There was a time that whenever I wrote something related to security passwords, I’d use these words: “Use password managers, as they make it very easy to change passwords, which you should do frequently.” Because that’s the advice everyone gives about passwords, along with making them strong and unique to every service and account you create.
I haven’t done that in years, though, because one of our resident security experts, Neil J. Rubenking, pointed out that the “should do frequently” part is now outdated advice.
When the National Institute of Standards and Technology (NIST) issued its Digital Identity Guidelines in 2017, it used a lot of science-talk to discuss information security standards and “memorized secrets”—its term for passwords, passphrases, and personal identification numbers (PINs). Its conclusion: “Do not require that [passwords] be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise.”
The NIST report also included an appendix about the Strength of Memorized Secrets, which discusses how it’s almost impossible for people to memorize passwords if they have forced “composition rules,” such as including a symbol, an uppercase letter, a numeral, etc.
“The benefit of such rules is not nearly as significant as initially thought, although the impact on usability and memorability is severe,” NIST said.
The length of a memorized secret is more important than complexity. Yet so many services reject extra-long passphrases. (NIST says people should be allowed up to 64 characters.)
Nothing beats memorization for security, but after a couple of years online, you could have hundreds of passwords to keep in your brain. That way lies madness. Ultimately, the best advice for anyone dealing with password security is to use a password manager so you only have to remember one master password/phrase.
NIST agrees; its 2024 update to the Digital Identity Guidelines recommends password managers and has other suggestions for services and organizations that require passwords. Those include enabling “show password,” since it’s highly unlikely anyone is hovering behind you to write it down and it reduces typing mistakes; locking out users after multiple failed attempts; monitoring for the use of dumb, over-used passwords; and employing multi-factor authentication.
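As an added illustration of those service-side recommendations (length over composition rules, a 64-character ceiling, a blocklist of over-used passwords, and lockout after repeated failures), here is a small policy check written for this page; it is not PCMag’s or NIST’s code. The 8-character minimum, the blocklist contents and the lockout threshold are assumptions, not figures from the article.

```python
# NIST Digital Identity Guidelines (SP 800-63B) style checks, added example.
# Assumed, not from the article: an 8-char minimum, a constructed blocklist standing
# in for a breached/common-password list, and a constructed lockout threshold.
import unicodedata

MIN_LEN, MAX_LEN = 8, 64      # article: NIST says allow up to 64 characters
MAX_FAILED_ATTEMPTS = 5       # constructed threshold for the lockout rule

# Constructed stand-in for the "over-used passwords" list a real service would
# source from a breach corpus; compared case-insensitively after normalization.
BLOCKLIST = {"password", "password1", "p@ssw0rd", "123456", "qwerty", "letmein"}

def legacy_policy(pw: str) -> bool:
    """The composition-rule policy the article says NIST now discourages."""
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(not c.isalnum() for c in pw)
    return 8 <= len(pw) <= 16 and has_upper and has_digit and has_symbol

def nist_policy(pw: str) -> tuple[bool, str]:
    """Length plus blocklist only: no composition rules, spaces/Unicode allowed."""
    pw = unicodedata.normalize("NFKC", pw)   # same visible text -> same secret
    if len(pw) < MIN_LEN:
        return False, "too short"
    if len(pw) > MAX_LEN:
        return False, "too long"             # reject; never silently truncate
    if pw.lower() in BLOCKLIST:
        return False, "commonly used password"
    return True, "ok"

class LoginThrottle:
    """Lock an account after MAX_FAILED_ATTEMPTS consecutive failed logins."""
    def __init__(self) -> None:
        self.failed: dict[str, int] = {}

    def is_locked(self, user: str) -> bool:
        return self.failed.get(user, 0) >= MAX_FAILED_ATTEMPTS

    def record(self, user: str, success: bool) -> bool:
        """Record one attempt; return True if the account is (now) locked."""
        if self.is_locked(user):
            return True                      # stays locked until explicitly reset
        if success:
            self.failed.pop(user, None)      # a good login clears the counter
            return False
        self.failed[user] = self.failed.get(user, 0) + 1
        return self.is_locked(user)
```

Note the contrast: the legacy rules accept “P@ssw0rd” and reject a 28-character passphrase, while the length-and-blocklist policy does the reverse.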
Don’t Lie: How Often Do You Change Passwords?
Let’s get back to the frequency, Kenneth. That standard advice of changing your password every few months to a year is ingrained in most articles on the subject. A Google search on “how often should I change my password” returns a first result reading “every three months.” Most sites and articles say the same, with a few exceptions. And Feb. 1 is Change Your Password Day!
The story I wrote years ago about passwords that spurred all this included coverage of a survey in which PCMag specifically asked, “How often do you change your passwords?” About 74% of respondents claimed to change their passwords at a minimum of every six months. I don’t buy it. The cynic in me thinks people believe they are supposed to change passwords often, and don’t want to admit to us (or themselves) that they don’t. Perhaps they’re annoyed because their workplace or some service forces them into frequent changes.
Stop feeling guilty! The experts told us years ago to quit making regular password changes. It’s time we listened. As long as your password is already reasonably strong and unique to every site and service, changing it frequently is not much help to you.
Unless it’s compromised in a data breach, of course, then change it immediately.
This isn’t going to stop certain entities from forcing you to change your password. Your boss or bank may take some persuading to cease showing that dreaded “Please enter a new password to continue” message every few months. They probably won’t let you re-use a password either, even if it was the strongest you’d ever created. They’re probably also going to continue to limit size and require special characters. Sorry.
But if you have a really good password for a service or account, you can probably keep it for life (or until there’s a breach). Just ensure it’s long, strong, and unique to the service.