Ask LH: How Often Should I Change My Passwords?
Dear Lifehacker, My company and some websites force me to regularly change my passwords, like every three months or so. How often do I need to change my passwords for all my other logins (if at all)? Signed, Stale Passwords
Lots of organisations require mandatory password changes, because it’s long been considered a security “best practice”. However, there are pros and cons to that rule, so before you decide if you need to regularly change your other passwords, let’s take a look at the times when changing your password often makes sense — and when it doesn’t.
Why Companies Enforce Password Duration Policies
When you change your password every few months, it limits how long a stolen password is useful to a stealthy attacker — how long he/she has access to your account. If someone steals your password and you don’t know about it, the attacker could eavesdrop for an unlimited time and glean all sorts of information about you or do other damage. Photo by Rochelle Hartman
Therefore, for decades, many security guidelines have recommended frequent password changes, usually between 30 and 180 days. Windows Server has a default of 42 days.
However, in most cases, these might now be outdated policies or recommendations. At the very least, it’s highly debatable that changing passwords frequently actually does increase security.
Why Changing Your Passwords Often May Be a Waste of Time
Generally, password expiration periods are not of much help in mitigating cracking because they have such a small effect on the amount of effort an attacker would need to expend, as compared to the effect of other password policy elements. Suppose that an organisation reduced its password expiration period from 60 days to 30 days. An attacker would simply need to use twice the hardware resources to compensate for this change.
Hackers have machines that can break 348 billion NTLM password hashes per second. (NTLM is a password encryption algorithm used in Windows. At 348 billion NTLM hashes per second, any eight-character password could be broken in 5.5 hours.)
So, really, changing all your passwords every 30 or 90 days isn’t very worthwhile and isn’t likely to increase your security. That’s a good thing, because many of us would rather clean the toilet than change our passwords.
Accounts Which You Might Want to Change Your Passwords Regularly
As is usually the case, there are exceptions. For certain types of accounts, hackers may be more likely to “listen in” and silently stick around for months until they glean important information from you. Schneier points out that if your kid sister or the tabloid press (if you’re a celebrity of some sort) has your Facebook password, for example, they’ll likely listen until you change your password, which could be months or years if you never find out about it.
In general, this is Schneier’s advice:
You don’t need to regularly change the password to your computer or online financial accounts (including the accounts at retail sites); definitely not for low-security accounts. You should change your corporate login password occasionally, and you need to take a good hard look at your friends, relatives, and paparazzi before deciding how often to change your Facebook password. But if you break up with someone you’ve shared a computer with, change them all.
I would add you might consider regularly changing passwords for communication-type sites that don’t have two-factor authentication: email, especially, and things like IM or conferencing services. These are more snoop-friendly services where hackers might listen in for months before you find out. (On the other hand, you really should be using an email service with two-factor authentication, since it’s a goldmine for hackers if they can get into it. It’s probably the most important account for you to secure, along with your password manager and computer account.) Some services, including Gmail, Facebook and Dropbox, show you active sessions, so as a general security precaution, you can check those to make sure no one else is logging into your accounts.
Above All Else: Beef Up Your Security in General
It’s much more important that you choose a unique password for all accounts — one as long as possible — and strengthen all your other security options (two-factor authentication, making your password recovery questions unguessable and backing everything up), because, in the end, strong passwords aren’t enough — no matter how often you change them.
If you have any weak or duplicate passwords anywhere, definitely change them as soon as possible. Also consider each regular security breach a reminder to audit and update not just your passwords, but your security setup in general — if needed. After all of that, enjoy the peace of mind that you’re doing the best you can — and save yourself the hassle of changing all your passwords on a schedule.
Got your own question you want to put to Lifehacker? Send it using our contact tab on the right.