
Thoughts on scheduled password changes (don’t call them rotations!)

Oct 01, 2023

We’re all still using passwords on many, perhaps most, of our accounts, because we’re all still using plenty of online services that don't offer any other sort of login system.

Just today, for instance, I paid membership fees to a cycling-related group that asked for my postal address so it could send me my membership card, which I thought was a delightfully simple and old-school way of letting me retrieve my membership number in future while out on the road.

In the sort of cold and soggy weather you get for much of the year in England, digging out a mobile phone, waiting for a signal, taking off your gloves (they’re not much fun to put back on when you’re winter-waterlogged), and fiddling around with apps, websites, passwords, 2FA codes and more…

…well, it's just not as easy as finding a waterproof, crash-proof, no-batteries-required, plastic card with your basic details on it.

But along with my payment confirmation, informing me that my membership card was on its way, was a reminder that if ever I wanted to renew my membership, or to request a replacement waterproof, crash-proof, no-batteries-required, plastic card (sadly, they aren't loss-proof), I’d need to create an account on the group website, so why not choose a password right now?

Simply put, to avoid the need for a password in the first place, I’d need to create one in the second place.

And whenever passwords come up, a long-running question comes up too:

Should you change all your passwords all the time to make them fast-moving targets for cybercriminals, or lock in really complex ones to start with, and then leave well alone?

Indeed, that was the issue facing a long-term Naked Security reader this very morning, whose own IT team were on the horns of this very dilemma, possibly because of a cyberinsecurity near-miss that they’d just experienced first hand.

Which is better?

Complex passwords or passphrases that may not get changed often, or poorly-chosen passwords that are changed regularly?

Our thoughts on the matter are as follows:

Regularly changing your password doesn't magically make it a better password.

Only choosing a better password in the first place makes it a better password! (This is where password managers can help.)


In other words, we suggest that you first address the problem of helping your users to choose decent passwords, then encourage them to recognise cases where they should change their passwords right away, without needing a timetable to tell them to do so…

…and only then should you worry about whether you really need a "regular changes regardless" password policy as well.

Demanding password changes every month when you simply don't need to is just inviting people to save their new passwords insecurely, or to choose new passwords sloppily, or to rotate through a repeating sequence of N related passwords, or to only ever update their passwords every 30 days, even in emergencies.

Having said that, locking out users who haven't accessed specific company accounts for a certain time is a good idea. (This also guards modestly against forgotten accounts, because they eventually expire automatically.)

Locking users out for inactivity is more intrusive than simply forcing them to reset their passwords regularly, and therefore unpopular.

But if someone has a company account login that they aren't using, why not push them to justify in person why they still need it after they haven't used it for, say, six months or a year?

After all, if it's a login for a product or service that charges a per-user fee… you may even be able to save the cost of their subscription.

And if they genuinely don't need the account any more, you’re helping them to stay out of trouble by preventing rogues and cybercrooks from doing bad things in their name.
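As an added illustration of the inactivity review suggested above (example code written for this page, not from the original article), here is a small review function. The account records, field names and the six-month and one-year thresholds are constructed assumptions; an account that has never been logged in to is judged from its creation date, so forgotten, never-used accounts surface alongside abandoned ones.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of account records, in the shape an identity system's
# export might take. "last_login" is None for accounts created but never used.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "created": "2022-01-10T09:00:00Z",
     "last_login": "2023-09-28T08:12:00Z", "per_user_fee": True},
    {"user": "bob", "created": "2022-03-01T09:00:00Z",
     "last_login": "2023-02-14T17:45:00Z", "per_user_fee": True},
    {"user": "carol", "created": "2023-08-20T09:00:00Z",
     "last_login": None, "per_user_fee": False},
    {"user": "dave", "created": "2021-11-05T09:00:00Z",
     "last_login": None, "per_user_fee": True},
]


def _parse(ts):
    """Parse an ISO-8601 timestamp; a trailing Z or a missing zone means UTC."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def inactive_accounts(accounts, now_iso, max_idle_days=180):
    """Return accounts with no activity for more than max_idle_days.

    Never-used accounts are judged from their creation date. The result is
    sorted with the longest-idle account first, and records whether disabling
    it would also free a per-user licence seat.
    """
    now = _parse(now_iso)
    cutoff = now - timedelta(days=max_idle_days)
    flagged = []
    for acct in accounts:
        last_activity = _parse(acct["last_login"] or acct["created"])
        if last_activity <= cutoff:
            flagged.append({
                "user": acct["user"],
                "idle_days": (now - last_activity).days,
                "never_used": acct["last_login"] is None,
                "saves_fee": acct["per_user_fee"],
            })
    return sorted(flagged, key=lambda f: f["idle_days"], reverse=True)


if __name__ == "__main__":
    for entry in inactive_accounts(SAMPLE_ACCOUNTS, "2023-10-01T00:00:00Z"):
        print(entry)
```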
