October is Cybersecurity Month. Let’s take a look at one of the primary forms of cybersecurity: your login password. Did you know that experts actually discourage frequent changes?
The Federal Trade Commission cautions businesses against implementing routine password-change procedures, because they encourage users to choose basic, easy-to-remember passwords that are also easy to predict.
Are Mandatory Password Changes Still Effective?
Password123! was a strong enough password to keep prying eyes from logging in to your device in the late 90s and early 2000s. But in today’s world, passwords need to meet specific requirements: they must be eight characters or more, with an uppercase letter, a number, and a special symbol. Some systems also require that the new password not repeat any of your past few. (Source: HPE)
Data security has evolved as new threats have emerged, rendering previous security measures worthless. The long-standing cybersecurity measure we all know is the mandatory password change. We usually get a prompt every 90 days telling us it’s time to change our password.
However, recent studies have shown that the mandatory 90-day password change is no longer as effective as it once was. The 90-day compulsory change leads people to set weaker passwords, since sophisticated ones are difficult to remember, especially if you have to type them more than a few times a day. People tend to pick passwords that are easy to remember and reuse them across multiple accounts.
And when you are required to change your password, you tend to reuse the previous one with a small change to a character, such as swapping S for $. Intruders can easily predict these change patterns once they get hold of any of your old passwords.
Studies on this topic have been published as early as 2010, and the Federal Trade Commission has issued an official statement on it. The FTC reminds companies that a mandatory password-update policy still offers protection against cyber attacks, but companies should keep up with newer and better security measures relevant to their specific fields. (Source: FTC)
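The two points above, the minimum requirements a new password must meet and the habit of recycling an old password with a single swapped character, can both be enforced at change time. The following is an added example (not code from the article or from any vendor it cites) of a password-change validator: it checks the stated requirements (8+ characters, an uppercase letter, a digit, a special symbol, no repeat of the last few passwords) and additionally rejects trivial variations of a recent password by reducing each password to a "stem" with case, leading/trailing digit runs and common letter-for-symbol swaps removed. The substitution table, the history depth of five and the plaintext history are this example's own assumptions.

```python
import re

# Assumption of this example: the last five passwords are kept for comparison.
HISTORY_DEPTH = 5

# Hypothetical substitution table (not from the article): the common swaps a
# guesser would try first when varying a known old password.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def meets_complexity(pw: str) -> bool:
    """The requirements quoted in the article: 8+ characters, an uppercase
    letter, a digit and a special symbol."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def stem(pw: str) -> str:
    """Reduce a password to its 'word' part so trivial variations collide:
    lower-case it, drop leading digits and the trailing digit/symbol run
    (a year or counter), undo S->$ style swaps, then drop leading symbols."""
    s = pw.lower()
    s = re.sub(r"^\d+|[^a-z]+$", "", s)
    s = s.translate(LEET)
    s = re.sub(r"^[^a-z]+", "", s)
    return s or pw.lower()   # all-digit/symbol password: compare as typed


def validate_change(new: str, history: list[str]) -> tuple[bool, str]:
    """Return (accepted, reason). `history` holds previous passwords, oldest
    first. A real system stores only salted hashes of old passwords; plaintext
    is used here purely to keep the example self-contained."""
    if not meets_complexity(new):
        return False, "fails length or character-class requirements"
    for old in history[-HISTORY_DEPTH:]:
        if new == old:
            return False, "repeats a recent password"
        if stem(new) == stem(old):
            return False, "is a trivial variation of a recent password"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample history for demonstration.
    previous = ["Password1!", "Summer2023!"]
    for candidate in ["Summer2024!", "P@ssword2!", "short1!", "Tr0ub4dor&3"]:
        print(candidate, "->", validate_change(candidate, previous))
```

With hashed history the same idea still applies: the system hashes the candidate's likely variations (or the stems) and compares those against stored hashes, rather than ever recovering the old plaintext.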
When to Change your Password
According to Lorrie Cranor, Director of Security and Privacy Technologies at the CyLab Security and Privacy Institute, we do not need to change passwords as often as we think we should. We can keep our passwords for as long as we want, but we should change them the moment we encounter any of the following scenarios:
- If you have reason to believe that your password has been stolen
- If you had to share your password with a family member or a friend
- If you saw someone look into your mobile phone or laptop over your shoulder as you input your password
- If you inadvertently provided your password to a phishing website
- If you feel you need to change your password, for any reason not stated above (Source: FTC)
Some Guidelines in Creating Passwords
Depending on your company’s password policy, you may have seen several requirements for choosing a password. You can also follow these simple tips to create a strong one.
Never Use Personal Information
Avoid incorporating your name, birthday, or any publicly available information about yourself in your password.
Use a Longer Password
A password with six or more characters should suffice. Use a mix of letters and numbers, and include special characters when possible.
Avoid Using the Same Password for Different Accounts
When possible, use a different password for each account.
Consider using a Random Password
There are several random password generators available. You may consider using a fully random password instead of one you make up yourself. (Source: GCF Global)
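To show how the guidelines above fit together, here is an added example (not code from the article or from GCF Global) that generates a random password from the operating system's cryptographic random source, rejects candidates that embed personal information such as a name or birth year, and reports how many bits of guessing resistance a uniformly random password of a given length has. The symbol set, the minimum length of 8 and the three-character threshold for personal tokens are this example's own choices.

```python
import math
import secrets
import string

# Hypothetical symbol set (this example's choice, not the article's); any
# set the target system accepts will do.
SYMBOLS = "!@#$%^&*()-_=+"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def contains_personal_info(pw: str, personal: list[str]) -> bool:
    """True if any personal token (name, birth year, pet, ...) of three or
    more characters appears in the password, ignoring case."""
    low = pw.lower()
    return any(len(t) >= 3 and t.lower() in low for t in personal)


def has_all_classes(pw: str) -> bool:
    """Lowercase, uppercase, digit and symbol all present."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw))


def generate_password(length: int = 16) -> str:
    """Draw every character from the OS CSPRNG via `secrets` and resample
    whole candidates until all four classes are present. Rejection sampling
    keeps the result uniform over all qualifying passwords; 'pick one of each
    class, then shuffle' would skew the distribution."""
    if length < 8:
        raise ValueError("use at least 8 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(pw):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing resistance of a uniformly random password: log2 of the number
    of equally likely strings. 16 characters from this 76-symbol alphabet is
    about 100 bits (marginally less once class-less candidates are rejected,
    which is negligible at this length)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, f"{entropy_bits(16):.1f} bits")
    # Constructed profile showing the personal-info check rejecting a weak choice.
    profile = ["Alice", "1990", "Rex"]
    print(contains_personal_info("Alice1990!", profile))   # True
    print(contains_personal_info(pw, profile))             # almost certainly False
```

The generated string is meant to be stored in a password manager rather than memorised, which is what makes a fully random password practical despite the article's point that hard-to-remember passwords get reused.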