password generator that creates long, complex, and random passwords. These passwords are much stronger than what most people would come up with on their own, and they are difficult for attackers to crack.
  • Stores Passwords Securely: Password managers store all passwords in an encrypted format. This means that even if someone gains access to your password database, they would not be able to read your passwords without the master password.
  • Automated Login: They can automatically fill in your login details for you. This not only makes using strong passwords more convenient but also helps avoid phishing attacks, as the password manager will only fill in details on recognized sites.
  • Encourages Unique Passwords: With a password manager, there’s no need to remember all your passwords, so you’re more likely to use a unique, strong password for each account. This reduces the risk if one of your accounts gets compromised.

The importance of unique passwords for each account cannot be overstated. If you reuse passwords across multiple accounts and one of those accounts gets compromised, then all your accounts that use that password are at risk. This is known as credential stuffing. Attackers who obtain a username-password pair from one breach will often try those same credentials on various other platforms and services to see if they work.

By using a unique password for each account, you ensure that even if one of your passwords is compromised, the damage is limited to that single account and doesn’t put your other accounts at risk. This is a critical aspect of maintaining online security in an era where data breaches have become relatively common.

Remember, even the strongest password can be compromised if it’s not kept secure. Always protect your password and be cautious about where and when you enter it.

Lumitiv is an experienced Calgary based IT Support and Cyber Security provider with over 14 years on the job. We help simplify and guide businesses through the technical landscape.
Copyright 2023 Lumitiv