
Changing Your Password Too Often Might Be Hurting Your Account Privacy

Patterns most humans use in changing their passwords could be leading to more predictable and easy-to-breach security.

Microsoft recently advised against the longstanding convention of requiring periodic password changes. Forced rotation turned out to push users toward more predictable, easier-to-breach passwords.

"The pattern that humans use, particularly when they're not using a password manager, is they come up with, sort of, this rubric," said Pedro Canahuati, chief technology officer at 1Password. "If that's really very complex, it makes it difficult for people to gain access to it. But the reality is, humans are not good at randomness."

"The previous advice for people to rotate their passwords so frequently led to some really bad habits: people writing passwords down, only changing maybe the last digit," said Lisa Plaggemier, executive director of the National Cybersecurity Alliance.

"Changing that one character at the end of your password is not enough when you're up against a bot who's just cycling away at different passwords and switching out letters and numbers."

Humans are notoriously bad at passwords. NordPass' research of commonly used passwords across 50 countries in 2021 found the most popular were strings of letters or numbers, like 123456 and qwerty or words like password. Most could be cracked in less than one second.
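To make the two points above concrete, the script below is an added example written for this article; it is not code from NordPass, 1Password, Keeper or any other party quoted here. It derives the predictable "rubric" rotations of a known old password (bump the trailing number, swap a symbol, append a year) in the order a guessing bot would try them, reuses the same routine as a password-change check that rejects such rotations, flags dictionary hits against a common-password list, and generates a manager-style random password for comparison. The common-password list and the sample passwords are constructed for the example, not NordPass's data.

```python
import math
import re
import secrets
import string
from typing import List, Optional

# Constructed stand-in for a "most common passwords" list; not NordPass's data.
COMMON_PASSWORDS = {"123456", "123456789", "qwerty", "password", "12345", "111111"}

TRAILING_SYMBOLS = "!@#$%^&*"


def rotation_candidates(old: str) -> List[str]:
    """Predictable successors of a known old password, in the order a guessing
    script would try them: bump the trailing number, swap or append a symbol,
    append a year or season, flip case. Mirrors the 'change the last digit'
    habit that forced rotation encourages."""
    cands: List[str] = []

    def add(c: str) -> None:
        if c != old and c not in cands:
            cands.append(c)

    m = re.match(r"^(.*?)(\d+)(\D*)$", old)   # last digit run, e.g. Fluffy2021!
    if m:
        stem, num, tail = m.groups()
        for delta in range(1, 10):            # Fluffy2022! ... Fluffy2030!
            add(f"{stem}{int(num) + delta:0{len(num)}d}{tail}")

    bare = old.rstrip(TRAILING_SYMBOLS)       # Fluffy2021! -> Fluffy2021
    for sym in TRAILING_SYMBOLS:
        add(bare + sym)                       # swap the trailing symbol
        add(old + sym)                        # or append one more

    core = re.sub(r"[\d!@#$%^&*]+$", "", old)  # Fluffy2021! -> Fluffy
    for year in (2021, 2022, 2023):
        add(f"{core}{year}")
        add(f"{core}{year}!")
    for season in ("Spring", "Summer", "Fall", "Winter"):
        add(f"{core}{season}")
        add(f"{core}{season}!")
    add(old.swapcase())
    add(old.capitalize())
    return cands


def guesses_needed(old: str, new: str) -> Optional[int]:
    """Number of rotation guesses that reach `new` from `old`, or None if the
    rubric does not cover it. An attacker runs this against a stolen old
    password; a password-change endpoint can run it to reject the rotation."""
    for i, cand in enumerate(rotation_candidates(old), start=1):
        if cand == new:
            return i
    return None


def is_predictable_rotation(old: str, new: str) -> bool:
    """Server-side check for a change-password handler."""
    return guesses_needed(old, new) is not None


def is_common_password(pw: str) -> bool:
    """A dictionary hit is cracked instantly regardless of hashing cost."""
    return pw.lower() in COMMON_PASSWORDS


ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def random_password(length: int = 16) -> str:
    """What a password manager does: uniform choice from a large alphabet using
    the OS CSPRNG, so there is no rubric to learn from the previous value."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Size of the guessing space, in bits, for a uniformly random password."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    old, new = "Fluffy2021!", "Fluffy2022!"   # constructed sample passwords
    print(f"{old!r} -> {new!r}: guessed on attempt {guesses_needed(old, new)}")
    print(f"'123456' in common list: {is_common_password('123456')}")
    gen = random_password()
    print(f"manager-style password {gen!r}: {entropy_bits(len(gen)):.0f} bits, "
          f"predictable rotation of old? {is_predictable_rotation(old, gen)}")
```

The same `rotation_candidates` routine serves both sides: offline it is a tiny cracking wordlist seeded by a leaked old password, and online it is the check a change-password handler can run before accepting a new value. The year and season lists are deliberately short for illustration; a real check would cover a wider range.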

Still, if you search online for advice on how often you should change passwords, you'll find plenty of results saying you should change them routinely.

Newsy spoke to four cybersecurity experts about best rotation practices. While all noted that there are times when passwords should be changed — like when your data is implicated in a breach — there are other, more important security features that can be used to strengthen data protection.

"People just need to understand that passwords only go so far, and you need multifactor authentication," said Ed Skoudis, president of SANS Technology Institute. "Password management organizations also have an obligation to keep their users secure and safe."

"The simple solution at the end of the day is to use strong and unique passwords with a password manager because nobody can create them as strong as they can with the password manager," said Craig Lurey, chief technology officer at Keeper Security. "This is hundreds of engineers, solely focused on protecting passwords in an encrypted vault that's highly secure and protected from access, and all the years of implementation that went into that versus whatever you think you can do with your notepad."