Why It's Better Not to Change Passwords Regularly
Experts used to tell us to change passwords regularly. That came with some other rules: under no circumstances should you use your name or telephone number as a password, and "123456" and "password" are not a good idea either. Instead, think of long, complex phrases and use a new password for each user account. None of this has changed people's habits much.
Almost all Internet users should know these golden rules by now. Nonetheless, insecure passwords are still a widespread problem, for two reasons. First, knowledge does not necessarily result in action: the most popular passwords by far are still "123456" and "password". Second, the first piece of advice is nonsensical, and here is why changing passwords regularly makes hardly any difference.
At First Glance, The Password Rule Seems Reasonable
Some time ago, the US FTC tweeted, "Encourage your friends and family to change passwords regularly and make them long, strong, and unique." Lorrie Cranor, who had just been appointed chief technology officer at the FTC, was surprised by her new employer. "I went to the social media officer and asked them about it," she said at a security conference in Las Vegas. The answer was: "It must be good advice because we change our passwords at the FTC every 60 days."
Regardless of this odd justification, the rule does seem reasonable at first. It often takes months or even years before it becomes known that hackers have stolen data. Hundreds of millions of logins for sites such as LinkedIn, Myspace, Tumblr and Yahoo are currently being sold on the deep web, all of it from hacks that occurred several years ago. Anyone who has changed their password in the meantime has nothing to fear.
Regular Password Changes Hardly Bring Any Additional Security
But the research contradicts this gut instinct. The tech blog Ars Technica has collected several studies that explain why it hardly matters how often you change passwords. As early as 2010, researchers from the University of North Carolina at Chapel Hill (PDF) evaluated data from more than 10,000 former students and university employees who had been required to change their passwords regularly by the university's security guidelines. Their conclusion: "We believe that our study raises doubts as to whether it makes sense to add a kind of expiry date to passwords in the future."
Why Passwords Have to Be Abolished
The precautionary measure only increases security if each change produces a completely new password that has nothing to do with the previous ones. In practice it looks different: "password" becomes "password1", "passw0rd" or "pa$$word". The majority of users modify their login data according to patterns that modern computers can easily predict. In addition, people tend to pick weaker passwords from the start when they know they will have to change them soon anyway, which only adds to the problem by making the passwords easy to crack from day one.
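As an added illustration (not part of the original article, and not the method used in the cited studies), the check below rejects a proposed new password that is only a predictable rewrite of the old one: case changes, leetspeak, appended digits or symbols, reversal, or a near-identical string. The substitution table, the similarity threshold and the 12-character minimum are my assumptions.

```python
import difflib
import string

# Reverse the leetspeak substitutions users typically apply when forced to rotate,
# so that "passw0rd" and "pa$$word" both collapse to "password". (Assumed table.)
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "$": "s", "@": "a", "!": "i"})


def normalize(pw: str) -> str:
    """Strip the predictable decorations: case, leetspeak, leading/trailing digits and symbols."""
    core = pw.lower().translate(LEET)
    return core.strip(string.digits + string.punctuation)


def is_trivial_variant(old: str, new: str) -> bool:
    """True if `new` is derived from `old` by a pattern a cracker would try first."""
    a, b = normalize(old), normalize(new)
    if not a or not b:
        # All-digit passwords such as "123456" normalise to nothing; compare the raw strings.
        a, b = old.lower(), new.lower()
    if a == b or a == b[::-1]:           # "Password!" -> "password", "drowssap"
        return True
    if a in b or b in a:                 # "password" -> "mypassword", "password2020"
        return True
    # A handful of edited characters ("password" -> "passwore") still counts as a variant.
    return difflib.SequenceMatcher(None, a, b).ratio() >= 0.85


def check_password_change(old: str, new: str, min_len: int = 12) -> list[str]:
    """Return the policy violations for a proposed change (an empty list means accepted)."""
    problems = []
    if len(new) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if is_trivial_variant(old, new):
        problems.append("predictable variant of the previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [("password", "password1"), ("Summer2023", "Summer2024"),
                     ("password", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new) or 'accepted'}")
```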
Last year, researchers at Carleton University in Ottawa (PDF) came to a similar conclusion. Most attack methods are not rendered ineffective by changing the password regularly. The benefits are "relatively small at best" and justify the additional effort only in exceptional cases.
How to protect your passwords better
These studies have evidently convinced the FTC as well. It has published an article named Advanced Password Tips and Tricks, and in contrast to earlier blog entries there is no recommendation to change passwords frequently. Instead, it now says, "Change your password quickly if there was a successful attack." The FTC is thus following the advice of the scientists: act quickly in an emergency, but not without a specific reason.
In the opinion of many researchers, passwords are not really a worthwhile safeguard anyway. Biometric methods like fingerprint or face recognition also have their weaknesses, and long, complex passwords provide better protection in many cases. Unfortunately, most people use bad passwords in reality, and compared to those, fingerprint sensors, iris scanners or speech recognition software would be the safer option. Still, it will probably be a long time before people stop using passwords for logins.
Until then, it remains important to choose a secure password, and the golden rules mentioned above remain relevant. Length matters more than cramming in as many numbers, letters and special characters as possible: twelve characters are many times safer than eight. If you have more than a handful of accounts and want to assign a unique password to each, you either need a really good memory or should consider a password manager such as 1Password, LastPass or KeePass.
Another measure is to enable two-factor authentication on your accounts. This adds a second check on top of the password: in order to log in, an additional code is required, which you can receive, for example, by SMS or email, or read from an app on your smartphone. For criminals, the password alone becomes worthless, and for users, regular password changes become even more unnecessary than they already are.
What about Remote Client Security
By now you should be convinced that changing passwords regularly is a futile exercise. If you want to follow the tips given above, you first select a strong password and then use two-factor authentication. But remote clients in Windows don't usually support two-factor authentication by default, so if you want that feature you have to use third-party software.
SUN FIREWALL thought of this a long time ago. We provide several features for protecting your account, be it protection against brute-force attacks or on-demand two-factor authentication.
The One Time Password feature of SUN FIREWALL makes this easy: it is a kind of two-factor authentication that sends you a new, randomly generated, long and secure password whenever you want to log in. That makes regular password changes pointless, because whenever you want to log in to your remote client you can simply request a new password.
There is also a timed password feature that lets you make the generated passwords time-bound. You define a time range (e.g. 9 am to 5 pm) so the password can be used only within that span and not afterwards. Check out the products section for an overview of the features SUN FIREWALL provides and try it for yourself.
All in all, you can stop worrying about changing passwords for now. Tell your IT department about the articles mentioned here and start using more secure passwords from now on. Next time someone tells you to change passwords regularly, you can point them to the measures described here that work better.