
Changing passwords periodically plays a critical role in cybersecurity, whether you’re running a business or managing personal passwords. Unfortunately, passwords are often forgotten while other security practices – like encryption – take center stage.
Refreshing your passwords should be as routine as making sure your phone is secured in its case before leaving the house. While not everyone agrees on how often you should change your password, you can make your own decisions once you understand the circumstances that put your accounts at risk.
Official, expert recommendations
Historically, cybersecurity experts have recommended changing your passwords every three months. This minimizes the risk of hackers gaining unauthorized access to your accounts after a breach. For example, by the time tech companies and ecommerce businesses report a breach, it has usually been a long time since it happened. In that span of time, hackers have already posted the stolen credentials for sale on the dark web, and it’s just a matter of time before your account is accessed.
Unless you’ve signed up for alerts through Have I Been Pwned, you’re unlikely to ever realize one of your accounts has been involved in a breach. By changing your passwords every three months, you greatly reduce the risk of someone getting into your accounts after a breach you don’t know about. They may have stolen your data last month, but when you change that password today, the old one is no longer valid.
One compromised account can lead to more
Thousands of data breaches occur every month and no business is immune. It’s virtually guaranteed that your usernames, emails, and passwords are out there, either on the dark web or in a list owned by thousands of hackers. If any of your accounts share the same password, you can bet those hackers are going to try logging into accounts they don’t even know you have, like retailers that tend to save credit card data for future purchases.
Strong, complex passwords aren’t good enough
Many experts advise creating strong, unique passwords, and that’s great for protecting against password cracking. But most hackers today aren’t genuinely cracking passwords – they’re stealing unencrypted data. Your password could be the most complicated series of letters, numbers, and symbols, one that requires international keyboard settings to type, and it would still be just as vulnerable to theft as the password ‘123.’
Keystroke loggers still exist
Although they’re not widely talked about today, keystroke loggers are still being used to capture sensitive data, like credit card information and passwords. A keystroke logger gives hackers your full password no matter how complex it is.
Waiting for evidence of a breach is a bad idea
If you wait for a sign that your account has been compromised before changing your password, it will be too late. For instance, you don’t want to wait until your bank notifies you they’ve put a hold on your card for potential fraud. By the time you see the signs, you may not even be able to get into your account if the hacker changed the account information. It can be an inconvenience to change your passwords every few months, but the risks of not doing so can be devastating.
Two-factor authentication isn’t foolproof
Using two-factor authentication to log into your accounts can create a false sense of security and make you think it’s unnecessary to change your passwords. In theory, if a hacker obtains your login credentials, they can’t get into your account without the code provided by your 2FA settings. But in reality, there are numerous ways hackers get around 2FA, like abusing Open Authorization (OAuth) access grants or hijacking cookies to bypass the 2FA requirement. This situation is more common than you might think.
Contractors may compromise your account
If you gave contractors access to some of your accounts to perform work, but you didn’t change your passwords afterward, those accounts are a security risk. While your contractors may not intentionally cause harm, you don’t know where they’ve been keeping your credentials. Your login information might be in a text document on their computer, or somewhere in the cloud. In either case, if they get hacked, you’re at risk.
Don’t let hackers win
The longer a password stays the same, the greater the opportunity for hackers to exploit already compromised credentials. If you use the same password for multiple accounts, the risk is higher. Use strong passwords, but don’t forget to clean house once in a while. Changing your password periodically is inconvenient, but not changing your password is a gamble.
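The two habits this article argues for, rotating credentials on a fixed interval and never sharing one password across accounts (see the sections on compromised accounts leading to more and on cleaning house), can be checked mechanically against a password-manager export. The script below is an added example, not code from the original article: it reads a constructed export (the entry format, the sites and the placeholder passwords are all invented for the example), reports which credentials are older than the three-month interval the article cites, and groups accounts that share a password. Reuse is detected on a truncated SHA-256 fingerprint so the report never prints a plaintext password.

```python
"""Password-hygiene audit over a password-manager export.

Added example (not from the original article). Flags credentials older than
the three-month rotation interval the article describes and credentials that
are reused across accounts. The export format is constructed for this example;
real managers export slightly different columns.
"""
import hashlib
from datetime import date

ROTATION_DAYS = 90  # the "every three months" interval from the article

# Constructed sample export. Passwords here are placeholders, not real secrets.
SAMPLE_EXPORT = [
    {"site": "bank.example", "username": "alice",
     "password": "Tr0ub4dor&3", "last_changed": "2024-01-10"},
    {"site": "shop.example", "username": "alice",
     "password": "Tr0ub4dor&3", "last_changed": "2024-05-02"},
    {"site": "mail.example", "username": "alice@example.net",
     "password": "correct horse battery staple", "last_changed": "2024-06-20"},
    {"site": "contractor-portal.example", "username": "alice",
     "password": "Summer2023!", "last_changed": "2023-08-15"},
]


def _fingerprint(password: str) -> str:
    """Short hash so reports and logs never contain the plaintext password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_stale(entries, today_iso: str, max_age_days: int = ROTATION_DAYS):
    """Return (site, age_in_days) for every credential older than max_age_days.

    today_iso is passed in (rather than read from the clock) so the audit is
    reproducible; callers normally pass date.today().isoformat().
    """
    today = date.fromisoformat(today_iso)
    stale = []
    for e in entries:
        age = (today - date.fromisoformat(e["last_changed"])).days
        if age > max_age_days:
            stale.append((e["site"], age))
    return stale


def find_reused(entries):
    """Group sites by password fingerprint; return only groups with more than one site."""
    by_fp = {}
    for e in entries:
        by_fp.setdefault(_fingerprint(e["password"]), []).append(e["site"])
    return {fp: sorted(sites) for fp, sites in by_fp.items() if len(sites) > 1}


def audit(entries, today_iso: str):
    """Combine both checks into one report dict."""
    return {"stale": find_stale(entries, today_iso), "reused": find_reused(entries)}


if __name__ == "__main__":
    # Fixed "today" so the sample run is deterministic.
    report = audit(SAMPLE_EXPORT, "2024-07-01")
    for site, age in report["stale"]:
        print(f"ROTATE  {site}: password is {age} days old (limit {ROTATION_DAYS})")
    for fp, sites in report["reused"].items():
        print(f"REUSED  fingerprint {fp} shared by: {', '.join(sites)}")
```

Run against the sample with a "today" of 2024-07-01, the audit flags the bank credential (173 days old) and the contractor portal credential (321 days old, and still the one handed to an outside party), and reports that bank.example and shop.example share a password, which is exactly the pattern that lets one breach spill into a second account.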