What makes for a great password? Something long, something randomised across all kinds of characters (numbers, symbols, and letters of both cases) and, ideally, something backed by a second authentication factor. The corollary is that the easier a password is for you to remember, the easier it generally is for someone else to guess, because memorable passwords are drawn from a far smaller space than random ones.
While this should be common sense for anyone who has ever had to create a password, and there are plenty of tools you can use to generate, store, and recall great passwords, there’s one little caveat to this process that you might not have thought about much. How often should you change your password?
You’ve probably experienced this at work more than anything else – some annoying notification or email letting you know that it’s time (once again) to change your password. This can be a cumbersome process, especially if you have to go and update your password across multiple apps and devices.
As it turns out, this entire process is pretty unnecessary. A strong password does not get weaker simply because it has been in use for a while; what makes it unsafe is being stolen, and rotation on a calendar does nothing to detect that.
In a blog post detailing why Microsoft dropped password-expiration policies from its baseline security settings for Windows 10 and Windows Server 2019, Microsoft “Windows nerd” and security expert Aaron Margosis wrote:
“Periodic password expiration is a defence only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorised entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.
If it’s a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password? The Windows default is 42 days. Doesn’t that seem like a ridiculously long time?
Well, it is, and yet our current baseline says 60 days – and used to say 90 days – because forcing frequent expiration introduces its own problems. And if it’s not a given that passwords will be stolen, you acquire those problems for no benefit. Further, if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you...
Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value. By removing it from our baseline rather than recommending a particular value or no expiration, organisations can choose whatever best suits their perceived needs without contradicting our guidance. At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines.”
I’m an avid 1Password user and I appreciate how the app goes to great lengths to let you know when passwords you’re using might be unsafe or otherwise compromised. What it doesn’t do, in line with Microsoft’s suggestions, is give you any grief because the password you’re using is x days old (or x years old).
That said, there is one valuable reason for changing your passwords, whether that’s a forced process or one you decide to do yourself. If you’re the kind of person who doesn’t check to see if the passwords you use have been compromised, coming up with new passwords on a regular basis is at least a good catch-all for dealing with weaker ones that might be out in the open.
To that, I offer an alternative suggestion: Instead of changing your passwords according to an arbitrary schedule, you should upgrade your passwords. If you’re a perfect password creator, you probably don’t need this step.
But if you’re normal, like me, and you sometimes use weaker passwords for new services you’re trying out because you don’t want to be bothered pulling up your password manager and summoning a 22-character monstrosity, you should schedule time to check and upgrade your lamer passwords to more secure ones.
It’s super-easy to do this if you’re using a password manager, because you can then just scan down your list of saved passwords and start updating anything that looks weak: “cat12345” rather than a long random string of mixed letters, digits, and symbols. You should also already have a pretty good idea of whether you’re using weak passwords for your favourite apps and services, which is even more likely if you aren’t using a password manager at all.
This will be a tedious process if you have a ton of weak passwords, but you can always think strategically. Start with the accounts you use most frequently and work your way down from there. (Again, a password-management app will make this process easy, and a great one will be able to tell you when it sees that you’re using a weaker password for a service.)
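The two checks above, whether a password has already appeared in breach data and whether it is weak on its own, are exactly what a good password manager runs over your vault. The following is an added example, not code from the article or from 1Password: a small audit that scores each entry and orders the findings so that breached passwords come first. The vault entries, the breach counts, and the breach "range" data are constructed for the example; `lookup_range` is an offline stand-in for fetching a prefix range from a k-anonymity breach-lookup service such as Have I Been Pwned’s Pwned Passwords API, where only the first five hex characters of the SHA-1 hash leave the machine.

```python
import hashlib
import math
import string

# Constructed sample vault, shaped like a password manager's saved-login list.
# These are illustrative entries, not real accounts or real credentials.
VAULT = {
    "email": "cat12345",
    "bank": "Tr0ub4dor&3",
    "forum": "password",
    "cloud": "k9$Vw2!pQz7#mR4tL1nX",
}


def _range_line(password, count):
    """Build one 'SUFFIX:COUNT' line in the format a /range/<prefix> response uses."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], f"{digest[5:]}:{count}"


# Constructed, offline substitute for breach-range data, keyed by 5-hex prefix.
# The counts are made up for the example.
BREACH_RANGES = {}
for _pw, _count in (("password", 3730471), ("cat12345", 412)):
    _prefix, _line = _range_line(_pw, _count)
    BREACH_RANGES.setdefault(_prefix, []).append(_line)


def lookup_range(prefix):
    """Stand-in for fetching /range/<prefix>; returns a list of 'SUFFIX:COUNT' lines."""
    return BREACH_RANGES.get(prefix, [])


def breach_count(password):
    """k-anonymity check: hash locally, send only the prefix, match the suffix locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup_range(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def entropy_bits(password):
    """Crude upper bound: length * log2(character-set size).

    This treats every character as independent, so dictionary words and
    l33t substitutions score far higher than they deserve; pair it with the
    breach check rather than trusting it alone.
    """
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    if any(c not in string.printable for c in password):
        pool += 100  # rough allowance for non-ASCII characters
    return len(password) * math.log2(pool) if pool else 0.0


def audit(vault, min_bits=60):
    """Return [(account, reason)] for entries worth upgrading, breached ones first."""
    findings = []
    for account, password in vault.items():
        seen = breach_count(password)
        bits = entropy_bits(password)
        if seen:
            findings.append((0, account, f"seen {seen} times in breach data"))
        elif bits < min_bits:
            findings.append((1, account, f"only ~{bits:.0f} bits of entropy"))
    findings.sort()
    return [(account, reason) for _, account, reason in findings]


if __name__ == "__main__":
    for account, reason in audit(VAULT):
        print(f"{account}: {reason}")
```

Running it flags “email” and “forum” because both passwords appear in the constructed breach data. Note that “Tr0ub4dor&3” passes the entropy threshold even though it is a dictionary word with predictable substitutions; that is the weakness of charset-based estimates, and it is why the breach check, or a dictionary-aware estimator such as the zxcvbn family that password managers actually use, matters more than the bit count alone.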
And, of course, even the greatest password benefits from a boost: Use multi-factor authentication wherever possible, and your accounts will be that much more secure.
Then print this article, or Microsoft’s blog post, and take it over to your IT team when you’re forced to change your password for the eighth time this year.