How Often Should You Change Your Passwords?


You'll be surprised by what the security experts recommend.

This post comes from Bob Sullivan at partner site

How often should you change your passwords? Sounds like it should be a pretty easy question, right? After all, it gets right to the heart of most security issues that people face. Turns out, it’s a really hard question to answer.

And that’s a problem, because as I spend more time giving talks about computer security with people in various settings, I have come to know that “How often?” is by far the most common question people have.

I might offer a stirring, funny, informative — OK, adequate — 45-minute discussion about the major security and privacy issues of our day. I might touch on Snowden, Target, retina scans, social engineering, social media, your mother’s maiden name, but it doesn’t matter. Inevitably, one of the first two or three questions is: “How often do you, or should I, change a password?”

Recently, I’ve thought a lot about better ways to answer that question. I have a few, and I want to hear your answers. But before I get to that, I thought I’d find some better people to answer the question. I did a quick, informal survey of the best in the information security business, and here’s what they said to me. You’ll find plenty of nuggets of wisdom here, and more than a few surprises.

Graham Cluley, independent computer security analyst, formerly of Sophos and McAfee

I only change my password if I’m worried a service has been hacked/compromised. I have different passwords for each site. In fact, I reckon I have over 750 unique passwords. I use password management software. I think requiring people to regularly change their password is a bad idea. It encourages poor password choices, (such as) … passwordjan, passwordfeb, etc.
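The "passwordjan, passwordfeb" pattern Cluley describes is easy to catch at password-change time. The following is an added illustration, not code from the article or from any product: a small Python checker (the function names and the sample history are made up for this example) that flags a new password as a trivial variant of an old one.

```python
import re
from difflib import SequenceMatcher

MONTHS = ("jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec")
# Trailing pieces people bolt onto a reused base when forced to rotate:
# punctuation, digits (years, counters) and month abbreviations.
_SUFFIX = re.compile(r"(?:[!@#$%^&*._\-+=]+|\d+|" + "|".join(MONTHS) + r")$")


def normalize(pw: str) -> str:
    """Lower-case and repeatedly strip rotation suffixes, so 'Password!jan',
    'password02' and 'passwordfeb' all collapse to the base 'password'.
    This also trims ordinary words ending in a month ('grammar' -> 'gram'),
    which only matters if two stripped bases happen to coincide."""
    s = pw.lower()
    prev = None
    while prev != s:
        prev = s
        s = _SUFFIX.sub("", s)
    return s


def is_trivial_variant(old: str, new: str, threshold: float = 0.85) -> bool:
    """True when `new` is a predictable tweak of `old`: same base after
    suffix stripping, or an edit-similarity ratio at or above threshold."""
    if old.lower() == new.lower():
        return True
    base_old, base_new = normalize(old), normalize(new)
    if base_old and base_old == base_new:
        return True
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= threshold


def rejected_by_history(history, candidate):
    """Return the first previous password the candidate is a variant of, or
    None when it is genuinely new. Plain-text history is used here only for
    illustration; a real system would keep only a keyed hash of each
    normalized base, never old passwords in the clear (assumed design)."""
    for old in history:
        if is_trivial_variant(old, candidate):
            return old
    return None


if __name__ == "__main__":
    # Constructed sample history for demonstration.
    history = ["passwordjan", "passwordfeb", "Summer2014!"]
    for cand in ("passwordmar", "Summer2015!", "correct horse battery staple"):
        print(f"{cand!r:32} -> variant of {rejected_by_history(history, cand)!r}")
```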

Mikko Hypponen, chief research officer, F-Secure
For your corporate network account? Several times a year. For an online newspaper that requires registration in order to read it? Never. As always, it’s about threat modeling: Figure out which services are the important services FOR YOU. Then use a strong, unique password on those, and change it regularly. For non-important sites, who cares?

James Lyne, global head of security research at Sophos, speaking specifically about corporate passwords

The requirement to change your passwords is a preventive measure that is designed to minimize the risk of your already stolen password being cracked and used. Over 2014, there have been a huge number of attacks which have led to the loss of password hashes (or other representations). These password “representations” require time and effort for attackers to crack and reverse to their plain text form. Depending on the hashing scheme in use and the resources of the attacker this can take little, or a very long time. Changing your password regularly helps manage the risk of an attacker stealing your password hash from the provider (without you knowing) by increasing the probability you have changed it before they use it.

There is a real balance to be struck with password rotations. Some enterprises set painful rotation rules that require staff to regularly learn a new password and commit it to memory; ironically, this can lead to staff producing poor passwords to meet the requirement, which again ironically makes it much easier for the attacker to break. Providing the service provider does their part and secures your password with an appropriate storage mechanism, often using a significantly longer, complex and hard-to-guess password is a much better defense. Good luck to the cybercriminal going after a 128-character password stored as a (moderately poor) SHA1 hash.

Password managers help you generate long and complex passwords that will be hard to crack even if lost. That said, if you go this far and implement a manager you may as well rotate your passwords once in a while as you don’t need to remember them and it helps minimize the risk of attackers using stolen credentials (particularly on sites that store your password poorly). Most enterprises would do well to consider how to improve their password storage security and the strength of the original password over a 30-day rotation period.
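Lyne's argument can be put in numbers. This added example (not the article's or Sophos's code; the guess rates, function names and sample passwords are assumptions made for illustration) estimates the probability that a stolen hash is cracked before the next scheduled rotation, for a fast SHA1 store versus a deliberately slow password hash.

```python
import math
import string

# Illustrative guess rates (guesses/second) for one attacker who has stolen
# the hash database. Constructed for this example, not measurements.
GUESS_RATES = {
    "sha1": 1e10,          # fast, unsalted hash on a GPU rig
    "bcrypt_cost12": 1e4,  # deliberately slow password hash
}
SECONDS_PER_DAY = 86400


def entropy_bits(password: str) -> float:
    """Entropy of a *randomly generated* password: length * log2(alphabet),
    with the alphabet inferred from the character classes present.
    Human-chosen passwords are far weaker than this estimate."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def crack_probability(bits: float, rate: float, window_seconds: float) -> float:
    """Probability that exhaustive search at `rate` guesses/s finds a uniformly
    random secret of `bits` entropy within the window. Computed in log space
    so very strong passwords do not overflow a float."""
    guesses = rate * window_seconds
    if guesses <= 0:
        return 0.0
    return min(1.0, 2.0 ** (math.log2(guesses) - bits))


def risk_before_rotation(password: str, scheme: str, rotation_days: float) -> float:
    """Chance that a stolen hash of `password`, stored with `scheme`, is
    cracked before the next scheduled rotation."""
    return crack_probability(entropy_bits(password), GUESS_RATES[scheme],
                             rotation_days * SECONDS_PER_DAY)


if __name__ == "__main__":
    # Constructed samples: a memorable 8-char password vs a 32-char generated one.
    for pw in ("Tr0ub4d!", "kL9$vQ2#mN7@pX4&bH1!wE3%cT6^rY8*"):
        for scheme in GUESS_RATES:
            for days in (30, 365):
                p = risk_before_rotation(pw, scheme, days)
                print(f"{len(pw):2d} chars, {scheme:13s}, rotate every "
                      f"{days:3d}d: P(cracked first) = {p:.2e}")
```

For the short password the SHA1 store is lost long before any rotation cycle, while the slow hash keeps the risk tiny; the rotation period barely moves either number, which is Lyne's point about storage strength.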

Harri Hursti, independent security researcher, famous for the “Hursti Hack” of voting machines
