Ask Floh: Why you don’t need to change your password every 30 days
Do you really need to change your passwords every month?
Nope. This common “password security tip” has been debunked. In fact, frequent password changes can actually make things worse.
In this week’s Ask Floh, we learn why you should stop changing your passwords and make stronger ones instead.
We at Peerio believe in strong passwords. Our Peerio app uses computer generated passwords (account keys) because we need users to have strong passwords to generate strong cryptographic keys, and to ensure users are protected from any attempts to guess their account keys. To learn more, read: “How to build a billion dollar password.”
Hello and welcome back to Ask Floh, our series on cyber hygiene for the workplace.
So this next question comes from Mike in Washington. And he’s saying:
“My company makes me change my password every 30 days. Why do they make me do this, even if we haven’t been breached, or anything like that?”
So lots of things in this question. This is personally a pet peeve of mine, I have suffered under many a password change policy. They’re really annoying. And I generally think that things that are really annoying are pretty bad for security. Because one of the things that you want to do is make people be naturally drawn to best practices. So that’s the first thing I have to say, which is a bit meta, perhaps.
The second thing is a bit of an assumption embedded in the question, which is, Mike is saying, we haven’t been breached. And so that’s actually kind of a tricky thing. Because a lot of times, businesses or even individuals are breached, and they don’t even know it. So it’s actually good to have policies that sort of assume that you’ve been breached. So on that front, that’s something to always keep in mind.
That said, I think that the password reuse idea, which is that if you change your passwords, if your users change their passwords, then if passwords are breached, the attackers won’t be able to use the existing passwords that were leaked, or breached, or whatever, because they will have been changed by this policy.
That is actually pretty debunked. And there’s actually a really good paper on this that we will share. The reason, in brief, is that when people are forced to change their password, let’s say their password was sunshine, by the way is about password, not use it. If every month or whatever, they’re forced to change their password, what’s going to happen is that the next password is going to be sunshine one, and then sunshine two, and then sunshine three, you probably know that that’s true, because you’ve probably done it.
And so with this kind of systematic way of changing a password, it’s actually really easy for password cracking tools to adapt to. In fact, this is pretty much built into most of them trying some variations of something that they’ve already found, or variations of the same thing. So this actually does not work very well in practice even though the idea is maybe not a terrible one.
So in general, I would advise Mike to talk to your security director. Maybe show some research. And maybe try to push your company towards a policy that’s more about the quality of a password, which can be measured in a number of different ways. And there are many tools available for that. But one of the biggest things there is simply the length of the password. So that’s a much better idea and password change policies unfortunately, aren’t great and they also cause a great deal of frustration.
Alright, I hope that was helpful. See you next time.
Read more about passwords
You know what’s better than secure team communication? Nothing. Peerio gives you a super secure way to chat with your team, store and share files, all in one place. Every message and file stored and sent with Peerio is encrypted end-to-end by default. Learn more.