Kirk Lennon

Stop Changing Your Passwords

Published by Kirk on .

In the aftermath of Heartbleed, users of web services have been widely exhorted to change all their passwords, and reminded that they should be changing them regularly. Such advice is passed around as an accepted, near-axiomatic best practice, but is it? Should you actually be changing your passwords regularly? Or ever?

Let’s first make an obvious observation: Your user account for a given service is either compromised, or not. Consequently, the simple act of changing your password doesn’t do anything to improve security; it’s just more security theater—like the TSA but without the strip-searching. If it is compromised, you should of course try to regain control and change the password. But what if it’s not? There’s zero inherent value in changing an uncompromised password to a different uncompromised password. If your password is compromised today, it doesn’t really make a difference if you changed it last week or last year. You’re not making it any harder to access your account; you’re just making it harder on yourself.

When should you change your password?

There are two common situations where an account is compromised:

  1. An anonymous stranger uses scripts to hack into poorly-secured accounts in an attempt to profit (by making fraudulent transactions, etc.)
  2. Someone (usually personally known, except in the case of celebrities) gains access to a specific target’s account, typically for social reasons, such as reading private emails, or perhaps posting embarrassing statements to a social networking account.

In situation 1, the attacker is going to immediately change the user’s password as soon as they gain access to the account, and try to finish their task as soon as possible, hopefully before the victim has even realized it has happened. This situation is, naturally, the most economically harmful, and it’s also one where periodic password changes are guaranteed to do absolutely no good at all. You will know your account has been compromised as soon as you try to access it, or your credit card company calls, or your friends start asking you why you have started posting racist links.

Situation 2 is the only scenario in which changing your password is useful: someone is quietly spying on your accounts. But even this doesn’t support the call for regular password changes. Again, an account is either compromised, or not. If you change all of your passwords every six months, then a stalker could still read your emails or other messages for up to six whole months. So why not every week? Obviously that’s too onerous. So isn’t there some happy middle ground? No, there’s not. If you have no reason to believe your account has been compromised, then you have no reason to think that now is a better time to change your password than any other.

So when should you change it? Have you shared your password with someone you used to be close to, but no longer trust 100%? You should change it. Have you freely logged onto accounts from friends’ computers and can’t be sure you at no point allowed the computer to save your password? You should change it. Did you log into your account while sitting next to a soon-to-be-ex-friend? You should probably change it. Can you not even remember if you’ve been careful with your password over the course of time you’ve had it? Change it and start fresh. But as long as you have been careful, then there’s no reason to continually change from one secure, uncompromised password to another.

But what’s the harm?

Many companies require periodic password changes, so you probably have some experience with what happens when you actually change your password regularly. You might be able to come up with a few really good passwords that you can remember, but nobody should be expected to come up with super-hard passwords for the same account every six weeks. The result is usually something along the lines of EasyToRemember1, followed by EasyToRemember2, incrementing each time with equally bad passwords. The other common option is for people to just write the new passwords down, even though they know they shouldn’t. But can you blame them? There are painful limits to the human ability to remember. If people can keep a password indefinitely, they can choose a much harder one. Frequently changed passwords are easy passwords, and easy passwords are usually bad passwords.

What are legitimate best practices?

So if you shouldn’t change your passwords often, what should you do?

You should use long, truly random passwords. As computers have gotten faster, it has become easier to brute-force guess near-endless combinations of passwords. But they’re still limited. As the length of the password increases, so too does the difficulty in guessing it. By combing through Wikipedia, and through the massive collections of stolen, poorly-secured passwords that are occasionally distributed online, password hackers create giant dictionaries of passwords that already include common (and uncommon) words and names. These known strings can be automatically pieced together into further combinations, which is why adding your graduation year to the end of your password doesn’t really make it that much harder to guess. And you don’t need to bother with formerly-recommended practices such as replacing Os with 0s or Ls with !s. It won’t do you any good, because the hacking programs also include all the oh-so-clever number/punctuation substitutions that people use. The only thing that works is using long, totally random passwords.
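To make the last two points concrete, here is an added Python example (not code from the original post) of the checks a password-change form could run on the server side. It undoes the substitutions and trailing years or counters the post says crackers strip automatically, flags passwords that are just dictionary words glued together, catches the EasyToRemember1 → EasyToRemember2 pattern described in the previous section, and only then computes an entropy bound, which is meaningful solely for passwords that were actually drawn at random. The wordlist and the substitution table are constructed toy versions; a real cracking list and rule-set are far larger.

```python
import math
import re
import secrets
import string

# Constructed toy wordlist. A real cracking list holds millions of entries
# pulled from Wikipedia and leaked password dumps, as the post describes.
WORDLIST = {"password", "letmein", "welcome", "easytoremember",
            "dragon", "monkey", "summer"}

# Substitutions that cracking rule-sets undo automatically (assumed subset).
LEET = str.maketrans({"0": "o", "1": "l", "!": "i", "3": "e", "4": "a",
                      "5": "s", "$": "s", "@": "a", "7": "t"})


def normalize(pw: str) -> str:
    """Reduce a password to the human-chosen core a cracker would target:
    lower-case, drop a trailing year or counter, undo leet substitutions,
    discard any remaining punctuation."""
    base = pw.lower()
    base = re.sub(r"\d+$", "", base)   # Kirk1999 / EasyToRemember2 -> kirk / easytoremember
    base = base.translate(LEET)        # p@ssw0rd -> password
    return re.sub(r"[^a-z]", "", base)


def segmentable(s: str) -> bool:
    """True if s is a concatenation of wordlist entries, mirroring the
    combinator attack that pieces known strings together."""
    if not s:
        return False
    ok = [True] + [False] * len(s)
    for i in range(1, len(s) + 1):
        ok[i] = any(ok[j] and s[j:i] in WORDLIST for j in range(i))
    return ok[len(s)]


def entropy_bits(pw: str) -> float:
    """log2(charset ** length): a bound that only means something for passwords
    that were actually chosen at random, so the dictionary checks run first."""
    pools = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
             (string.digits, 10), (string.punctuation, 32)]
    size = sum(n for chars, n in pools if any(c in chars for c in pw))
    return len(pw) * math.log2(size) if size else 0.0


def too_similar(old: str, new: str) -> bool:
    """Catch the EasyToRemember1 -> EasyToRemember2 pattern forced rotation produces."""
    core_old, core_new = normalize(old), normalize(new)
    return bool(core_old) and core_old == core_new


def assess(new: str, old: str = "", min_bits: float = 60.0) -> str:
    """Return 'ok' or the reason the new password should be refused."""
    if old and too_similar(old, new):
        return "rejected: trivial variation of the previous password"
    core = normalize(new)
    if core in WORDLIST or segmentable(core):
        return "rejected: dictionary word(s) once substitutions and suffixes are undone"
    bits = entropy_bits(new)
    if bits < min_bits:
        return f"weak: about {bits:.0f} bits, fewer than {min_bits:.0f}"
    return "ok"


def generate(length: int = 20) -> str:
    """The post's recommendation: a long, truly random password from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample inputs: the rotation pattern, a leet-mangled word with a
    # year, two glued wordlist entries, a short random string, a generated one.
    for old, new in [("EasyToRemember1", "EasyToRemember2"),
                     ("", "P@ssw0rd1999"), ("", "MonkeyDragon"),
                     ("", "xK9$q"), ("", generate())]:
        print(f"{new!r:<28} {assess(new, old)}")
```

The ordering matters: the entropy figure for "P@ssw0rd1999" looks respectable (twelve characters from a 94-symbol alphabet), but the dictionary check runs first and reduces it to "password", which is exactly the collapse the post describes. Only a string from generate() reaches the entropy stage with a number that actually reflects the work a guesser would face.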

Ideally, you should use a password manager. This software lets you remember one super-hard password, and it takes care of everything else. The most secure passwords are ones that even you don’t know, and password managers make this easy to use in practice. An alternative is to use a tiered password strategy. Everyone knows you shouldn’t reuse the same passwords for all your accounts (and here the common wisdom is right), but there’s no need to take this to absolute levels. You likely have many different accounts, of varying degrees of value. Your email and financial accounts are very important and contain critical, private information. Each one of these should have a separate, secure password. But what about other accounts? Some news websites make you register in order to read more articles in a month. Maybe you registered somewhere to post a comment on a site that you’ve never been back to. These throw-away accounts just aren’t that important, so there’s no reason you can’t use the same easy-to-remember password for all of them. Life is about choosing your battles, and this is a situation where you can take it easy.