Ever since the Heartbleed bug, a reinstated rule-of-thumb for the online community has been, “Change your passwords regularly.” It’s become proverbial for anyone who follows cyber policy; for decades, security guidelines have recommended frequent password changes, commonly between 30 and 180 days.
However, in recent months, it’s become highly questionable if frequently updating your password actually does increase security.
A Microsoft study found that compulsory password changes do little to improve student security, yet do much to increase frustration.
The library is brimming with the cacophony of angry keyboard typing, as students try to cipher what their newly changed password is. Though their guesswork doesn’t take long, seeing as many users have a tendency to alter their previous, simple passwords with slight variations (e.g., password 3).
“I hate password changes,” sophomore Rachael Garrison said. “I had to write my new Puget Sound password on a sticky note on my laptop.”
It’s easy to recognize how our password regime may not be as secure as one might think. In this scenario, password-changing requirements could actually increase risk.
In the case of private networks—campus access for instance—hackers are less likely to use your password than they are to install backdoor access. Backdoor access (regrettably not a euphemism) is a means of access to a computer program that bypasses security mechanisms. With this consideration, habitual password changes won’t protect your account.
The National Institute of Standards and Technology (NIST) claims that password expiration rules, the process of forcing a user to select a new password after a certain time, are “not of much help in mitigating cracking because they have such a small effect on the amount of effort an attacker would need to expend.” Not only are hackers generally aware of password expiration routines, but they are also in possession of advanced software that allows them to use an encryption algorithm that can cipher any eight-character password, no matter how many times it’s changed.
Be that as it may, there are exceptions. For certain accounts, hackers are more inclined to “listen in” and furtively stick around for a period of time until they acquire important information about you. Students might consider regularly changing passwords for social networking sites that may not have two-factor authentication. This may include email, IM, or conference services.
Rather than cycle through varying, yet similar, passwords, it would be better to choose a unique (perhaps even extraordinary, unprecedented—come across as psychotic) password for all accounts—one as long as possible. Strengthen all of your security options (such as two-factor authentication, creating unguessable password recovery questions, and backing everything up). Because, ultimately, strong passwords won’t be enough—no matter how often you change them.
If you have any weak or corresponding passwords, it would be wise to change them as soon as you can. Also, regard any security breach as a reminder to investigate and update not only your passwords, but your security setup in general—if needed. After this, come to terms with the fact that you’ve done the best you can—and save yourself the bother of having to consult the calendar when switching passwords.