
By: Kharmela Mindanao on August 8th, 2024


How Often Should You Change Passwords? (& Other Password Guidelines)


Be honest - how often do you forget your complex password and then resort to constant resetting?

Many of us manage multiple online accounts, from banking to social media, which leads to the common dilemma of choosing between strong, complex passwords and ones that are easy to remember but potentially insecure.

Many companies also require complex passwords as part of their Standard Operating Procedure (SOP) for online accounts, but people often forget them because they’re too complex.

Is there a middle ground?

At Intelligent Technical Solutions (ITS), we understand the difficulties of maintaining password security while balancing convenience. We are dedicated to demystifying password security for both individuals and businesses.

This article promises to share exactly how long you should hold on to a password and provides the latest insights and practical tips for effective password management. We invited Ed Griffin, Security & GRC Executive at ITS, to add his insights into this topic.

By the time you’re done reading, you'll be equipped with actionable strategies for creating stronger passwords and managing them efficiently, ensuring your online accounts are well-protected.


How often should you change passwords? 

The advice on how often you should change passwords has evolved over the years, reflecting changes in technology, security threats, and our understanding of user behavior. Current guidance from NIST (SP 800-63B) no longer recommends forcing periodic changes; it advises changing a password when there is evidence it has been compromised.

Instead of adhering to a rigid schedule (e.g., every 90 days), change passwords based on a risk assessment.

Ask questions like:

  • Has there been a breach or security incident involving the account or the service?
  • Have you realized it’s a reused password?
  • Does the password contain sensitive or easily guessable information (names, birthdays, the company or site name)?

If you answer “yes” to any of these questions, it's time to change your password. Immediately update your passwords if there are any signs of a security breach or if you suspect your password has been compromised.

But you might also be wondering – why shouldn’t you routinely change your password anymore?

By requiring constant password changes, you counterintuitively weaken password security. First, routine password changes stop being a red flag for administrators, so an attacker who changes the password on an account they have taken over is less likely to be noticed.

Secondly, constant password changes, especially for people without a password manager, often result in weaker passwords chosen for easier memorization, or in small, predictable variations of the old one (Spring2024! becoming Summer2024!).

However, some regulatory and industry frameworks still require scheduled password changes. For example, PCI DSS still requires changing a password at least every 90 days where that password is the only authentication factor, and HITRUST includes a similar 90-day requirement.

In these scenarios, if you administer passwords, evaluate which frameworks apply to your organization and decide whether scheduled or event-driven (minimal) password changes fit it better.

What other password guidelines should you know? 

So, as a company, where does that leave you when creating strong passwords? Here are some more guidelines to help you with this task:  

1. Implement security awareness training. 


While not directly related to building a strong password, it’s your responsibility to regularly educate employees about the importance of security hygiene, including the use of strong passwords, recognizing phishing attempts, and securing their devices.

“Password management best practices... it's like herding cats,” Griffin explained. "There's no way to have folks completely adopt them. Even if an organization agrees with our concerns, understands the risks, and has a desire to implement good security, when it's time to go through, there's always someone who doesn't want to do it.” 

He points out that there will always be team members who are non-compliant. Maybe they don’t understand why they should follow the guidelines, or they put off implementing them, or they think they know better.   

“There's always going to be a resistant sub-population, but all we can do is continue to educate and challenge them, and hopefully, over time, most folks will be compliant.”

2. Deploy password assessment tools. 

Deploy password assessment tools to encourage or enforce the creation of strong, unique passwords or passphrases that:

  • Are randomly generated passwords or long passphrases
  • Are at least 12 characters long (the longer, the better; 16 or more is ideal)
  • Do not contain personal information (names, birthdays, usernames) or the name of the site or service
  • Optionally mix special characters, numbers, and upper- and lower-case letters (length matters more than character variety)
  • Are not common passwords or phrases, sequential letters/numbers (abcd, 1234), or repeated characters (aaaa)
  • Do not appear in lists of passwords exposed in previous breaches
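The following is an added example, not code from the original article or from any product it mentions, showing what a password assessment tool of this kind checks: length, a denylist of common and breached passwords, sequential and repeated runs, personal or site information, and reuse of a previous password (the same questions the risk assessment above asks). The denylist, the "breached" digests, the user details and the candidate passwords are all constructed for the example; a real deployment would screen against a full breach corpus such as the Have I Been Pwned SHA-1 list and keep password history in the organization's own salted, slow-hash store.

```python
import hashlib
import os
import re

# Constructed sample data for this example, not a real breach corpus or a
# real organization's denylist.
COMMON_PASSWORDS = {"password", "password123", "qwerty123", "letmein", "welcome1"}
# Breached passwords are usually distributed as SHA-1 digests (the format
# Have I Been Pwned uses); these two are constructed stand-ins for that data.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Summer2023!", "Welcome123!")
}

MIN_LENGTH = 12   # guideline: 12+ characters, longer is better
RUN_LENGTH = 4    # "abcd", "4321" or "aaaa" of this length or more is rejected
PBKDF2_ITERATIONS = 100_000


def _has_sequential_run(pw, n=RUN_LENGTH):
    """True if pw contains n or more consecutive ascending or descending letters/digits."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        if not chunk.isalnum():
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _has_repeated_run(pw, n=RUN_LENGTH):
    """True if any single character repeats n or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None


def hash_for_history(pw, salt=b""):
    """Salted PBKDF2 digest to keep in the user's password history.
    Store this (salt, digest) pair, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def assess_password(pw, user_info=(), history=()):
    """Return the list of guideline violations; an empty list means the password passes.

    user_info: strings tied to the user or site (username, name, company, service name).
    history:   (salt, digest) pairs from hash_for_history() for previous passwords.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if hashlib.sha1(pw.encode()).hexdigest().upper() in BREACHED_SHA1:
        problems.append("appears in breach data")
    if _has_sequential_run(pw):
        problems.append("contains a sequential run (e.g. abcd, 1234)")
    if _has_repeated_run(pw):
        problems.append("contains a repeated character run (e.g. aaaa)")
    for token in user_info:
        if len(token) >= 3 and token.lower() in pw.lower():
            problems.append(f"contains personal or site information: {token!r}")
    for salt, digest in history:
        if hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS) == digest:
            problems.append("reuses a previous password")
            break
    return problems


if __name__ == "__main__":
    # Constructed user: username jdoe at Acme, logging into "acme-portal".
    previous = [hash_for_history("plum-orbit-lantern-quiet-47")]
    for candidate in ("Summer2023!", "Jdoe-Acme-Portal-1234",
                      "plum-orbit-lantern-quiet-47", "river-comet-saddle-ink-908"):
        result = assess_password(candidate, ("jdoe", "Acme", "acme-portal"), previous)
        print(f"{candidate!r}: {result or 'OK'}")
```

The history check deliberately recomputes PBKDF2 against each stored salt rather than comparing plain hashes, so the history store is no more useful to a thief than the main credential store; the breach check uses SHA-1 only because that is how breached-password lists are published, not as a way to store live passwords.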

Password management systems like Keeper will help provide the oversight needed to enforce these rules. 

“Companies should have some centrally administered password management platform,” Griffin said. “From that, we can do things like analyze which users are logging into the password management system regularly. And even though we might not be able to see what the passwords contain, we can see how many secrets they have stored and how often they are accessing their account.”  

“So, that will help identify users who are not using the system and thus likely are non-compliant with password best practices.” 

3. Use password managers and Active Directory

Encourage the use of reliable password managers and a centralized directory service such as Active Directory. A password manager generates and stores a long, random password for each account, reducing resets caused by forgotten passwords and making it practical to use a unique password for every service. A central directory means one well-protected credential instead of dozens, and one place to disable access when someone leaves.

When asked about the security of having a centralized password system, Griffin said:  
 
“We're going to have many more defensive layers around that single system than we could when we had 1,000 different individual independent systems. Sure, nothing is 100% safe from compromise, but bad actors, if they're going to get into our stuff, they're going to have to be serious about it.” 

4. Require multi-factor authentication (MFA)  

If possible, enable multi-factor authentication (MFA), also called two-factor authentication (2FA) when exactly two factors are used. This adds an extra layer of security: even if attackers have the password, they still need the second factor, such as an authenticator app code, a hardware security key, or a passkey. Where the service supports them, prefer phishing-resistant methods (FIDO2 security keys, passkeys) over SMS codes.


Ready to implement better password security? 

Boosting your password security isn't just about changing them on a set schedule. It's about getting to know the ins and outs of your digital world, understanding the precious data you're safeguarding, and keeping an eye on the ever-evolving threats.

Think of password security as a journey—one where you're constantly learning, adjusting, and staying on your toes. It's about staying current with cybersecurity guidance, ensuring your team is on the same page, and actively using the best strategies to keep your business safe.

Looking ahead, let's take the tips in this article and check your network – get a free network assessment to jump-start your password cybersecurity journey.

Now’s also the perfect time to start using these resources to protect your network: