It’s been a big holiday weekend in the United States, with some folks going crazy ape bonkers over the retail bargains available.
And today is Cyber Monday when online retailers tend to jump on the bandwagon too.
So, it was good to hear that the FBI was going to offer some timely advice for online shoppers over the holiday season.
What was disappointing, however, was the advice they offered when they tweeted this:
Shopping online this holiday season? Keep your accounts secure, use strong passwords & change them frequently. #cyber #blackfriday
I like the advice to use strong passwords (although mentioning that they should also be *unique* passwords that you aren’t using anywhere else would have been helpful).
What I don’t like is the advice that shoppers should change their passwords regularly.
As we have discussed before, regularly changing passwords (unless there’s a good reason to believe that passwords need to be changed – such as having a weak password, password reuse or a breach) can lead to folks making poor password choices that actually reduce security rather than increase it.
You can find out more in this video I made earlier this year:
If you find passwords a burden – consider using password management software like Bitwarden, 1Password, and KeePass to make them safer and easier to remember.
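The rule argued for above, change a password on evidence (weak, reused, breached) rather than on a calendar, and refuse the predictable variants that scheduled rotation tends to produce, as an added example that is not part of the original post. The breached-password set, the 12-character floor and all function names are assumptions for the illustration:

```python
import hashlib
import re

# Constructed stand-in for a breached-password corpus; a real check would query
# a breach dataset (k-anonymity range lookup or a local copy), not this tiny set.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password", "Winter2023!", "letmein")
}
MIN_LENGTH = 12  # assumed policy floor, not taken from the post


def stem(password: str) -> str:
    """Lower-case and strip leading/trailing digits and symbols: 'Winter2023!' -> 'winter'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())


def is_trivial_variant(old: str, new: str) -> bool:
    """True when the new password is the old one with its trailing digits/symbols
    bumped (Winter2023! -> Winter2024!) or simply reversed: the choices a
    scheduled rotation pushes people towards."""
    return new == old[::-1] or (stem(old) != "" and stem(old) == stem(new))


def is_breached(password: str) -> bool:
    return hashlib.sha1(password.encode("utf-8")).hexdigest() in BREACHED_SHA1


def rotation_reasons(password: str, reused_elsewhere: bool = False) -> list:
    """Evidence that justifies changing a password. An empty list means there is
    none; the passage of time is deliberately not a reason here."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("weak")
    if reused_elsewhere:
        reasons.append("reused")
    if is_breached(password):
        reasons.append("breached")
    return reasons


def change_rejections(old: str, new: str, reused_elsewhere: bool = False) -> list:
    """Why a proposed replacement should be refused: a trivial variant inherits
    the old password's exposure, and the new one must itself pass the checks."""
    rejections = []
    if is_trivial_variant(old, new):
        rejections.append("trivial variant of previous password")
    rejections.extend(rotation_reasons(new, reused_elsewhere))
    return rejections
```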
An interesting dynamic is that Password Managers – such as LastPass – tell you to change your password – even if it's lovely and strong and unique. If you use LastPass's Security Challenge feature, they bring up an advisory for sites with the text "Regularly updating your passwords is key to good security…"
I unfollow this blog due to the crap here. Password change cannot harm.
It has been empirically proven that forced password changes on frequent schedules result in the harm of weaker, shorter passwords.
Being advised to change your passwords frequently isn't quite the same as forced password changes, but if someone takes that advice seriously, it effectively becomes a forced password change.
There is also the issue of personal values changing the definition of abstract words. "Frequently" is not an adequate adverb. It's too general to be useful in a semi-official advisory. Frankly, this looks like a lazy copy-and-paste from an old employee handbook.
The problem with not changing passwords "unless there's a good reason to believe that passwords need to be changed – such as having a weak password, password reuse or a breach" is that you may not hear about a breach until many months or years later. Saying it's not a good practice to regularly change passwords is poor advice. As long as strong passwords are used, changing them does ZERO harm.