I Am A Security Expert And I Do NOT Frequently Change My Passwords

October 31, 2016 Arne Defurne

Frequently changing your passwords is the enemy of your security. Over the past few years, organizations including the US National Institute of Standards and Technology (NIST) and the UK government agency CESG have concluded that mandatory password changes are often ineffective or counterproductive. When people are forced to change their passwords, most of them make a small, easily guessable change to the old one. An attacker who holds an older version can often work out the new password.

Only change your passwords when they are stolen.

If we want users to choose long, hard-to-guess passwords, we shouldn’t make them change those passwords regularly. The only time passwords should be reset is:

  • When they are forgotten
  • If they have been phished
  • If you are informed that the password database of an app or service you use has been stolen. Stolen password databases are often subjected to offline brute-force attacks.

Only the password length matters

Despite widespread frustration with the use of passwords from both a usability and security standpoint, they remain the most widely used form of authentication. Humans, however, have only a limited ability to memorize complex and long passwords, so they often choose passwords that can be easily guessed.

NIST Special Publication 800-63-3, Digital Authentication Guidelines, states that only password length really matters: length has been found to be the primary factor in characterizing password strength. When defining a secure password, remember that it should ideally be longer than 12 to 14 characters. Users should be encouraged to make their passwords as long as they want. Short passwords are vulnerable to brute-force attacks as well as to dictionary attacks.

Many online services have introduced rules in an effort to increase password complexity, and these rules frustrate many users. Some websites require passwords constructed from a mix of character types, such as at least one digit, one uppercase letter and one symbol. However, analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought, while the impact on usability and memorability is severe.
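As an added illustration of the length-first, no-composition-rule policy described above (example code, not from the article): a small Python validator that enforces a minimum length without complexity rules, screens candidates against a compromised-password list, and, for resets after a compromise, rejects trivial variants of the old password. The breach list is a constructed sample, and the function names are assumptions.

```python
import hashlib
import unicodedata

# Constructed stand-in for a breach corpus (SHA-1 hex digests, a common list format)
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password1", "Summer2016!", "letmein12345")
}
MIN_LENGTH = 12   # lower bound the article recommends (12 to 14 characters)
MAX_LENGTH = 128  # generous cap so long passphrases are never rejected

def normalize(password: str) -> str:
    # NFKC so visually identical Unicode input hashes and compares the same way
    return unicodedata.normalize("NFKC", password)

def check_password(candidate: str) -> list[str]:
    """Reasons a candidate is rejected; empty list means accepted.
    No composition rules: length and non-compromise are the only checks."""
    pw = normalize(candidate)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short ({len(pw)} < {MIN_LENGTH} characters)")
    if len(pw) > MAX_LENGTH:
        problems.append(f"too long ({len(pw)} > {MAX_LENGTH} characters)")
    if hashlib.sha1(pw.encode("utf-8")).hexdigest() in COMPROMISED_SHA1:
        problems.append("appears in a known breach corpus")
    return problems

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-copies of a previous password."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trivial_variant(old: str, new: str, max_edits: int = 2) -> bool:
    """True when the new password is a small, guessable edit of the old one."""
    a, b = normalize(old).casefold(), normalize(new).casefold()
    return a == b or a in b or b in a or edit_distance(a, b) <= max_edits

def check_reset(old: str, new: str) -> list[str]:
    """Checks applied when a compromised password is being replaced."""
    problems = check_password(new)
    if is_trivial_variant(old, new):
        problems.append("too similar to the previous password")
    return problems
```

In production the breach lookup would go to a full corpus (or a k-anonymity range API) rather than an in-memory set, but the policy shape stays the same.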

Choose multi-factor authentication for important services

Many password attacks cannot be prevented by password complexity or length. Keystroke logging, phishing and social engineering are just as effective against long, complex passwords as against simple ones.

That is why people need to start adding a second factor that they carry with them at all times. All the evidence points to this increasingly being our (smart)phone. Passwords no longer protect us properly; it is time to choose multi-factor authentication today. Read more here about how passwords are dead and why it is time to choose multi-factor authentication.