3 min read

Busting myths: How often should you really change your password?

Radu CRAHMALIUC

November 22, 2021


Since the beginning of time, security experts have been telling you to change your password periodically. And they’re right. It’s a reasonable precaution if you’re a company with 1,000 employees trying to mitigate every risk possible. But as a regular user, changing all your passwords every month, without a serious reason, is tricky and doesn’t enhance your security. Actually, it makes things worse. Here’s why:

Changing all your passwords every month is impractical. An employee has one, maybe two passwords to manage, but an average user has 100 online accounts, each with its own password. That includes e-mail accounts, social media accounts, online shopping accounts and many others. Also, you probably have smart devices in your home that need a password. It’s unlikely you have the time or will to change all your passwords on a monthly basis. Moreover, all those passwords must be unique for each account and for each month, you can’t repeat yourself, and you’re supposed to remember them all. Which brings us to the next delicate problem.

Changing your passwords every month is useless if all your passwords are weak. A 10-character password made up of only numbers can be brute-forced instantly. On the other hand, a 10-character password that uses numbers, upper- and lower-case letters and symbols requires five years to crack, and an 11-character password following the same pattern requires 400 years to crack. That’s why, when choosing a password, longer is always better, and every extra character makes a big difference. But that’s not all: while names, phone numbers and dates of birth are easy to remember, try not to include them, as they’re also easy to guess. Reusing an old password is convenient, except it’s dangerous because it might have been leaked in the past. Finally, if you use the same password for more than one account, come prepared: if one of those accounts is hacked, an attacker can take over all your accounts.
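The figures above come from the size of the search space an exhaustive guess must cover: alphabet size raised to the password length. The following added example (not from the original post) computes that keyspace for the three cases the text describes; the guess rate of 10 billion guesses per second is an assumption, so the absolute years differ from the post's figures, but the 95-fold jump from 10 to 11 characters holds at any rate.

```python
import math
import string

# Character classes counted toward the keyspace. Symbols are the 32 ASCII
# punctuation marks plus the space, so all four classes together make 95.
_CLASSES = {
    "digits": set(string.digits),            # 10
    "lower": set(string.ascii_lowercase),    # 26
    "upper": set(string.ascii_uppercase),    # 26
    "symbols": set(string.punctuation + " "),  # 33
}


def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet that covers every character used."""
    size = sum(len(chars) for chars in _CLASSES.values()
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password uses no recognised character class")
    return size


def keyspace(password: str) -> int:
    """Candidates an exhaustive search must try in the worst case."""
    return alphabet_size(password) ** len(password)


def crack_time_seconds(password: str, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace at the assumed guess rate."""
    return keyspace(password) / guesses_per_second


def describe(password: str, guesses_per_second: float = 1e10) -> str:
    """One-line summary; the default guess rate is an assumption, not a measurement."""
    secs = crack_time_seconds(password, guesses_per_second)
    years = secs / (365.25 * 24 * 3600)
    return (f"len={len(password)} alphabet={alphabet_size(password)} "
            f"keyspace=2^{math.log2(keyspace(password)):.1f} "
            f"worst-case={secs:.1e}s (~{years:.2g} years)")


if __name__ == "__main__":
    # Constructed sample passwords mirroring the three cases in the text:
    # digits only, mixed 10 characters, mixed 11 characters.
    for pw in ["0192837465", "a1B2c3D4e!", "a1B2c3D4e!f"]:
        print(describe(pw))
```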

Changing your passwords every month is not enough. Even with the strongest password, accidents can still happen: your password leaks in a data breach, you get infected with password-stealing malware or you’re targeted by a phishing attack. If that’s the case, a password can’t help you. However, by adding multi-factor authentication (MFA) to your account, you can reject an attack 99.9% of the time. MFA consists of supplementing your password with another form of authentication, like a code generated on your phone, or a physical USB key, so that even if your password is compromised an attacker still can’t access your account.

Changing your passwords every month can be dangerous, because it gives you a false sense of security. Passwords are used by real people, not by theoretical models, and when real people need to change their passwords monthly, they look for shortcuts. They reuse old passwords, choose weaker passwords or create passwords they can remember easily. By trying to make their passwords better, they inadvertently make them worse.

In conclusion, instead of changing your passwords every month, it’s more important to use strong, unique passwords protected by multi-factor authentication, and to change them only when necessary.

A password manager can help you organize everything, because it generates randomized passwords for all your accounts, keeps them secure, fills in your passwords for you and saves you from having to memorize everything.

When should you change your password immediately?

  • If it’s a default password. Always replace default passwords with strong, unique, randomized passwords. A password manager can help.
  • If you know your old password is weak, or if you know it’s a password you’ve reused on multiple accounts.
  • If your account has been involved in a data leak. Generally, you’re notified. But, to be on the safe side, use Digital Identity Protection, a service that alerts you in real time if any of your accounts have been breached.
  • If you’ve been recently infected with malware.
  • If you notice unusual behavior regarding your accounts, or if you have reason to believe your password was exposed.
