Instead Of Changing Your Passwords, Upgrade Them


David Murphy

Published: July 9, 2019 at 6:00 pm

What makes for a great password? Something long, something randomised with all kinds of characters – numbers, symbols, and letters of all cases – and, ideally, something backed up by a secondary authentication method. In other words, the easier it is for you to remember your password, the easier it is for someone else to crack it (generally speaking).

While this should be common sense for anyone who has ever had to create a password, and there are plenty of tools you can use to generate, store, and recall great passwords, there’s one little caveat to this process that you might not have thought about much. How often should you change your password?

You’ve probably experienced this at work more than anything else – some annoying notification or email letting you know that it’s time (once again) to change your password. This can be a cumbersome process, especially if you have to go and update your password across multiple apps and devices.

As it turns out, this entire process is pretty unnecessary. As long as you have a strong password to begin with, the mere passage of time doesn’t make it any less strong.

In a blog post detailing why Microsoft dropped password-expiration policies from its baseline security settings for Windows 10 and Windows Server 2019, Microsoft “Windows nerd” and security expert Aaron Margosis wrote:

“Periodic password expiration is a defence only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorised entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.

If it’s a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password? The Windows default is 42 days. Doesn’t that seem like a ridiculously long time?

Well, it is, and yet our current baseline says 60 days – and used to say 90 days – because forcing frequent expiration introduces its own problems. And if it’s not a given that passwords will be stolen, you acquire those problems for no benefit. Further, if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you…

Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value. By removing it from our baseline rather than recommending a particular value or no expiration, organisations can choose whatever best suits their perceived needs without contradicting our guidance. At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines.”

I’m an avid 1Password user and I appreciate how the app goes to great lengths to let you know when passwords you’re using might be unsafe or otherwise compromised. What it doesn’t do, in line with Microsoft’s suggestions, is give you any grief because the password you’re using is x days old (or x years old).


That said, there is one valuable reason for changing your passwords, whether that’s a forced process or one you decide to do yourself. If you’re the kind of person who doesn’t check to see if the passwords you use have been compromised, coming up with new passwords on a regular basis is at least a good catch-all for dealing with weaker ones that might be out in the open.

To that, I offer an alternative suggestion: Instead of changing your passwords according to an arbitrary schedule, you should upgrade your passwords. If you’re a perfect password creator, you probably don’t need this step.

But if you’re normal, like me, and you sometimes use weaker passwords for new services you’re trying out because you don’t want to be bothered pulling up your password manager and summoning a 22-character monstrosity, you should schedule time to check and upgrade your lamer passwords to more secure ones.

It’s super-easy to do this if you’re using a password manager, because you can then just scan down your list of saved passwords and start updating anything that’s out of the ordinary: “cat12345,” as opposed to “1Jf*@4,[email protected]!04#*5vka*4&5%.” Though, you should also already have a pretty good idea whether you’re using weak passwords for your favourite apps and services – which is probably even more likely if you aren’t using any password manager at all.

This will be a tedious process if you have a ton of weak passwords, but you can always think strategically. Start with the accounts you use most frequently and work your way down from there. (Again, a password-management app will make this process easy, and a great one will be able to tell you when it sees that you’re using a weaker password for a service.)
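The triage described above (flag the weak entries, then work from most-used to least-used) can be scripted against a password-manager export. This is an added example, not part of the original article or any password manager's code; the CSV column names, the `logins_90d` usage column, the sample rows and the 60-bit threshold are all assumptions.

```python
import csv
import io
import math
import string
from collections import Counter

# Constructed sample export (not real credentials); column names are hypothetical.
SAMPLE_EXPORT = """name,password,logins_90d
webmail,cat12345,120
bank,vT7#qLz9!mXe2@Rw8&bN4^,30
forum,cat12345,2
streaming,Summer2019,45
newsletter,kitty,1
"""
MIN_BITS = 60  # assumed cut-off for "needs an upgrade"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def estimate_bits(password):
    """Upper-bound strength estimate: length * log2(size of the character pool used)."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    if any(all(c not in cls for cls in CLASSES) for c in password):
        pool += 32  # assumption: flat allowance for spaces and non-ASCII characters
    return len(password) * math.log2(pool) if pool else 0.0


def upgrade_queue(export_text, min_bits=MIN_BITS):
    """Return [(account, reasons)] for entries to upgrade, most-used accounts first."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    uses = Counter(r["password"] for r in rows)
    queue = []
    for r in rows:
        reasons = []
        if estimate_bits(r["password"]) < min_bits:
            reasons.append("weak")
        if uses[r["password"]] > 1:  # same secret on more than one account
            reasons.append("reused")
        if reasons:
            queue.append((int(r["logins_90d"]), r["name"], reasons))
    queue.sort(key=lambda item: item[0], reverse=True)
    return [(name, reasons) for _, name, reasons in queue]


if __name__ == "__main__":
    for name, reasons in upgrade_queue(SAMPLE_EXPORT):
        print(f"{name}: {', '.join(reasons)}")  # never print the passwords themselves
```

The estimate is an upper bound that assumes random characters, so a patterned password such as a word plus a year is weaker than its score suggests; delete the plaintext export once the audit is done.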

And, of course, even the greatest password benefits from a boost: Use multi-factor authentication wherever possible, and your accounts will be that much more secure.

Then print this article – or Microsoft’s blog post – and take it over to your IT team when you’re forced to change your password for the eighth time this year.
