How often should you change your passwords – and when?

You don’t really have to change your passwords every 30 days to be secure online except in certain situations. In those instances, you should change them at once.

Until recently, security specialists recommended changing your password every 60 to 90 days. Today, security guidelines have progressed with more secure password security practices that keeps you from having to continually reset them.

Unless you find out your passwords have been compromised or are at risk, there is no reason to change them. Actually, it could be to your detriment to change them often. In doing so, it could prompt the use of simple passwords or saving them on browsers, which is what hackers would like you to do. Don’t do either!

To avoid confusion with everything you hear or see about how often you should change your passwords, here are ways to practice good password hygiene.

Password Assessment

Data breaches are beyond your control and, as a result, you cannot always keep bad actors from taking possession of your credentials. Monitoring your online accounts is the best way to know if your accounts are at risk.

If you use a password manager, it may include Dark Web monitoring or have a built-in password health monitoring tool. If so, you would receive an alert that notifies you when your credentials show up on a data breach list. Some monitoring tools can also detect passwords that have been compromised in the past, recycled, or have a combination of weak characters. To find out if your email and/or phone number have been compromised, go to haveibeenpwned.

Never Save Passwords in Your Browser

Several web browsers provide you with the option to save your passwords when you log into a website. Choose never to do so otherwise you are putting yourself at risk. Desktop web browsers are subject to malware and generally do a poor job of protecting your passwords, credit-card numbers and personally identifiable information. Further, anyone who uses your device can use your browser to log into your accounts without having to authenticate their identity. In lieu of using your browser’s credential management tool, use a reputable password manager, such as Bitwarden, 1Password or Apple’s iCloud Keychain.

When to Change Your Password

How often does IT at work require you to change the password on the computer or other devices you use for the office? Nowadays, every 60 to 90 days is too often. It used to be common practice, but not anymore. Today’s recommendation is to use a long and unique password (or passphrase) or a password manager.

What makes a strong password is that it’s long (no less than 12 characters), has unique characters and numbers and is impossible to guess. Additionally, never reuse it for more than one account.

More password best practices

• Use a password manager, such as Bitwarden, 1Password or Apple’s iCloud Keychain
• Do not use your name nor common phrases
• Use a password and/or passphrase generator, such as Bitwarden’s
• Never save your passwords in your browser
• Use multi-factor authentication (MFA) where you can or an authentication app
• Audit your existing passwords for strength, compromises and reuse

Now that systematically changing your password every few months is no longer a necessity, there are times when updating your password is needed. In certain circumstances, regardless of how watchful you are, situations can happen that require you to act after they occur.

Below are instances when you should change your passwords:

Security Breach

When you are notified by a service provider or website that a security breach has occurred, change the password associated with that account.

Malware or Phishing Attack

Changing your password after a malware or a phishing attack may not lessen all the damage they’ve caused; however, it can keep hackers from continuing to access your accounts or impersonating you. When changing your password on the affected account, be sure to do so on a different device.

In addition, keep your devices and software updated, think twice before clicking links, opening attachments, or downloading anything to avoid future attacks.

If an Attempt has Been Made to Access Your Account

Should you get an SMS unauthorized-account-access alert, check your account immediately to make sure nothing has been stolen nor any changes have been made and update your password. Turn on multi-factor authentication while you’re at it.

When Another Account is Compromised

By now, everyone should know to never use the same email and password combination for your online accounts. If one gets hacked, they’re all at risk. Use a password generator to create unique passwords for every site, even if you haven’t been hacked.

After Password Sharing

A lot of password managers allow credential sharing between contacts, especially those used by businesses. Some password managers allow you to designate the amount of time you want to share the credential while others make you turn off sharing manually. After the credential has been used by the person it is shared, remove the access that was given to them. If you have any reservations about the account’s security after sharing the credential, go ahead and change the password.

Conclusion

If we can help you with this or your company’s unique demands, Connect with a Client Success Manager to schedule a time to discuss your needs and how we can meet them.