On Friday, popular tech news site Gizmodo published an article with the title: “Go Update Your Passwords Right Now”:
Hey, you, casual internet user. Why not go and update your passwords right now? I’m not trying to boss you around or anything, but semi-frequent password changes are widely considered a great way to avoid getting hacked and having your information spilled all over the web.
Well, I don’t agree with the advice from Gizmodo.
I think the time to change your password is if you believe there’s a good reason to change your password – for instance, if you think your password may have been breached, or if you believe you may have chosen a weak password or reused the same password in multiple places.
Check out the video I made four years ago on this very subject.
Enforcing or encouraging users to change their passwords can lead to people falling into the trap of choosing weaker passwords rather than strengthening their security.
Imagine, for instance, working at a company where you are asked to change your password on the first day of every month.
Workers could all too easily grow fatigued of conjuring up (and remembering) new passwords and find themselves choosing passwords like:
and so on…
No less an authority than NIST, the National Institute of Standards and Technology, has also advised against companies and services requiring users to change their passwords unless there’s a good reason:
Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise.
When there are good reasons to change your passwords, you should definitely change them – and make them strong, hard-to-crack and unique. I recommend using a password manager to generate random passwords and to store them securely for you.
But if you don’t need to change your passwords, maybe you shouldn’t.