Skip to main content
How Often Should You Change Your Password?

Are frequent password changes the key to managing password security? The CEO of Spycloud, Tim Ross, surprised his audience at a recent conference when he said that frequency of password changes did not matter that much.

He explained that the way most people change passwords contributed to password security problems, no matter how often they changed them. Thus, even periodic forced password changes could not ensure protection. He believed that weak passwords made people vulnerable, even if they changed their password every day.

Here at RedTeam, our cybersecurity experts agree with his assessment. Using complex, long passwords, and the right tools, like a password manager and two-factor authentication, will provide you with much more robust password security than simply changing passwords on a frequent schedule. Take a moment to understand our reasoning in order to protect your computer systems and online accounts against a data breach, malware, and other threats.

Why is a Password Manager Better Than Frequent Password Changes?

While almost everybody knows they should pick a strong password that's tough to guess, most folks make some serious mistakes. First, they really don't choose a new password but some slight variation of a fairly simple one they've used before or even the exact same one they've used before for another system. Since so many passwords have already been leaked, it may not take a sophisticated cybercriminal long at all to guess the changed password

What Causes Most Password Breaches?

To understand the best suggestions for ensuring password security, it helps to learn why most password breaches happen in the first place. As CSO Magazine pointed out, hackers have already stolen millions upon millions of passwords. Even worse, they have widely distributed them through sales on illegal markets on the dark web. That means that one stolen password could end up in dozens of illicit places.

Even if people change their passwords regularly, they tend to either use similar variations or the same ones multiple times. To back this up, CSO Magazine also cited a recent study from Verizon that found over 80 percent of password breaches stemmed from two sources:

  • Stolen, Leaked Passwords
  • Weak Passwords, Like p@ssword

Some sites use security questions for additional verification. Security experts say that even this extra layer won't do a lot of good because it's so easy to find answers to questions like a mother's maiden name or a favorite pet's name on the internet, especially with all of the personal information published on social media.

Thus, even adding extra security questions to frequent password changes won't really provide robust protection. Better solutions include using complex, strong passwords, two-factor authentication, and avoiding the use of compromised credentials. Take a look at these suggestions in the following sections.

Cybersecurity Pro Tips for a Strong, New Password

  • While the old standard for a strong password used to be 12 characters, security expects now suggest a minimum of 16 characters or even longer, if allowed. While password complexity helps, so does length. Hackers have tools that let them find short combinations of characters within seconds, but as the length of the string increases, it exponentially also increases the time it takes to guess passwords.
  • It's better to let the computer generate a truly random, complex password that thieves won't have an easy time guessing. If a long password includes a name and birthday, it's still very easy for a determined cybercriminal to guess. Stronger passwords contain random strings of letters, numbers, and special characters.
  • Use unique passwords that have not been used before on any system and are not words, birthdays, or any other recognizable pattern. Again, a cybercriminal may have access to previous passwords and some personal information, like birthdays or parent's names.
  • Use different passwords for social media, email, online banking, work systems, and so on. Using unique passwords helps reduce vulnerability to multiple breaches, even if thieves manage to obtain one password.

Using a Password Manager to Manage Multiple, Complex Passwords

It's easy to understand the main objection to creating multiple, complex passwords for every online account and computer system. According to Ross, average people end up creating as many as 200 passwords. They'll be impossible to remember and writing them down on a sticky note isn't a secure, reliable way to manage them. That alone explains why most people tend to reuse simple passwords.

A password manager, like Lastpass, provides an ideal solution. Not only does it provide a secure vault for all credentials, it can also generate the kind of complex, random strings needed to defeat hackers. Since the password manager generates and remembers all of the different passwords, a user only needs to keep track of the one password that they use to access their Lastpass account.

Additional Benefits of Password Managers

Good password management and security systems can provide some additional benefits too.

See a Couple Examples:

  • Lastpass automatically monitors darkweb sites and sends alerts if they find one of their members has had their information compromised. That way, the member knows for sure that it's time to change their credentials.
  • For another example, Spycloud checks to make sure any passwords entered into its system haven't already been distributed by illegal vendors. These extra features can provide even more protection against unauthorized access.

How Two-Factor Authentication Makes Password Managers Even More Secure

Also called multi-factor authentication or 2FA, two-factor authentication adds an additional barrier to thwart even the most determined cybercriminal. In short, two-factor authentication refers to systems that require users to supply two forms of credentials in order to login. In this case, the credentials are called factors.

In general, multi-factor authentication works like this:

  • Typically, 2FA relies upon a traditional login and password, just like most people already use.
  • As the second factor, most of these systems will also send a PIN code to the user's cell phone. Some sensitive, commercial systems may also use their own dedicated devices or even biometrics as their second credential.
  • After entering an ID and password, the system will also prompt the user to enter their pin code. It will grant access only after it accepts both credentials.

With a password manager, the most vulnerable thing might be the master password for the account. While users can let the computer generate a robust password, that's one thing that the vault doesn't manage.

With Lastpass and similar password managers, users can use 2FA in addition to creating a password. This helps keep the user's account more secure. Not only will they need to supply their user ID and password, they will also need to retrieve a PIN code from their phone.

Of course, people should also consider enabling 2FA on social media, email accounts, Netflix, online banking, and any other systems that they use and add personal or financial information to. Even if a thief manages to steal a device and the passwords, they would need access to the second device to breach the system.

What's the Key to Strong Password Security?

In summary, neither frequent password changes nor even extra security questions can really ensure robust security. Digital thieves have access to millions of stolen credentials and the entire internet to search for personal information. They also employ tools that can help them crack short, simple passwords within seconds. The best strategy includes:

  • Complex, long passwords
  • Password managers to store login credentials and provide other security features
  • Multi-factor authentication to provide an additional layer of protection

How to Ensure Business Security

Developing strong passwords only represents one aspect of protecting valuable business information. Criminals may also attempt to steal business assets with social engineering, phishing, or even on-premises attacks.

Typical businesses can't possibly anticipate all of the methods that digital criminals might use to steal valuable information and other assets. That's why prudent organizations call upon us for penetration testing. For a free consultation with our security experts, call 952-836-2770 or schedule a time online. Here at RedTeam Security, our HIPAA penetration testing will uncover security issues and offer the best solutions to fix them.

Get a FREE security evaluation today and reduce your organization's security risk.
Schedule My Call Schedule My Call
Contact Us