Passwords have been the bane of users’ existence since the first non-IT-nerd had to make one up. And as the technology field changes, so do the password requirements. For anyone not keeping a finger on the pulse of the password security meta, what are the current best practices? When should you change passwords? Read this article to find out.
When should passwords be changed: short answer
Change your password:
- Once per year
- If it’s leaked via breach
- If you find malware on your device
- If you detect unauthorized access to your accounts
How often should you change your passwords?
There’s conflicting information online on how often you should change your passwords. Rather than relying on hearsay and keyword-stuffed essays that contradict themselves three times in two paragraphs, I asked the Surfshark Information Security officer.
Quoth the subject matter expert:
“Frequent password changing is overrated. It’s not a recommended practice. NIST [National Institute of Standards and Technology at US Department of Commerce] released their Digital Identity Guidelines 800-63-3, which state that increasing password complexity is better than simply changing it. That’s because frequent password changes encourage the user to reuse the same password by just changing a symbol or two. This does not present a significant challenge to hacking.
I’d say you should change your passwords once a year.”
And there you have it. You don’t need to change your passwords regularly. As long as the circumstances don’t require otherwise, there’s no need to change your password more often than once a year.
When should you change your password?
There are external circumstances that should compel you to change your password more than once every 365 days, all of them unpleasant.
You should change your password immediately if:
- Your login data appeared in a data breach: Collections of login credentials that hackers obtained via website or service breaches appear all the time, so if your password is in one of those, you need to change it. To keep abreast of such discoveries, it’s best to use a service like Surfshark Alert, which will notify you if your credentials appear in a newly discovered breach.
- You have been phished: Phishing, in its many forms, is a scam where an appearance of legitimacy is used to trick you into giving away your sensitive information. If you’ve fallen victim to one, change your password immediately.
- You detected malware on your device: While ransomware is probably the hottest new malware trend, any malware has the potential to steal your login data – including passwords. Change all of them immediately upon detection.
- You shared your account with someone: We all want to share our accounts with our spouses, friends, and so on. But people don’t stay in relationships forever, and when one ends, so does the password’s useful life. Don’t leave your accounts in the hands of former associates.
- You have a weak password: Just because your password isn’t on the Top 10 Worst Passwords list doesn’t mean that it’s not bad. Change it into something stronger that follows password creation guidelines.
- You have repeated a password: Using the same password on multiple websites/services/accounts may seem tempting, but it’s also a huge security risk. If one of those gets breached, all of them are imperiled. So if you have the same password on multiple sites, it should be changed immediately.
- You logged in at a public space: Whether it’s using a device you can’t verify the security of or an unsecured Wi-Fi network, you have put your passwords and accounts at risk. Change your passwords as soon as you have access to a safe device and a secure connection.
There are plenty of dangers out there, from breaches to unsecured connections, so make sure you always have good, secure passwords. And those are not just empty words; we also have advice on the subject!
How to create a good password (and other security tips)
There’s more to crafting a good password than just not using 12345678 for it. Luckily for you, the tips for it are easy and plentiful.
- Use a password manager – I’m starting with this one so that you won’t be intimidated by the following steps: if you have a password manager, you’ll only ever need to remember ONE password – the one for the manager. For more information, we have an article on how safe password managers are.
- A good password is at least 12 characters long – Security experts broadly agree on that one; some advise going up to 14 characters.
- Mix symbols, numbers, upper- and lowercase letters – So, you know, something like sOP3&(2aU398. Do not use that example as a password.
- Do not use words or combinations of words – A dictionary attack is a brute-force attack where the attacker’s computer tries every word in a dictionary (and common combinations of them) until one matches the password. So a single word is bad, a combination of words is less bad but still bad, and an obvious combination is back to bad.
- Avoid obvious substitutions – If you’re hell-bent on not listening to us and still use a word, don’t make obvious letter-to-number substitutions. “Fatal1ty” isn’t going to trick hackers for long.
- Use international UTF-8/UTF-16 letters (i.e. non-ASCII characters) – If you’re not an English speaker, pepper in some of your native language with that special keyboard you installed. Even a single Ą or Č increases password complexity a lot, wherever the service accepts such characters.
- Use multi-factor authentication – You’ve probably already heard of 2FA – two-factor authentication – and with good reason. If you’re only protected by your password, the hackers only need to steal that. But if you have to log in with a password and then verify the login on your phone, then the hackers have to gain access to your phone as well, which is much harder to accomplish. So use 2FA!
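As an added example (not code from the article or from Surfshark), here is a small Python checker that applies the creation rules above: minimum length, a mix of character classes, a bonus for non-ASCII letters, and a dictionary check that first undoes the obvious letter-to-number substitutions so that “Fatal1ty” is still caught. The word list is a constructed stand-in for a real dictionary.

```python
# Constructed mini word list; a real checker would load a full dictionary and a breach list.
WORDLIST = {"fatality", "password", "sunshine", "correct", "horse", "battery", "staple"}

# Undo the obvious substitutions the article warns about (0->o, 1->i, 3->e, @->a, $->s ...).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Lowercase, undo leetspeak and drop non-letters, so 'Fatal1ty' -> 'fatality'."""
    return "".join(ch for ch in pw.lower().translate(LEET) if ch.isalpha())


def splits_into_words(text: str, max_words: int = 3) -> bool:
    """True if text is one dictionary word or a concatenation of up to max_words words."""
    if not text:
        return False
    if text in WORDLIST:
        return True
    if max_words == 1:
        return False
    return any(text[:i] in WORDLIST and splits_into_words(text[i:], max_words - 1)
               for i in range(1, len(text)))


def has_international_letter(pw: str) -> bool:
    """The article's 'Ą or Č' tip: any alphabetic character outside ASCII counts."""
    return any(ch.isalpha() and ord(ch) > 127 for ch in pw)


def check_password(pw: str) -> list[str]:
    """Return the article's rules the password violates; an empty list means it passes."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(not c.isalnum() for c in pw):
        problems.append("no symbol")
    if splits_into_words(normalize(pw)):
        problems.append("dictionary word(s) even after undoing substitutions")
    return problems


if __name__ == "__main__":
    for candidate in ("Fatal1ty", "C0rrectH0rse!", "sOP3&(2aU398"):
        print(candidate, "->", check_password(candidate) or "passes")
```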
Now, your password might look scary at this point, but remember: it’s the only one you have to remember. For everything else, the password manager takes care of it, either storing the other passwords you come up with or generating them for you.
Keep your passwords safe
Making sure your passwords are secure is a great treat you can give yourself. With data breaches happening left and right, and phishing rampant, it pays off to invest in your security. So get a password manager now… and then consider getting Surfshark Alert to get warned if your passwords get leaked.