Why you shouldn't change your passwords regularly

Here’s some surprising advice: Stop changing your passwords. But just how wacky is that idea?


For obvious security reasons, I’m not going to tell you how lax I am about passwords. Suffice to say, when I was checking my router the other day, I did discover a couple dozen freeloaders on my Wi-Fi signal. So, probably, enough said.

I am, though, making attempts to correct matters, and have started to use more than just the lone, easy-to-spell letter "a," or easy-to-add sole numeral "1," at least for anything to do with money.

Why? Well, for one thing, many places now require me to. Plus, it’s a bit like the idea of not dropping garbage in the street, and wearing a seat belt. Public safety messages have bombarded me over the years, and I am now indoctrinated.

I don’t text when driving, and I know that I should change my password regularly. Therefore I am a responsible, good person.

Regular password changing

So I was gobsmacked to see writer Kirk Lennon’s gleeful advice last week: “Stop changing your passwords.”

Lennon, in his blog, argues that you don’t gain anything by regularly changing your password, because if your password is not compromised, you don’t benefit by selecting another uncompromised password; you just inconvenience yourself.

Lennon's theory evokes a couple of interesting points:

In the case of someone you know getting into your accounts, a password change every six months won’t help much, because the spying friend still has access to your stuff for the period between password changes.

If you change your password weekly, then that might help, but it’d be too onerous to actually accomplish.

He also says that if a script-hacking anonymous stranger gets into your account, the attacker will change the existing password immediately, presumably so the attacker can continue the activity without interruption. In this case, Lennon says, periodic password changing wouldn't do any good, either.

Brute force

Reddit user Whyamisosoftinthemid counters Lennon’s second argument, saying that if someone hacks into a database and garners a list of user names and encrypted passwords, they then start working their way through them and, through brute force, decrypt them.

“If you change your password regularly, by the time they decrypt your old password, it is no longer valid,” Whyamisosoftinthemid says.

Lennon, as you can imagine, doesn’t agree with that, and says that Whyamisosoftinthemid’s scenario is overly contrived because you might have just changed your password the night before the hacker stole the list, and that hackers wouldn't sit on passwords for weeks.

In any case, over a period of weeks, the site’s security team will have discovered the hole and gotten the users to change their passwords, he thinks.
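An added toy model of the cracking-versus-rotation argument in this section (my own example, not from Lennon, Whyamisosoftinthemid or the article). It treats the stolen list as password hashes being brute-forced offline; the guess rate, the entropy figures and the 14-day forced reset are constructed assumptions.

```python
# Added illustration, not from the article: a toy model of the argument above.
# Assumptions (all constructed): the attacker cracks the stolen hashes offline at
# GUESSES_PER_SECOND, users' last scheduled change is uniformly spread across the
# rotation period, and the site forces a reset some days after the breach.
from typing import Optional

DAY = 86400
GUESSES_PER_SECOND = 1e9  # assumed offline cracking rate (constructed)


def time_to_crack(entropy_bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected seconds to find a password of the given entropy by brute force
    (on average the attacker searches half the keyspace)."""
    return (2.0 ** entropy_bits) / 2.0 / rate


def still_valid_fraction(crack_seconds: float,
                         rotation_seconds: Optional[float],
                         forced_reset_seconds: Optional[float]) -> float:
    """Probability that a password cracked `crack_seconds` after the breach still works.

    The password stops working at the earlier of the user's next scheduled change
    (uniform in [0, rotation_seconds) after the breach) and the site's forced reset.
    """
    if forced_reset_seconds is not None and crack_seconds >= forced_reset_seconds:
        return 0.0  # the breach response already invalidated it (Lennon's point)
    if rotation_seconds is None:
        return 1.0  # no rotation policy: the cracked password is still good
    # Still valid only if the user's next change falls after the crack time.
    return max(0.0, 1.0 - crack_seconds / rotation_seconds)


def compare_policies(forced_reset_days: Optional[float] = 14) -> dict:
    """Fraction of cracked passwords still usable under several policies."""
    reset = None if forced_reset_days is None else forced_reset_days * DAY
    scenarios = {
        # (entropy bits, rotation period in days or None)
        "weak, never rotated": (40, None),
        "weak, rotated every 90 days": (40, 90),
        "strong, never rotated": (60, None),
        "strong, rotated every 90 days": (60, 90),
    }
    return {name: still_valid_fraction(time_to_crack(bits),
                                       None if days is None else days * DAY, reset)
            for name, (bits, days) in scenarios.items()}


if __name__ == "__main__":
    for name, frac in compare_policies().items():
        print(f"{name:32s} {frac:.4f}")
```

With the 14-day reset, rotation changes almost nothing for weak passwords (cracked in minutes) and is irrelevant for strong ones (the reset gets there first); only with no breach response at all does a 90-day rotation invalidate a strong password before it is cracked.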

When should you change your password?

Lennon isn’t saying that you shouldn’t ever change them. He thinks that you should if you’ve shared a password with someone you no longer trust; when you’ve logged in from a public or friend's computer and can’t remember if you checked the “do not save” box, and also in cases where you’ve been generally careless with the password.

The problem with passwords

Another point Lennon makes is that it’s difficult to keep coming up with hard passwords, and by constantly being forced to come up with a new one, there’s a chance that they’re not going to be particularly good ones.

"The point is that it’s generally never a good time. If your password is good and uncompromised, you gain nothing by changing it, and constantly changing good passwords just means you’re more likely to use bad passwords instead," he says on Reddit.

Bad passwords could include those that have to be written down somewhere.

"If people can keep a password indefinitely, they can choose a much harder one," he says in his blog.

"My position is that regularly changing good passwords provides, for almost everyone, only a nominal increase in security.

“Everything has a cost and I posit that it’s just not worth it,” he says.

So, no places of birth, either? Now what was the name of that cat I used to have?

Copyright © 2014 IDG Communications, Inc.
