On Friday, popular tech news site Gizmodo published an article with the title: “Go Update Your Passwords Right Now”:
Hey, you, casual internet user. Why not go and update your passwords right now? I’m not trying to boss you around or anything, but semi-frequent password changes are widely considered a great way to avoid getting hacked and having your information spilled all over the web.
Well, I don’t agree with the advice from Gizmodo.
I think the time to change your password is when you have a good reason to – for instance, if you think your password may have been breached, or if you believe you may have chosen a weak password or reused the same password in multiple places.
Check out the video I made four years ago on this very subject.
Enforcing or encouraging users to change their passwords can lead to people falling into the trap of choosing weaker passwords rather than strengthening their security.
Imagine, for instance, working at a company where you are asked to change your password on the first day of every month.
Workers could all too easily grow tired of conjuring up (and remembering) new passwords and find themselves choosing passwords like:
bananajan
bananafeb
bananamar
and so on…
No less an authority than NIST, the National Institute of Standards and Technology, has also advised against companies and services requiring users to change their passwords unless there’s a good reason:
Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise.
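To make the two points above concrete, here is an added example (not code from the original post) of a password-change check in the NIST spirit: it flags the "bananajan" → "bananafeb" style of rotation fatigue by stripping month and counter suffixes and comparing what is left, and it rejects blocklisted passwords. The blocklist and sample passwords are constructed for the demo; the suffix regex is a deliberately simple heuristic.

```python
import re
from difflib import SequenceMatcher

# Constructed stand-in for a breached/common-password blocklist.
BLOCKLIST = {"password", "qwerty", "letmein", "welcome"}

MONTHS = "jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec"
# Trailing month abbreviation or 1-4 digit counter, optionally followed by symbols.
SUFFIX_RE = re.compile(rf"(?:{MONTHS}|\d{{1,4}})[!@#$%^&*._-]*$", re.IGNORECASE)


def core(password: str) -> str:
    """Repeatedly strip rotation suffixes so 'bananajan', 'bananafeb' and
    'Banana2024!' all collapse to 'banana'. Heuristic: 'dismay' also loses 'may'."""
    s = password.lower()
    while True:
        stripped = SUFFIX_RE.sub("", s)
        if stripped == s:
            return s
        s = stripped


def is_predictable_variant(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when the proposed password is a trivial rewrite of the previous one."""
    if new.lower() == old.lower():
        return True
    if core(new) and core(new) == core(old):
        return True
    # Catch single-character tweaks that the suffix rule misses.
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= threshold


def check_new_password(old: str, new: str) -> list[str]:
    """Return the reasons a proposed password should be rejected (empty list = accept)."""
    reasons = []
    if len(new) < 8:
        reasons.append("shorter than 8 characters")
    if new.lower() in BLOCKLIST or core(new) in BLOCKLIST:
        reasons.append("matches a blocklisted password")
    if is_predictable_variant(old, new):
        reasons.append("predictable variant of the previous password")
    return reasons


if __name__ == "__main__":
    for old, new in [("bananajan", "bananafeb"), ("bananajan", "correct-horse-battery")]:
        print(new, "->", check_new_password(old, new) or "accepted")
```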
When there are good reasons to change your passwords, you should definitely change them – and make them strong, hard-to-crack and unique. I recommend using a password manager to generate random passwords and to store them securely for you.
But if you don’t need to change your passwords, maybe you shouldn’t.
The UK NCSC guidance is great for how to define password policies and, like NIST, also recommends not forcing password changes where possible: https://www.ncsc.gov.uk/collection/passwords/updating-your-approach
Except the UK NCSC also prominently advise the public to store their passwords in their browsers.
This is more universally regarded as a terrible idea for a variety of reasons, not least of which is that so many users are so careless about leaving access to their PCs and browsers open to others, in which case so are their passwords.
(Windows access password or other access on a post-it on the monitor, browser not password secured…)
Also, if you simply allow a friend or someone else to use your PC without making them use a guest account (as most people will casually do), then this will also give them access to your passwords.
In addition, key-logging software or spyware is more likely to be able to access your password this way than through a secure password manager.
Beyond that, many types of malware can access the browser, and there are various software packages that can easily access the passwords in the browser for someone else. IMHO it's a daft idea.
See here:
https://www.ncsc.gov.uk/cyberaware/home
I contacted them to ask them how they could justify giving this awful advice to the public but they never bothered to reply.
Slight obverse to change/don't change PW: As Network & Security Mgr for a certain large bank I was informed that some accounts (in a 24-hour section) had never logged out in several months – yet no-one worked more than usual shift hours. Investigation showed a group agreement on a shared password and login ID made life simple for the team whenever there was a change of staff/sickness/holidays, or even just breaks. All the usual RACF controls were also off for that group, so it did not surface until we did a bank-wide audit of account usage. Whether the change-password rule had – in the past – upset some senior manager, or it was sheer incompetence by an earlier Network Mgr/staff, was never determined, but it showed us the nature of the problem we faced trying to raise security to even basic levels.