How Often Should You Change Your Password?


Network security is a concern for most organizations, and there are several ways to improve that, including updating passwords. But how often should you change your password? Are you still using the same password since college and have no plans to update it?

Well, you are not the only one, and that does not imply that it is okay. It is also interesting to discover that some believe that resetting passwords is as stressful as retiring. As a result, such people use the same or a very similar password longer than necessary oblivious of the fact that failure to update passwords or recycling them poses various online security threats.

Additionally, 66% of individuals in America use the same password for multiple online accounts, and 75% say that maintaining and keeping track of the passwords they use is frustrating. The unfortunate bit is that if you imagine that updating your password is exhausting, understand that sometimes, taking such an action can be the only thing preventing your company's sensitive information from landing in the wrong hands.

How Often Should You Change Your Password?

IT experts recommend that people should update their passwords after every three months. However, if you know you've been a victim of a cyber attack, you should change immediately. The intention is to ensure that if a password is compromised, a cybercriminal will only remain inside the hacked account for a short time.

If you do not intend to change your password from time to time, following the guidelines below on changing your password is advisable.

  • Change your password immediately if you believe your account is hacked.

  • Use strong, unique passwords.

  • Prioritize the use of a password manager to avoid memorizing or writing down your passwords.

  • To ensure that a cracked password does not compromise your account, consider using some form of two-factor authentication whenever possible.

Why Should I Change My Password?

It’s possible that the strategy you rely on to secure your company network is asking your fellow employees to change their passwords often. But do you take time to consider whether doing so is actively making your systems less secure? The reason is that your employees will potentially not put a lot of mental muscle behind changing their passwords regularly when you force them to do so.

The tendency for most individuals is to create passwords that follow predictable patterns known as "transformations." These may involve switching the order of special characters or digits, incrementing a number, adding or deleting a special character, or changing a character to a similar-looking symbol. These options are an all too familiar way of surviving the regularly scheduled slog, and that is understandable since that is how our brains work.

However, to avoid leaving oneself vulnerable to online attacks, the solution here is creating an unpredictable password. Such a password is not easy to come up with, and it is hard to remember. The bottom line is that you should focus on ensuring that your employees are using strong passwords. Otherwise, they will remain the weakest link that hackers target and eventually penetrate your business systems.

When to Change Your Password

Indeed, changing your password when someone with malicious intentions gets ahold of it can cut off their access to your firm's network infrastructure. That explains why most companies have a schedule requiring their employees to change their passwords at frequent intervals. The problem is that this approach is contributing to poor password practices, including;

  • Use of predictable passwords.

  • Creation of weak passwords.

  • Use of the same passwords for multiple online accounts.

So, when should you change your password? Here are 3 instances that you may come across.

1. When You Suspect A Device Is Compromised

If you believe that one of your accounts, like your social media account or email account, is hacked, consider changing the password immediately. Also, when your tablet, computer, or phone gets malware or is compromised, change the device's password and that of any accounts you access from such a device.

2. In The Event of A Data Breach

The minute you get word that your office data is part of a data breach, change the password and do the same for any of your accounts using that password. The reason is that a hacker will use the passwords they breach all over the internet to find out what else they may unlock. The concept is known as credential-stuffing. That explains why using unique passwords for your accounts is a wise idea.

Also, the right password manager can alert you immediately if your email address suffers a data breach, including details on the nature of the attack. In that case, you can tell which password you need to change.

3. When Logging into An Insecure Network

You cannot tell the nature of hardware keyloggers or malware running on a public device at any one time. That includes a tablet or computer at an internet café or the airport, which you may need to use on various occasions. As such, you cannot trust devices in such locations, and you should avoid using them as much as possible.

However, if you need to login into an insecure network for whatever reason, consider changing your password securely using your device via a trusted network.

How Do Passwords Get Hacked?

Online attackers have several password-hacking strategies at their disposal. Perhaps, the easiest option is purchasing your passwords off the dark web. Understand that hackers make big money from acquiring and selling login passwords and credentials on the black market. That suggests that if you are still using the same password after several years, there is a high probability that it is compromised.

However, if you are careful to keep your passwords off the aggregated black-market lists, cybercriminals have to crack them. Below are some of the approaches that ways attackers have passwords.

  • Guesswork.

  • Phishing.

  • Social engineering.

  • Shoulder surfing.

  • Offline cracking.

  • Malware.

  • Spidering.

  • Brute force attack.

  • Use of network analyzers.

  • Dictionary attack.

  • Rainbow table attack.

  • Mask attack.

How to Create A Strong Password

Here are tips for creating strong passwords.

  • Creating a good combination of 12 or 16 character passwords can be a challenge.

  • Using a password generator will come in handy in this case, which will go a long way towards protecting your online accounts and devices.

  • Avoid reusing passwords since hackers will try to exploit your old password as well as variations of it as soon as they land their hands on it.

  • Consider using a passphrase. That refers to a string of words that make sense of some sort when put together. An example is "Twenty Tots Sit On The Train," which is 23-characters long, and memorizing it should not be a problem.

  • Invest in a password manager because it adds an extra layer of security and allows you to store several complex passwords.

  • If the website or service you use has two-factor authentication, consider using it. That becomes a robust security layer you can add for relatively less hassle.

Examples of Bad Passwords

Most people choose passwords that are less than ideal after creating new accounts on particular websites. Here are a few examples of bad passwords that increase your susceptibility to online attacks.

  • qqww1122

  • iloveyou

  • 123456

  • Million2

  • 111111

  • qwerty

  • 123456789

  • password

  • 1234567890

  • senha (Portuguese for password).

