Dear Lifehacker, My company and some websites force me to regularly change my passwords, like every three months or so. How often do I need to change my passwords for all my other logins (if at all)? Signed, Stale Passwords
Lots of organisations require mandatory password changes, because it's long been considered a security "best practice". However, there are pros and cons to that rule, so before you decide if you need to regularly change your other passwords, let's take a look at the times when changing your password often makes sense -- and when it doesn't.
Why Companies Enforce Password Duration Policies
When you change your password every few months, it limits how long a stolen password is useful to a stealthy attacker -- how long he/she has access to your account. If someone steals your password and you don't know about it, the attacker could eavesdrop for an unlimited time and glean all sorts of information about you or do other damage. Photo by Rochelle Hartman
Therefore, for decades, many security guidelines have recommended frequent password changes, usually between 30 and 180 days. Windows Server has a default of 42 days.
However, in most cases, these might now be outdated policies or recommendations. At the very least, it's highly debatable that changing passwords frequently actually does increase security.
Why Changing Your Passwords Often May Be a Waste of Time
[image url="http://img.gawkerassets.com/img/187j08n84k9hmjpg/original.jpg" link="lightbox" small A Microsoft study a couple of years ago found that mandatory password changes cost billions in lost productivity -- for very little security payoff. Other computer security resources (Purdue University, Health Informatics and Life as a CIO blog, for example) point out that the "best practice" of frequently changing passwords does little to improve security but much to increase everyone's frustration. Users typically end up choosing variations on the same simple passwords (e.g. password3) or resorting to sticky notes taped to their laptops. In other words, in some cases password-changing requirements could actually increase risk. Photo by Mat Walker.
Security expert Bruce Schneier points out that in most cases today attackers won't be passive. If they get your bank account login, they won't wait two months hanging around, but will transfer the money out of your account right away. In the case of private networks, a hacker might be more stealthy and stick around eavesdropping, but he's less likely to continue to use your stolen password and will instead install backdoor access. Regular password changes won't do much for either of those cases. (Of course, in both instances, it's critical to change your password as soon as the security breach is found and the intruder blocked.)
In today's crazy hacker-friendly system, frequent password changes are less relevant than ever. The NIST says that password expiration policies are "irrelevant for mitigating cracking", because not only are hackers totally on to our clever password tricks, they've got more advanced hardware and software:
Generally, password expiration periods are not of much help in mitigating cracking because they have such a small effect on the amount of effort an attacker would need to expend, as compared to the effect of other password policy elements. Suppose that an organisation reduced its password expiration period from 60 days to 30 days. An attacker would simply need to use twice the hardware resources to compensate for this change.
Hackers have machines that can break 348 billion NTLM password hashes per second. (NTLM is a password encryption algorithm used in Windows. At 348 billion NTLM hashes per second, any eight-character password could be broken in 5.5 hours.)
So, really, changing all your passwords every 30 or 90 days isn't very worthwhile and isn't likely to increase your security. That's a good thing, because many of us would rather clean the toilet than change our passwords.
Accounts Which You Might Want to Change Your Passwords Regularly
As is usually the case, there are exceptions. For certain types of accounts, hackers may be more likely to "listen in" and silently stick around for months until they glean important information from you. Schneier points out that if your kid sister or the tabloid press (if you're a celebrity of some sort) has your Facebook password, for example, they'll likely listen until you change your password, which could be months or years if you never find out about it.
In general, this is Schneier's advice:
You don't need to regularly change the password to your computer or online financial accounts (including the accounts at retail sites); definitely not for low-security accounts. You should change your corporate login password occasionally, and you need to take a good hard look at your friends, relatives, and paparazzi before deciding how often to change your Facebook password. But if you break up with someone you've shared a computer with, change them all.
I would add you might consider regularly changing passwords for communication-type sites that don't have two-factor authentication: email, especially, and things like IM or conferencing services. These are more snoop-friendly services where hackers might listen in for months before you find out. (On the other hand, you really should be using an email service with two-factor authentication, since it's a goldmine for hackers if they can get into it. It's probably the most important account for you to secure, along with your password manager and computer account.) Some services, including Gmail, Facebook and Dropbox, show you active sessions, so as a general security precaution, you can check those to make sure no one else is logging into your accounts.
Above All Else: Beef Up Your Security in General
It's much more important that you choose a unique password for all accounts -- one as long as possible -- and strengthen all your other security options (two-factor authentication, making your password recovery questions unguessable and backing everything up), because, in the end, strong passwords aren't enough -- no matter how often you change them.
If you have any weak or duplicate passwords anywhere, definitely change them as soon as possible. Also consider each regular security breach a reminder to audit and update not just your passwords, but your security setup in general -- if needed. After all of that, enjoy the peace of mind that you're doing the best you can -- and save yourself the hassle of changing all your passwords on a schedule.
Got your own question you want to put to Lifehacker? Send it using our contact tab on the right.