How Often Should I Change my Password?
Most computer experts and online security professionals recommend changing your Internet passwords and account login information at least once every three months. It may be safe for you to wait longer; it just depends on your computer habits, and how and where you surf the web.
Changing all of your passwords every three to six months can be a time-consuming and even a frustrating task, but it is a sure way to guarantee some level of safety for all of your online accounts. It is not the only safety precaution that should be considered for your login information, however. Whether you bank online or you are just sending a few simple emails, secure passwords are essential. It is also important to keep them all private. Avoid writing them down, even in your own home. Writing down a password is a quick way for an unauthorized person to gain access to your login information and every part of your online life.
Online passwords are used for everything from email accounts to website subscriptions and shopping accounts. Some of these online records even hold important financial information, such as credit card numbers. With phishing, identity theft, and other Internet crimes becoming everyday occurrences, it is important to choose a password that cannot be easily guessed. People who use family or pet names are the most vulnerable to Internet crimes. So choose a strong word and be sure to change it often. Changing your password is an easy task that can be completed in a matter of a few minutes.
How often a person should change it depends on the way that they use the Internet. It is best for people who habitually use public computers to change their passwords often. In fact, these people may need to change certain ones much more frequently than people who use personal computers and private Internet connections 100% of the time.
When changing your password, it is imperative that you keep in mind the following tips. First, choose a word that no one knows and no one would be able to guess. Then combine your chosen word with a selection of numbers or letters for extra security. Make it case-sensitive as well, since passwords that include both upper and lowercase letters are more difficult to figure out.
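A regular change only helps if the new password cannot be derived from the old one. The following is an added example, not part of the original article: a check run at change time that flags a new password that is a near-copy of the previous one. The function names, the four-edit threshold, and the sample pairs are assumptions constructed for illustration.

```python
import re

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def base_form(pw: str) -> str:
    """Fold case and drop digits/punctuation at either end of the password."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw.casefold())

def rotation_problem(old: str, new: str, min_edits: int = 4):
    """Return a reason string if `new` is a near-copy of `old`, else None.

    min_edits is an assumed threshold, not a value from the article.
    """
    if new == old:
        return "unchanged"
    if new.casefold() == old.casefold():
        return "only letter case changed"
    if base_form(old) and base_form(new) == base_form(old):
        return "same base word, only digits/symbols at the ends changed"
    d = edit_distance(old, new)
    if d < min_edits:
        return f"only {d} character edit(s) from the old password"
    return None

# Constructed sample pairs (old, new); none are real credentials.
SAMPLES = [
    ("Rover2019", "Rover20191"),             # digit appended
    ("Rover2019", "rOVER2019"),              # case flipped
    ("Rover2019!", "Rover2020?"),            # year and symbol bumped
    ("Rover2019", "Rovar2O19"),              # two characters swapped
    ("Rover2019", "plinth-Oboe-41-saddle"),  # unrelated replacement
]

if __name__ == "__main__":
    for old, new in SAMPLES:
        print(f"{old!r} -> {new!r}: {rotation_problem(old, new) or 'ok'}")
```

The check needs the old password in plain text, which is normally available only because the change form asks the user to re-enter it; it is never recovered from a stored hash.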
"Most computer experts and online security professionals recommend changing your Internet passwords and account login information at least once every three months"
Nonsense. Passwords should be changed only under the following three circumstances:
1) It's no longer a secret. Changing a strong password which is still a secret adds nothing in the way of real security.
2) You suspect it's no longer a secret. Changing a strong password if/when you suspect it's been compromised helps, but at the cost of choosing (thus exposing your method) another password and reducing usability.
3) It's weak. To do so at any other time, especially if forced by an ill-conceived policy, only promotes bad practice -- adding a "1" to the end, for example.
Live passwords have a finite value. They're only useful until they're changed. Of infinite value is knowing 'how' you choose your passwords; something which only frequent changes/breaches would allow.
If a security expert tells you anything else, I'd seriously question their credentials.
I used to change mine every three months for every account I have online, but it became a huge task. Now I just change the ones I most frequently visit, but only one or two letters/numbers or the case of the letters.
I've only ever had one account hacked and all they did was send out multiple emails to all my contacts, asking them for money. They never changed my security questions, so I managed to hack back into my own account, even though they changed my password. Security questions are really handy, especially when you've changed a password recently and can't remember where you put the upper cases or lower cases.
If you keep your password truly secret and don't let browsers "Help you" by saving your passwords, mandatory password changes are just an unnecessary pain in the backside.
Check out KeePass. Using this software you could use randomly generated and hard to crack passwords, but not have to remember them all.
Why change every three months? How much would my risk decrease if I changed every two months? How much would my risk increase if I changed every three years? As an IT professional, I have been trying to find this information for years. The "experts" seem to love throwing out a number, but I have never seen any real world data supporting their numbers.
@kentuckycat - Exactly. If you changed every password every three months, that would be quite a chore. I like jcraig's system of using one basic password for some websites and more secure passwords for really important sites.
@SarahSon - I've often wondered the same thing. I've heard from a couple people that using master passwords on phones isn't a good idea, but I don't know about computers. It seems like if you were using the Windows supplied program it might be okay, but I don't know if I would trust a program I downloaded online.
I've just been using the same password for most websites, and I've never had a problem. Of course, I'm no one really important, so people aren't itching to hack into my account.
@TreeMan - I'm sure those were a tense few minutes once you realized you couldn't get onto your computer. If you hadn't gotten around it like you did, you would have had to reformat the hard drive, which would have been terrible.
I work at a university, and they make us change our password every three months like the article says. It probably isn't the safest idea, but I usually just use the same password and change one of the characters in it every time.
I know changing your password often is important in case someone gets hold of your account, but it can be such a pain to keep up with sometimes.
@jcraig - Good suggestion. I never thought about coming up with a type of code for my passwords.
Something that happened to me recently was that I forgot the Windows password to log into my laptop. It has a fingerprint scanner, and that is what I always use to get on. One time, an update messed up the fingerprint scanner, and I couldn't log on. Luckily, I found a way to do a system restore without being logged in.
Once I could get logged back in, I found a password crack program that edited the system registry and deleted the password to my computer. Needless to say, after all that, I made sure I remembered the next password I put in.
@John57 - I completely agree. At first, when you just had to log in to a few major sites, it wasn't much of a problem remembering passwords. Now, if I made a unique password for every website I visit, I could have a whole notebook full of passwords.
What I have done is invent a sort of system for choosing and remembering my passwords. For all of the sites I visit on a regular basis like YouTube and such, I have a basic password with capital and lowercase letters, a number, and a symbol. That way, the password is still pretty secure, but easy for me to remember. Since I don't use it for any sites with a lot of private information, even if someone figures it out, they can't access my bank account or anything.
For sites where I do have a lot of personal information like my email, credit cards, and bank, I use a unique password for each using the tips suggested above. To remember them all, I actually do write them down on a piece of paper I keep hidden near my desk, but I put them in a type of code, so even if someone found the paper they'd have to understand what the symbols meant to know the password.
I have always wondered how safe the services are that automatically fill in the password for you?
You might be fine as long as nobody else ever uses your computer. If your computer was stolen or an unauthorized user had access to your computer, they would be able to log in to every account.
The only thing that might stop them would be if the site required you to answer security questions. This is seldom done on a home computer you use on a regular basis.
If you aren't supposed to write your passwords down anywhere, how can you remember all of them?
Most sites now require you to use a combination of letters and numbers along with upper and lower case letters.
If you have several different accounts you need passwords for, I don't know how you can remember all of them without writing them down.
If I have a site I don't log into very often, I have to use password recovery a lot because I can't remember the password. While this always works, it can also be a hassle.
I am getting much better at changing my passwords on a regular basis. When I first started using the computer, I had the same password for every account just so I could remember it.
This way I didn't have to worry about a lost password or not being able to log in to my account. Now I realize how important it is to have different passwords and change them frequently.
This is even more important if you shop online or use online banking. If you are just registering with a forum it would probably not be as critical.
Now I have a system where I change and rotate my passwords on a regular basis. Even though I rarely use a public computer, I think it is important to change them often.
How does changing a password that is already "strong" make it "stronger"?
What experts? Where do they say this? What is their scientific basis?