How often do you need to change your passwords?
Microsoft says never, as long as they’re difficult to guess
So, let’s say your Windows password is JohnSmith01. You know you should make it more complex, but you doubt you’ll ever remember it. A few months later Windows asks you to change it, but you’re busy, so you can’t think of anything stronger than JohnSmith02. That becomes JohnSmith03 the next time you’re nudged, setting a pattern that repeats for years.
Sound familiar? Being regularly pestered to change your details can quickly lead to password fatigue. You realise you should spend more time coming up with an impregnable password, but the task quickly sinks to the bottom of your to-do list. And at the back of your mind the nagging thought remains: is it really necessary to change it so often?
Now we know the answer: no, it’s not. It never was. Microsoft has become the latest of many technology companies to speak out against this practice. It recently proposed scrapping the “ancient and obsolete” policy that requires users in organisations and companies to change their Windows password every few months. The problem isn’t that regularly updating your password is annoying (though of course it is). No, Microsoft’s chief concern is that it’s a profoundly unsafe way of protecting your PC.
Writing online (www.snipca.com/31424), Microsoft’s Aaron Margosis said humans are rubbish at computer security. When we’re asked to create passwords, they tend to be “easy to guess or predict”. When forced to make them hard to remember, we “write them down where others can see them” – it’s what Post-it notes were invented for, after all. And when prodded to change passwords, we make “small and predictable alterations” – such as turning JohnSmith01 into JohnSmith02 – that hackers could work out.
Mr Margosis also points out that if a password has never been stolen, there’s no urgent need to replace it. But if it has been hacked, you should change it straight away, not wait until prompted weeks later. By default, Windows says you should change your password every 42 days, which Mr Margosis admits is a “ridiculously long time” to wait if you’ve been hacked.
What’s the answer to this password paradox? Microsoft recommends other tactics, including two-factor authentication, banning unsafe passwords, and software that detects hackers trying to log in. Companies are increasingly adopting these measures to keep their systems safe.
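One way to enforce the “banning unsafe passwords” tactic at the moment a password is changed, as an added illustration that is not part of the article or of any Microsoft tooling: the check below rejects the “small and predictable alterations” Margosis describes by stripping the trailing counter and undoing case and character substitutions before comparing the old and new passwords. The substitution table, the 0.8 similarity limit and the sample pairs are constructed assumptions for this example.

```python
import re
from difflib import SequenceMatcher

# Cosmetic substitutions people use to make a password look new or stronger.
# Constructed, deliberately short table for this example; not exhaustive.
_LEET = str.maketrans({"0": "o", "1": "i", "!": "i", "3": "e", "4": "a",
                       "5": "s", "$": "s", "7": "t", "@": "a", "8": "b"})

# Similarity (0..1) above which two base words count as the same password.
SIMILARITY_LIMIT = 0.8


def strip_counter(password: str) -> str:
    """Remove a trailing run of digits/symbols: JohnSmith02 -> JohnSmith."""
    return re.sub(r"[\d\W_]+$", "", password)


def core(password: str) -> str:
    """Reduce a password to its base word: drop the counter, undo case and
    leet-style substitutions, then keep letters only."""
    base = strip_counter(password).lower().translate(_LEET)
    return re.sub(r"[^a-z]", "", base)


def predictable_change(old: str, new: str):
    """Return a reason string if `new` is a predictable alteration of `old`,
    or None if it looks like a genuinely different password."""
    if new == old:
        return "new password is identical to the old one"
    if strip_counter(new).lower() == strip_counter(old).lower():
        return "only the trailing counter or case changed"
    old_core, new_core = core(old), core(new)
    if old_core and old_core == new_core:
        return "same base word after undoing character substitutions"
    ratio = SequenceMatcher(None, old_core, new_core).ratio()
    if ratio >= SIMILARITY_LIMIT:
        return f"base words are {ratio:.0%} similar"
    return None


if __name__ == "__main__":
    # Constructed pairs mirroring the article's JohnSmith sequence.
    for old, new in [("JohnSmith01", "JohnSmith02"),
                     ("JohnSmith02", "j0hn$m1th03"),
                     ("JohnSmith03", "j%hN5m!Th0o04"),
                     ("JohnSmith03", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {predictable_change(old, new) or 'accepted'}")
```

Because it undoes substitutions, the check also treats j%hN5m!Th0o04 as a rewrite of JohnSmith: a password that only looks different still shares its base word with the one it replaces, which is the caveat a reviewer of such a policy would raise.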
Microsoft’s policy, which it calls its ‘security baseline’, doesn’t apply to home users, so you’re probably not pestered to change your password as frequently – on Windows, at least. Other services would’ve asked you in the past, though, and you may have read advice that changing passwords regularly was essential.
Security experts like Mr Margosis now think the opposite. Yes, you should still change your password if a service tells you it has been hacked, but there’s no point doing so otherwise. For many people now, the solution is to use a password manager such as LastPass or Dashlane.
Microsoft’s message feels like a welcome slice of sanity. For years, ordinary PC users have bowed to experts’ supposedly superior knowledge, and altered their passwords on command. But these days, following so many privacy and security scandals, people are less likely to accept such advice at face value.
Back to that bothersome password, then: swap JohnSmith03 for j%hN5m!Th0o04, and leave it for three million years, which Dashlane says is how long it would take to crack. We’ll catch up in Issue 7,822,038 to see whether it worked.
THE FACTS
• Microsoft is considering scrapping its policy of forcing some users to change their Windows passwords regularly
• It says using strong, unique passwords is more important than frequently changing them
• Windows currently suggests users in organisations change passwords every 42 days