• Why change your password(s) regularly?


    Every password management article I’ve read advises you to change your password(s) regularly. Why? The only scenario I can see where this is of any value is one in which your password(s) have been exposed. Absent exposure, if you’re using strong, complex passwords, the only way they’ll become compromised is via a determined and successful decryption attack, which, using generally available technology, could take eons. If the attacker is in the middle of a long run, the next password to try could well be your current password, but if you change it, you can’t be sure that a subsequent try won’t be your new, changed password. And if you’ve got a LOT of strong, complex passwords, changing them all could take days. In fact, I have password-protected accounts on some sites where there is no obvious way to change a password or to delete the account altogether. Seems like the cost/benefit ratio here is unreasonably high.

    But if I had had a password-protected Target account recently, I would certainly change that password, but that wouldn’t encourage me to change all my other passwords.

    I do worry about my Roboform master password being compromised, thus exposing my 800+ strong, complex, managed passwords. But it’s fairly easy to keep track of that password and change IT if there’s any hint of it having been exposed. But just changing it now and then, while practical, seems of little value.

    What am I missing here?

    • #1447473

      I agree. If you are using strong passwords in the first place there is no benefit in changing them regularly. There is more chance of a poorly designed web site leaking your password and data than a strong password being compromised. The only exception I can see is your banking password if you happen to be particularly paranoid.

      cheers, Paul

    • #1447513

      The best that can be said for the insistence of enterprise auditors that passwords must be changed every 90 days is that it discourages users from sharing passwords.

      But it comes with a huge cost of decreasing complexity of passwords used and/or in wasted time when those passwords are frequently forgotten and need to be reset.


      Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

    • #1447645

      But the auditors insisted……. 🙂

      cheers, Paul

    • #1447679

      If people have to change their passwords so frequently, won’t they just change one character at the end? My work password was e.g. passworda, then passwordb and so on. It didn’t take long to find the password if I forgot it (say after some leave).

      What I found slightly bemusing, when they introduced a password manager, we weren’t allowed to keep system passwords in it – but they tended to be so random they would be written down (or put in a spreadsheet called – passwords.xls :o). And the system passwords were never changed…..

      Eliminate spare time: start programming PowerShell

    • #1447720

      @BruceR, access-mdb, re frequent password change and its unintended consequence, I agree totally.
      Hey, our door is totally exposed to all elements too.

      Soon we’ll run out of ideas on memorable passwords. Soon we’ll have yellow stickers back on monitors. Soon the future 30% senior population would break down the tech support systems.
      Soon we’ll run out of ‘mothers’ maiden names’, ‘Birth city names’, and our brothers’ names are John, Paul, George, Ringo, …

      Soon, the hack with it, we’ll have mechanical key and key hole in our laptop, tablet, cell phone, and yes, Google glass and Google watch. Maybe hearing aids too.
      And very soon, the key is as big as our present car keys. Soon the pocket of our pants has holes. Soon, the 5-lb key chain activates airport detector system endlessly. Soon we’ll be restricted to 3-oz (!) key chain in airport.

      And very soon, bio-key equipped device owners would lose their eyes and fingers to robbers …
      Maybe we’ll then start using our toes …

    • #1447938

      I had not thought of the point that changing passwords regularly would discourage sharing, but it would also be a valid critique that when passwords are changed often one is more likely to forget and need to borrow, catch 22.

      I have always felt a mandated password change (like I have @ work) is counterproductive. I have a long nonsense phrase that gets a regular modification when needed.


      Just because you don't know where you are going doesn't mean any road will get you there.