The common advice of forcing password changes on a fixed schedule, such as every 30, 60, or 90 days, is now considered outdated and potentially counterproductive. This practice, once a standard security control, led to password fatigue: users who had to keep inventing and remembering new passwords resorted to weak, easily guessable choices, or made only minor, predictable variations of the previous password (incrementing a trailing digit, changing a month name). Attackers know these patterns, so a rotated password often offers little more resistance than the one it replaced.
Recent guidelines from the National Institute of Standards and Technology (NIST), published as Special Publication 800-63B (Digital Identity Guidelines: Authentication and Lifecycle Management), have shifted the focus from frequent password changes to creating stronger passwords and screening them at the point of creation. Key aspects of these guidelines include:
- Longer Over Complex Passwords: NIST emphasizes password length over complexity. Composition rules that force a mix of upper and lower case letters, numbers, and special characters tend to produce predictable substitutions (a capitalized first letter, a trailing "1!") rather than genuinely stronger secrets, so SP 800-63B says verifiers should not impose them. Instead it requires a minimum of 8 characters for user-chosen passwords and says verifiers should accept at least 64 characters, so that long passphrases are allowed rather than capped or silently truncated. Such passphrases are both harder to guess and easier for users to remember.
- Avoiding Frequent Resets: Regularly resetting passwords is burdensome and often leads to weaker or near-duplicate passwords. SP 800-63B says verifiers should not require memorized secrets to be changed arbitrarily (for example, periodically), but must force a change when there is evidence that the secret has been compromised.
- Screening Against Breached Passwords: Newly created passwords must be compared against a blocklist that includes passwords from previous breach corpora, dictionary words, repetitive or sequential characters (such as "aaaaaaaa" or "1234abcd"), and context-specific words such as the service name or the username. This prevents the use of compromised, common, or trivially structured passwords, which are exactly what credential stuffing, password spraying, and brute-force attacks try first.
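As an added example (not code from the article or from NIST), the following Python implements the screening rules above: a length floor and ceiling with no composition rule, a blocklist lookup, repeated-run and sequential-run detection, and context-specific word rejection. It also shows the k-anonymity split used by the Have I Been Pwned Pwned Passwords range API, where only the first five hex characters of the SHA-1 hash leave the client and the returned lines have the form `HEXSUFFIX:COUNT`. The blocklist, the context words, and the range-response body are constructed sample data so the code runs offline; the `fetch_range` lookup table stands in for the real HTTP call.

```python
"""NIST SP 800-63B style memorized-secret screening (added example, not from the article).

Assumptions: BLOCKLIST, CONTEXT_WORDS and SAMPLE_RANGES are constructed sample
data; fetch_range() stands in for a real call to the Pwned Passwords range API,
whose response format ("HEXSUFFIX:COUNT" per line) is parsed here offline.
"""
import hashlib
import re

MIN_LENGTH = 8    # 800-63B: user-chosen secrets must be at least 8 characters
MAX_LENGTH = 64   # 800-63B: verifiers should permit at least 64 characters

# Constructed stand-in for a breach corpus / common-password list.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Constructed context-specific words (service name, product name) to reject.
CONTEXT_WORDS = {"examplecorp", "acme"}


def has_repeated_run(pw: str, n: int = 4) -> bool:
    """True if any single character repeats n or more times in a row (e.g. 'aaaa')."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None


def has_sequential_run(pw: str, n: int = 4) -> bool:
    """True if n consecutive characters ascend or descend by exactly one (e.g. 'abcd', '4321')."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - n + 1):
        window = codes[i:i + n]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def screen_password(pw: str, username: str = "") -> list[str]:
    """Return the reasons to reject pw; an empty list means it passes local screening.

    Deliberately imposes no composition rule (no 'must contain a digit/symbol').
    """
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        # Reject rather than silently truncate: truncation would store a weaker secret.
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = pw.lower()
    if lowered in BLOCKLIST:
        reasons.append("appears in breach/common-password list")
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    if any(word in lowered for word in CONTEXT_WORDS):
        reasons.append("contains a context-specific word")
    if has_repeated_run(pw):
        reasons.append("contains a repeated character run")
    if has_sequential_run(pw):
        reasons.append("contains a sequential character run")
    return reasons


def hibp_prefix_suffix(pw: str) -> tuple[str, str]:
    """k-anonymity split: only the 5-hex-char prefix of SHA-1(pw) is sent to the server."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Parse a 'HEXSUFFIX:COUNT' per-line range response; return 0 if the suffix is absent."""
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


# Constructed range response for prefix 5BAA6 (the counts are made up, not real HIBP data).
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\n"
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:3\n"
        "0F3AFE4B4E5B5D4D03C1C3D2E5A9D7C7C7D:0\n"
    ),
}


def fetch_range(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>; offline lookup only."""
    return SAMPLE_RANGES.get(prefix, "")


def is_breached(pw: str) -> bool:
    """True if the full hash appears (with a non-zero count) in the range for its prefix."""
    prefix, suffix = hibp_prefix_suffix(pw)
    return count_in_range_response(suffix, fetch_range(prefix)) > 0


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple", "abcd1234", "acme2024!"]:
        print(repr(candidate), screen_password(candidate), "breached:", is_breached(candidate))
```

The local checks run before any network call, so a password that fails them is never hashed or sent anywhere. In production `fetch_range` would perform the HTTPS request and the verifier would also apply a per-account failed-attempt limit, which SP 800-63B requires alongside the blocklist.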
Additionally, there are specific scenarios where changing passwords is crucial:
- If a service you use reports a data breach that may have exposed credentials, or that password was reused anywhere else.
- Receiving unauthorized access notifications for your account.
- Encountering malware on your device, since infostealers and keyloggers harvest saved and typed passwords.
- After using a shared or public computer, due to the risk of keyloggers or other spyware.
- If you have shared a password with someone else, particularly once they no longer need access.
For general maintenance, it is suggested to change passwords approximately once a year. This strikes a balance between security and usability, reducing the risk of creating weak passwords due to frequent changes. Note that SP 800-63B itself does not call for even annual rotation; the yearly refresh is a hygiene convention rather than a NIST requirement, and it should be a prompt rather than a hard expiry rule that recreates the fatigue problem.
In summary, the focus has shifted from frequent password changes to creating longer, unique passwords and changing them in response to specific security concerns or on an annual basis. This approach balances security needs with practical usability, addressing the challenges of password fatigue and the risk of weaker password creation.