Security Advice


#1

How often should one change the WiFi password? With all the additional things on WiFi at home, changing a strong password too regularly seems like a pain.


#2

The recommendation about changing passwords regularly originated from an early NIST publication. The author of this recommendation has since admitted that it was something he just made up. There is no evidence to suggest that a strong password becomes less strong over time. The recommendation is NO LONGER part of the official NIST publication (see section 10.2).

Article on the topic here

However, if you have reason to believe it has been breached, of course you need to change it.


#3

Since everything inside my network (computers, shares, backups) is encrypted and password protected, getting access to my WiFi isn’t a huge risk. You might be in my network, but you can’t access any data. So, no need to change the password often. When I rearrange my whole setup every 2-3 years, I also change it.


#4

Make your password really long (mine is somewhere around 30 characters) and then don’t change it unless:

  1. You share it and are concerned about that. Most WiFi systems let you set up a guest network though, so it’s best not to share it.

  2. Your WiFi router/access-point has a serious vulnerability that might let others know what your password is.

  3. You’ve used that same password anyplace else. Don’t ever reuse passwords. If ever you feel the urge to reuse a password, get a hammer and repeatedly hit your thumb until the urge goes away (or is replaced by the even stronger urge to stop hitting your thumb with a hammer).

  4. You have reason to believe that someone is using your WiFi network without your permission.

Really, #1 is mostly what you have to worry about. Unless you have the urge to reuse passwords.


#5

If you use a good strong password there really is no need to change the password at regular intervals.

I would however recommend getting as many IoT devices as you can on a separate network for added security (regardless of any password changes).

Here’s a very good walkthrough by Allison Sheridan and Bart Busschots on the nosillacast podcast of Steve Gibson’s three router principle:

or the same described here:

https://www.pcwrt.com/2018/06/beyond-three-dumb-routers/


#6

Frequent password changes are a bad idea. Good explanations below.

  1. https://www.schneier.com/blog/archives/2016/08/frequent_passwo.html
  2. https://www.schneier.com/blog/archives/2017/10/changes_in_pass.html
  3. https://www.sans.org/security-awareness-training/blog/time-password-expiration-die

#7

Frequent password changes are actually a BAD idea. In corporate settings, Windows is often set up to request a password change every few weeks: since most people don’t use password managers, they tend to use very easy ones because they need to remember a new one every few weeks. Also, a password manager is not so helpful because it doesn’t work at the login screen. So, by implementing the “make users change passwords often” rule, less secure passwords are used. If your password is usable for at least a year, you’d rather have a password like eir9ui1Ei$ngei1Ai. If people are forced to change passwords once a month, you get rabbit2, then rabbit3, then rabbit4, and so on.
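As an added example, not code from any post in this thread: a small Python check that a password-change handler could run to reject the rotation pattern #7 describes (rabbit2 to rabbit3) and to compare the rough strength of the replacement. The variant test, the character-class entropy estimate and the 60-bit threshold are my assumptions, not a published standard.

```python
import math
import re
import string

# Assumed policy threshold (not from the thread): reject replacements
# whose rough estimate falls below this many bits.
MIN_BITS = 60.0


def char_pool_size(pw: str) -> int:
    """Sum of the sizes of the character classes present in pw."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)  # 32 ASCII symbols
    return pool


def estimate_entropy_bits(pw: str) -> float:
    """Crude upper-bound strength estimate: length * log2(pool).
    It over-rates dictionary words, which is exactly why the variant
    check below is needed as well."""
    pool = char_pool_size(pw)
    return len(pw) * math.log2(pool) if pool else 0.0


def normalize(pw: str) -> str:
    """Strip what people usually tweak on a forced change: letter case
    and leading/trailing digits or punctuation (rabbit2 -> rabbit)."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw)
    return (core or pw).casefold()


def is_trivial_variant(old: str, new: str) -> bool:
    """True when new is the old password with only the decorations changed."""
    a, b = normalize(old), normalize(new)
    return a == b or a in b or b in a


def evaluate_change(old: str, new: str, min_bits: float = MIN_BITS):
    """Return (accepted, reason) for a proposed password change."""
    if is_trivial_variant(old, new):
        return False, "new password is a trivial variant of the old one"
    bits = estimate_entropy_bits(new)
    if bits < min_bits:
        return False, f"estimated strength {bits:.0f} bits is below {min_bits:.0f}"
    return True, f"accepted ({bits:.0f} bits estimated)"
```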