Conventional wisdom has it that we should change our passwords at regular intervals – every 30 or 60 days or so.
But this may be the wrong thing to do. It turns out that changing your passwords too often can actually compromise security. The culprit? Human nature.
How hackers exploit human nature
According to the Federal Trade Commission (FTC), users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily.
When we change a password, we tend to make just a slight variation on the original one. Or, perhaps we’ll choose one that we’ve used elsewhere, or create a weaker one.
These predictable human tendencies can be exploited. Hackers can easily work out the new password if they have the old one.
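A defender can turn this observation into a check at password-change time: because the user supplies both the old and the new password in that one request, the system can reject a new password that is only a cheap edit of the old one (case change, appended or incremented counter, a few "leet" substitutions, reversal, or a couple of character edits). The following is an added example written for this page, not code from the article or from any product it mentions; the substitution tables and the edit-distance threshold of 2 are assumptions chosen for illustration.

```python
import re

# Assumed, constructed substitution tables for the swaps people commonly make
# when "tweaking" a password. Symbols are mapped before punctuation is removed,
# digits only after leading/trailing counters have been stripped.
SYMBOL_LEET = str.maketrans({"@": "a", "$": "s"})
DIGIT_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Collapse the cheap edits: case, leet symbols, punctuation, counters, leet digits."""
    core = pw.lower().translate(SYMBOL_LEET)
    core = re.sub(r"[^a-z0-9]+", "", core)  # drop punctuation such as ! or _
    core = re.sub(r"^\d+|\d+$", "", core)   # strip a leading/trailing counter (…2023, …1)
    return core.translate(DIGIT_LEET)       # then undo digit-for-letter swaps


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small values mean 'one or two keystrokes changed'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when the new password is a predictable variation of the old one."""
    if new.lower() == old.lower():          # identical or case-only change
        return True
    if old in new or new in old:            # old password padded with a prefix/suffix
        return True
    if new[::-1] == old:                    # reversed
        return True
    old_n, new_n = normalize(old), normalize(new)
    if old_n and new_n and old_n == new_n:  # same word once leet/counters are removed
        return True
    return levenshtein(old.lower(), new.lower()) <= max_edits


def check_password_change(old: str, new: str) -> str:
    """Policy decision a change-password handler could return to the user."""
    if is_trivial_variation(old, new):
        return "rejected: new password is a predictable variation of the old one"
    return "accepted"
```

Because a server normally stores only a hash of the old password, this comparison is only possible in the change-password flow where the user types both values; it cannot be run retroactively over a credential database, and it does not replace checking the new password against known-breached lists.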
Another window of opportunity for hackers is our tendency to write down passwords – especially if we’re forced to change them frequently.
Most of us suffer from password overload. We simply have too many to remember. Maybe you keep a spreadsheet of all your passwords, or tape them under your keyboard? While you may be protecting yourself from external threats, what about the overnight cleaning crew?
So, how often should you change passwords?
None of this means that you should never change passwords.
In most cases, changing your passwords once every 12 months or so is enough. This assumes that you follow best practices at home and work when you do change passwords or create new ones:
- Your financial or banking password should be unique and not match any other password. When hackers get hold of a password list, they try the entries on multiple sites. For example, a hacker will try your user name and password with every large financial institution in an attempt to access your accounts.
- For less important sites, such as blogs, it’s fine to reuse a password if a compromise would pose no risk to your reputation or wallet.
- Use long passwords. Requiring 14 characters or more makes it likely that your password will include symbols, letters and/or numbers.
- At the office, you should have a unique password for your network login, email and CRM.
- Enable account locking in response to bad login attempts.
Speaking of account locking
Some companies disable the account lock function because the IT department gets tired of unlocking accounts. Turn it back on.
Instead of locking accounts after just two or three bad attempts, however, set the maximum at 5-10 attempts. This will reduce the number of accidental lockouts, but still protect your network from “brute force” attacks where bots try out thousands of passwords to gain access.
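The lockout behaviour described above, as an added example written for this page rather than code from the article or any product: a login guard that counts recent failures per account, locks the account once the threshold (8 here, inside the recommended 5-10 range) is reached, refuses further attempts while locked, and unlocks automatically after a fixed period so the IT department is not the only way back in. The policy numbers, the in-memory state store, the fake clock and the sample user list are all assumptions chosen for illustration.

```python
import time
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    max_attempts: int = 8            # assumed value, within the 5-10 range the text recommends
    lockout_seconds: int = 15 * 60   # automatic unlock, so lockouts need no help-desk ticket
    window_seconds: int = 10 * 60    # failures older than this are forgotten (typo tolerance)


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failed attempts
    locked_until: float = 0.0


class LoginGuard:
    """Wraps a password check with per-account failure counting and temporary lockout."""

    def __init__(self, policy: LockoutPolicy, verify_password, clock=time.time):
        self.policy = policy
        self.verify = verify_password      # callable(user, password) -> bool
        self.clock = clock                 # injectable for testing
        self.state: dict[str, AccountState] = {}

    def attempt(self, user: str, password: str) -> str:
        now = self.clock()
        st = self.state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"                # refuse before verifying: no oracle while locked
        st.failures = [t for t in st.failures if now - t <= self.policy.window_seconds]
        if self.verify(user, password):
            st.failures.clear()            # a good login resets the counter
            return "ok"
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_attempts:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures.clear()
            return "locked"
        return "bad_password"


class FakeClock:
    """Constructed clock so the scenario below runs instantly and deterministically."""

    def __init__(self, start: float = 1000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


def simulate(max_attempts: int = 8) -> list:
    """Constructed scenario: typos, a bot burst, lockout, and the automatic unlock."""
    users = {"alice": "correct horse battery staple"}   # constructed sample account
    clock = FakeClock()
    guard = LoginGuard(LockoutPolicy(max_attempts=max_attempts),
                       lambda u, p: users.get(u) == p, clock=clock)
    results = []
    results.append(guard.attempt("alice", "wrong"))          # one typo
    results.append(guard.attempt("alice", users["alice"]))   # success resets the counter
    for _ in range(max_attempts - 1):                        # bot guesses up to the threshold
        results.append(guard.attempt("alice", "guess"))
    results.append(guard.attempt("alice", "guess"))          # threshold reached: locked
    results.append(guard.attempt("alice", users["alice"]))   # right password, still locked
    clock.t += guard.policy.lockout_seconds + 1              # wait out the lockout
    results.append(guard.attempt("alice", users["alice"]))   # automatic unlock, login ok
    return results


if __name__ == "__main__":
    for step, outcome in enumerate(simulate(), 1):
        print(step, outcome)
```

Locking per account still lets a bot spread guesses across many accounts (one guess per account stays under every threshold), so in practice this counter sits alongside per-source-IP rate limiting and logging of the lockout events for the SOC.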