Security is at the top of the agenda at the moment and we’re all doing all that we can to ensure that the security of our businesses and our identity is maintained.
The biggest threat to IT security is weak passwords. We all know this, and therefore we put measures in place to ensure users conform.
An integral part of an enterprise password policy (and password management best practice) has always been to enforce a password change at regular intervals.
The logic is that if you change your password frequently, anyone who gains unauthorised access to your account won’t be able to do so for long.
However, I’m not sure that regular password changes actually increase security.
Typically, attackers won’t hold onto your password for an extended period of time and snoop on you. That’s not profitable. They’ll take action as soon as they have access to an account.
Regular password changes result in weaker passwords
Changing your password regularly makes it more difficult to remember good passwords. Rather than create a strong password and remember it, you must attempt to remember a new password every few months.
Often this will result in weaker passwords or the password being written down and ‘hidden’ under the keyboard. Worse still, on a sticky note on the computer screen for everybody in the office to see.
Also, people generally don’t change their password much when it expires. Instead, they “transform” it just enough to get past the policy’s checks, e.g. “Name1” to “Name2”.
It’s already almost impossible to choose a strong, unique password for every account that you have, and to remember them all. If you change your password every few months, you are likely to end up using weaker passwords or reusing them across multiple accounts, increasing the risk of a security breach.
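The “Name1” to “Name2” pattern above is easy to catch at change time. The following is an added example, not code from the original post: a check that flags a new password as a cosmetic edit of the old one, using an assumed similarity threshold and Python’s standard library only.

```python
import re
from difflib import SequenceMatcher

# Assumed threshold for this example: a new password that shares 70% or more
# of the old one (by matching characters) is treated as a trivial transform.
MIN_SIMILARITY = 0.70
TRAILING_DIGITS = re.compile(r"\d+$")


def _stem(pw: str) -> str:
    """Lower-case and drop a trailing run of digits, so that
    'Name1' and 'Name2' reduce to the same stem 'name'."""
    return TRAILING_DIGITS.sub("", pw.lower())


def is_trivial_transform(old: str, new: str) -> bool:
    """Return True when `new` is only a cosmetic edit of `old`.

    Catches the patterns the post describes: bumping a trailing number,
    changing letter case, or altering only a few characters overall.
    """
    old_l, new_l = old.lower(), new.lower()
    if old_l == new_l:
        return True                      # case-only change
    old_stem, new_stem = _stem(old), _stem(new)
    if old_stem and old_stem == new_stem:
        return True                      # "Name1" -> "Name2"
    # Generic near-duplicate: ratio is 2*M/T for M matching chars, T total
    return SequenceMatcher(None, old_l, new_l).ratio() >= MIN_SIMILARITY


def review_change(old: str, new: str) -> str:
    """Verdict a password-change handler could log or show to the user."""
    if is_trivial_transform(old, new):
        return "rejected: new password is a minor variation of the old one"
    return "accepted"


if __name__ == "__main__":
    # Constructed sample pairs (not from the post)
    for old, new in [("Name1", "Name2"),
                     ("Summer2023!", "Summer2024!"),
                     ("Name1", "purple-kettle-orbit-7")]:
        print(f"{old!r} -> {new!r}: {review_change(old, new)}")
```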
Changing your password is a good idea … sometimes
When you become aware that your password has been compromised, or if you have shared your password with a friend or colleague, you should change your password right away.
Password changes in response to specific events are a good thing. If an account in your office has become compromised, it’s worth considering a password change for everybody.
If you use the same password elsewhere, and that service is compromised, it’s possible that your password is leaked too. Rather than change that single password regularly, you should deal with the real problem here and use unique passwords everywhere.
What you should be doing
My advice is to follow best practices with password management and to set hard-to-crack passwords to begin with. It’s much more important to use strong, unique passwords everywhere than to change your password regularly.