  • 000000

  • abc123

  • picture1

  • password1

Examples of Password Hacking Incidents

Florida Water Plant Attack

A hacker gained remote access in an attempt to poison the water supply of a water treatment plant in Florida, and a shared password may be to blame in this case. The unidentified attacker exploited TeamViewer, a program that governments and entities can install on a PC to view a machine's desktop screen remotely over the internet. It also allowed them to control the mouse cursor.

The attack happened after the installation of TeamViewer on several computers by employees to help them manage the water treatment plant in Florida. The problem is that all computers in the facility shared the same password for remote access at that point. Additionally, the connection of those computers to the internet is without a firewall. Also, the operating system they were running on was a 32-bit version of Windows 7.

This Windows version no longer received security updates, although enterprise customers with extended life support are an exception in this case. That explained why the hacker did not have difficulties breaching the facility's systems.

Spotify Hack

The leveraging of login credentials and individual records to break into thousands of Spotify accounts lead to discovering an unsecured internet-facing database with sensitive details belonging to millions of individuals. The information that suffered the online attack comprises details like the countries of residence, usernames, email addresses, and passwords of various persons.

At the time, Spotify was storing data for various clients in an unsecured Elasticsearch server that vpnMentor uncovered. Later on, Spotify confirmed that hackers used the company's data to defraud it and its users, but the origin and owners of the database responsible for the attack remain unknown to date.

How To Know If My Password Is Compromised Or Stolen

Today, our lives are increasingly interconnected, making passwords a necessity, yet, they can also become your online security's weak link. Also, it is shocking to discover that over 44 million Microsoft account holders use recycled passwords.

That kind of credential duplication opens the door for hackers to use one known, stolen password against multiple accounts, making the possibility of gaining access to some of them is relatively high. So, how do you know if your password is stolen or compromised? Here is what you can do.

Although you can use any of the options above, there is no surefire method to know if your password is compromised. So, you should prioritize keeping your passwords secure and unique.

Password Security Tips

1. Educate Your Employees

Every employee requires some level of cybersecurity training to learn the basics of company information protection. Conducting regular security training allows your workers to remain aware of current online threats and gain insight into guarding against the same.

2. Use Complex Passwords

The weakest link within your firm when it comes to online security is your employees. For that reason, you should emphasize the need to use complex passwords. Here are a few tips for creating strong passwords.

  • Play with your keyboard by adding emoticons to your passwords. You can also use commonly allowed symbols like &, %, $, !, #, among others.

  • Use a phrase and incorporate acronyms or shortcut codes.

  • Consider using passwords with common elements, but customize them to particular websites. For instance, you can use Pwrd4Acct-$$ (Password for account at the bank) or ABT2_uz_AMZ! (About to use Amazon).

3. Use A Password Manager

Suppose you want to avoid the hustle of remembering all your passwords, writing them down, or the risk of storing them in an insecure location. If that is so, you should consider acquiring a password manager. The tool acts as a password vault that keeps login credentials securely and that can improve your company's password security.

What Is A Password Manager?

Creating passwords is always an issue for most individuals, and that is why some of them prefer using the same password on various occasions. That may be an option, but it leaves a security gap that hackers can explore in a bid to derail your company operations. That is why investing in a password manager is advisable.

A password manager is a program that allows you to generate and store all your passwords in a secure location. You can also keep secure notes as well as credit card information in the program. Additionally, instead of using your master password, a password manager can allow you to use biometric data.

Sharing certain information with your friends and family members without copy-pasting it into an instant message or email is also possible when you have a password manager.

How Do Password Managers Work?

There are different categories of password managers, and below are details on a few of them to help you understand how they work.

Stateless or Token-Based Password Managers

In this case, the key for unlocking your specific account is in a local piece of hardware like a flash drive. Also, a password vault is nonexistent since stateless or token-based password managers generate them afresh whenever you log in. Using your master password in addition to the token is a wise idea since you will be implementing two-factor authentication by doing so.

A token-based or stateless password manager stores your passwords nowhere, does not require synchronization and is usually free and open-source.

Pros

  • The storage of your credentials is in a separate device.

Cons

  • Investing in proprietary software and hardware is inevitable when you opt for a stateless or token-based password manager.

  • Losing your device means that you will lose your access.

Locally Installed or Offline Password Managers

A locally installed or offline password manager stores your data on your device. That can be a smartphone or computer, depending on what you prefer. Your passwords will be in an encrypted file, separate from the password manager. Some varieties of this password manager allow you to store each password in a separate file, thereby increasing your overall security.

Note that to access your offline vault, in this case, you need a master password, and using offline password managers on multiple devices can be challenging.

Pros

  • Locally installed or offline password managers are free.

  • Reduce the probability of intruders breaching your vault.

Cons

  • In case you lose your device, you lose your vault.

  • When accessing your vault, you can only use one device.

Benefits of Using A Password Manager

  • It incorporates two-factor authentication to strengthen your online security.

  • Allows you to generate passwords, thereby saving on time.

  • Provides cross-platform support, which means that you can use it on different platforms, including smartphone apps and web browsers.

  • Eases the process of administering all your logins.

  • Promotes secure password sharing.

  • You can auto-fill passwords and other recurring details on most password managers, withdrawing the need for typing.

Cybercrime continues to threaten the survival of most businesses. As such, pitching in to make the web a more secure place overall is not an option, and it all starts by adopting good password habits.

As the world continues to navigate the complexities of remote and hybrid workforces, Electric is here to support your organization. Electric can keep your business moving with Electric's chat-based, lightning-fast IT support. Send us your requests and we'll handle the rest, so you can get back to work.


Stay up to date

Subscribe to the blog to stay up to date with all the latest industry news and updates from Electric.