Never change your password? Not sure I would agree with Glenn

The school I teach at insists we change our password every 30 days. For several years this was not the case and I had a very long, difficult-to-guess password. Now that we have to change them every 30 days I am using a much weaker and shorter password.

Our work accounts are linked to Office 365 for email, document sharing, etc. However, we use two factor authentication on the remote systems. Yet like @ryanjamurphy we still have to change the password every 30 days.

1 Like

My employer and one of our biggest customers both require me to do that (every 90 days), but even NIST (which introduced this “best practice” in 2004) now recommends against this:

The article lists a few good reasons to change a password (but just the passing of time is not one of them):

  • When weak or reused passwords are identified and need to be replaced with strong, unique passwords.
  • When there is evidence to suggest a password has been compromised – for example, if it appears on a data breach list.
  • When employees who have access to a shared password leave or work on remote systems which do not log shared password usage.

Quantum computing might indeed (one day) be a game changer.

But for now I make sure my passwords are strong from the start and I don’t feel the need to change them every now and then.

1 Like

My experience across many different organisations, including universities is that this is still very common.

I put it down to two things:

- It’s aimed at the significant number of users that use insecure passwords - I still think it’s a minority that take any care over this

- IT departments are slow to change procedures, too easily bound by “that’s the way we’ve always done it” and convinced that users are stupid and lazy and therefore need to be kept on a very short lead.

I use 3-5 word passphrases by choice - but I have yet to work in an organisation that accepts spaces or that doesn’t mandate (repeat after me) “At least one upper case character and at least one number”

I agree with Glenn, and I believe passwords need not be changed given the following is practiced:

  • Unique login email for each platform
  • Unique strong password for each platform

Glenn’s reasoning follows from these, and the two points are not apparent in the article title.

Instead of spending time changing passwords (which is an exercise covering hundreds of sites), I’d rather spend the time on other things e.g. reviewing my online profiles/plugins periodically and removing/revoking permissions to those I no longer use. (And of course, one can argue that saving time is saving lives/avoiding harm: after all, wasting time is akin to killing oneself slowly.)

1 Like

For personal use, I think almost everybody is safe using unique strong passwords combined with 2FA, and there is no need to ever change the password unless there is some kind of breach on the affected service.

For corporate accounts we are out of luck and have to come up with new passwords every couple of months due to obsolete security governance procedures; it’s terrible.

1 Like

Usually happens on corporate systems. This makes me cringe when I put a strong password and the system refuses because it does not exactly match their preset weaker rules. Although it’s atrocious, it’s the lesser evil from a security perspective as it’s better to alienate your bunch of security savvy users than having most employees use absolutely stupid, guessable passwords. And if you strengthen the rules then you have your own users request help from Helpdesk because they forgot their credentials, if they did not use a post-it note on their monitor to remember it.

My experience may be different from others -

  • Some financial institutions still would not allow a password of more than 10 digits, and only alphanumeric, no special characters
  • They only allow SMS as 2FA, which is not the strongest MFA arrangement

You’re right. What does it take to perform SIM-doubling? I guess it needs to be a more targeted attack including social engineering with the mobile carrier, right? But when thinking of targeted attacks, I can easily be targeted on the street near any ATM or when coming back home.

My bank does allow 20 character passwords and requires upper, lower, and numerical. But it only offers SMS 2FA. SMS is better than nothing, but just barely. We desperately need a secure replacement.

I’ve visited an ATM once since the pandemic began but still haven’t used any cash.

I was wondering about this, now that 1Password and Fastmail partnered on “Masked Email”.

What do others think about this?

I have a few private domains and use one to create unique email addresses for each new account I create. Now instead of using my original gmail address for all my routine accounts (which I did for years) I have logons like paramount@mydomain.ext or netflix@mydomain.ext, etc.

The advantage of this is the ability to turn off an address if it starts being abused (instead of relying on a spam filter). Or in the case of streaming services, etc. that I only use occasionally, I can easily filter out the “please come back” special offers they send when I’m not paying them.

If I were a fastmail user I would definitely consider using this.

Best practice advice was changed a few years ago. Changing passwords regularly encourages people to choose weaker, more memorable passwords.

So unless you believe your password to be compromised, don’t change it.

Use strong passwords and where possible Multi Factor authentication.

1 Like

Of course making people constantly change their password - to the average person - actively encourages them to use weak passwords, re-use old passwords, etc.

Those admin people concerned about those weak passwords could always just compare the password you’re trying to set with a database like the one at HaveIBeenPwned and see if it’s in there. If so, reject it. :slight_smile:
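The check the post above describes, as an added example (not code from anyone in this thread): a password-set policy that drops composition rules and forced rotation, allows spaces for passphrases, and instead rejects any candidate that appears in a breach corpus. It uses the k-anonymity shape of the HaveIBeenPwned Pwned Passwords "range" lookup, where only the first five hex characters of the SHA-1 leave the client and the server returns every matching suffix with its breach count. The `OFFLINE_RANGES` table is a constructed stand-in for one such response (the suffix for "password" is its real SHA-1 suffix, the count and filler entries are made up) so the example runs without network access; `hibp_fetch` shows the live call and is an assumption about how a deployment would wire it in.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for one HIBP "range" response. The real endpoint is
# GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1> and
# returns "SUFFIX:COUNT" lines for every breached hash sharing that prefix.
# Only the prefix for "password" is populated here; the count and the two
# filler suffixes are invented so the example runs offline.
OFFLINE_RANGES: Dict[str, str] = {
    "5BAA6": "\n".join([
        "0F2C7A5D8C7E03B2A9F1B3C4D5E6F7A8B9C:3",         # constructed filler
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",   # suffix of SHA-1("password"); count constructed
        "A1B2C3D4E5F60718293A4B5C6D7E8F9A0B1:12",        # constructed filler
    ]),
}


def offline_fetch(prefix: str) -> str:
    """Offline replacement for the HTTP call; unknown prefixes return no lines."""
    return OFFLINE_RANGES.get(prefix, "")


def hibp_fetch(prefix: str) -> str:
    """Live lookup against the HIBP range endpoint (assumed wiring; not exercised here)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-policy-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = offline_fetch) -> int:
    """Return how many times the password appears in the breach corpus (0 if never).

    Only the 5-character SHA-1 prefix is sent to the lookup service; the full
    hash is never transmitted, so the service cannot learn the candidate itself.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count or 0)
    return 0


MIN_LENGTH = 8    # NIST SP 800-63B minimum for user-chosen secrets
MAX_LENGTH = 64   # SP 800-63B asks verifiers to accept at least 64 characters


def evaluate_password(password: str,
                      fetch: Callable[[str], str] = offline_fetch) -> Tuple[bool, str]:
    """Accept or reject a proposed password using length and breach checks only.

    Deliberately absent: upper/lower/digit composition rules and any expiry
    date. Spaces are fine, so multi-word passphrases pass.
    """
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(password) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    hits = pwned_count(password, fetch)
    if hits:
        return False, f"appears {hits} times in known breaches"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["password", "short", "green kettle orbit nine"]:
        print(f"{candidate!r}: {evaluate_password(candidate)}")
```

To use the live corpus, pass `fetch=hibp_fetch` to `evaluate_password`; the k-anonymity design means the deployment only ever discloses a 5-character prefix shared by hundreds of unrelated hashes.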

Because it takes a considerable amount of time if you’re doing it on a number of websites. Because changing it doesn’t provide any inherent benefit. Because from a tracking standpoint, it introduces another point of failure into your password management. And…

If the tech companies are storing your password in plain text, changing it doesn’t matter in practicality. The employees at that company can already access your password - and that’s a far bigger security issue than a breach.

If they’re not storing your password in plain text, breaches don’t matter from a practical standpoint if you have a strong password. See my longer comments above.

And in any case, if they got your password for a given site they’d have your password for that site - not any other Internet account passwords.

Agree 100% with that list. And nothing on that list really applies to somebody that’s using software like 1Password and generating good passwords for all of their logins.

But I think best practices will be determined after the fact, not preemptively. For example, if quantum computing lets hackers rip through 70,000 hashes of 50-character 1Password “gibberish” passwords and extract them in real time, changing your password to another 50-character 1Password “gibberish” password - that’s then hashed by the same algorithms - will have zero effect in practicality.

That’s not a good reason to spend a ton of time constantly rotating passwords now.

How important do you think this actually is, as long as somebody uses different passwords for everything? To me the main benefit would be that it doesn’t allow other metadata to be tied, and wouldn’t actually have much to do with security.

Out of curiosity, which financial institutions are still only allowing 10 characters? I’d be very tempted to put my money somewhere else if at all possible. :slight_smile:

Too many websites still limit password lengths to either 8, 10 or 16 characters. It’s so bizarre.

1 Like

I don’t disagree, but sometimes an organization has no choice. At my last company we took credit cards and several years ago all the major credit card companies formed the Payment Card Industry. From that point on we had to comply with all their requirements including requiring passwords be changed every 90 days in order to accept credit cards for payment. Fun times.

BTW, they require that passwords be at least seven characters long :rofl:

1 Like

Yes, I agree that the main benefit stems from difficulty in linking the login to other metadata. It may provide some benefit if the email is the login ID - another additional point to crack (assuming the hacker does not already have the information); and I can easily identify the source of spam/phishing emails and shut it down.

I am really fascinated by this point (and also mentioned by others above, I think) - unintended consequences in policy design.

It’s a function of the fact that most people don’t use password managers - they use the same passwords over and over.

“Come up with one really good password” isn’t all that hard for most people. “It’s been 60 days - come up with another good password” - that one is harder. And once they’re asked for the fifth or sixth time, it’s something like their dog’s name followed by “123”, followed by an exclamation point or a question mark.

It also leads to passwords being written on post-it notes on their computers, and text files on the desktop called “Passwords” with the passwords they use.


It’s a while since I dealt with PCI. I’d forgotten about that.

1 Like