It's 2024, and we still have passwords. Yes, there are options to get rid of passwords, but for the masses those options are still a bit out of reach, so we still have to deal with them as best we can.
A key question I get is "how often should we change our passwords"? It's a tricky one to answer, and different people will have different answers, depending on the circumstances.
For a company, it's pretty standard practice to require password resets at regular intervals for staff. So if password details are lost, maybe when the criminal tries to breach the network from a remote location in a few months, that password is no longer valid. Maybe a criminal is on the network already with those credentials, and they become invalid, blocking their activity. So yes, this is certainly a valid case for changing passwords. And let's not forget that in a company setting, you might only have 1 password to remember, because the IT people can log you into different services with that single password, so it's a very important piece of information.
At home, you might certainly have some pretty important passwords too, like your online banking password. You might have tens, or even hundreds of passwords. So suddenly it's impossible to remember them all, and a lot of people will resort to using the same password for different services. Now losing that password becomes a big problem!
Password Basics
So, let's start with some basic, solid password management advice:
- Use a password manager - this is software for storing and protecting all your login details.
- Ensure that your passwords (stored in the password manager) are:
- Long - the longer the better.
- Complex - use uppercase, lowercase, numbers, symbols etc.
- Unique - so if a password is lost, the criminal can only log into one service.
- Use "multi-factor authentication" (MFA) wherever you can. e.g. You log in with your username and password, and if you're are logging in from somewhere new, it will ask you for a code. If that code is sent to you in an SMS, that's better than nothing, but it's not great. It's far better to use "authenticator apps" which provide one-time codes that regularly change, and these codes are tied to an account (e.g. Google or Microsoft) rather than a phone number.
- Coming back to number 1, use MFA on the login for your password manager, and make sure the login password is long, complex and unique! Here, a passphrase can be useful. e.g. Pick some unrelated words, stick them together, add capitals / special characters etc. This will be the one password you actually have to remember.
The Answer
So assuming you're doing the password basics properly, this is my answer.
Yes, it's reasonable for companies to require you to change your password regularly - it's a key entry point for criminals, and the costs and damage to reputation from a data breach can be staggering. But, the risk is that people will make minor changes to their current password. e.g. "dogeatsspinach12" becomes "dogeatsspinach13", and a criminal knows people will do this. So if a company does force password changes, it's good to not make them too frequent, so people are more accepting of making new, decent passwords each time. Hopefully at work they're using MFA too.
At home, frankly I don't bother. All my passwords are long, complex, and unique, and I use MFA where it is offered. The likelihood that someone will guess one of my passwords is close to zero. And if they do manage to get it somehow, the account will likely have multi-factor authentication on it anyway. I have literally hundreds of passwords, and it's a time-consuming process to work through every account to change it, and record the new details. In reality a criminal would only ever breach a single account, and that's incredibly unlikely.
Of course there will be times that you have to change your password. e.g. After a data breach, or you discover malware on your devices etc. So if this happens, act fast because you're in a race to change that password before the criminal does (and they will put on MFA to lock you out)!