February 1st is Change Your Password Day. While it’s not a holiday that gets you off work, it serves as a good opportunity each year to do a quick check-in and make sure you’re using strong passwords that will keep your accounts protected. The suggested ‘rule’ used to be to change your password every three months. Others say 6 months or annually. So when should you change your password?
Regularly changing passwords is a fundamental practice that serves as a preemptive measure against potential security breaches. But with tools like password managers, data encryption, and even more advanced tools like advanced detection and response and zero trust, experts now say that you only need to change your passwords once a year or when there is a known compromise. This does not mean you should NOT change it more often as more frequent password changes can make it more challenging for attackers to maintain access to your accounts over an extended time, but when other tools are implemented, the risks of password leaks are reduced.
Experts advise that the type of password you use is more important than how often you create a new one.
Make It Complex: Aim for complexity by combining uppercase and lowercase letters, numbers, and special characters. Avoid easily guessable information like birthdays, names, or common words. Do NOT use a variation of your current password. Cyber attackers often target known patterns and exploit outdated credentials. The more intricate and unique your password, the harder it is for hackers to crack it.
Longer Passwords Are Harder To Crack: Long passwords provide an added layer of security. Home Security Heroes used an AI password cracker to run through more than 15 million common passwords to find out how long it will take AI to crack your password in 2023. It took less than 6 minutes to crack ANY kind of 7-character password, even if it contained symbols. When creating a new password, aim for a minimum of 12 characters, and consider using passphrases—sequences of random words or a sentence—which can be both strong and easier to remember. A random passphrase would be something like: cogwheel-rosy-cathouse-jailbreak. This passphrase was generated from the website useapassphrase.com, which will auto-create a four-word passphrase for you if you’re stumped.
Use Unique Passwords For Each Account: Resisting the temptation to reuse passwords across multiple accounts is crucial. If one account is compromised, having unique passwords for other accounts ensures that the damage is contained. Consider using a reputable password manager to help you generate and store complex passwords securely. Some experts advise you NOT to use Google or your browser’s password manager. If your Google account is compromised, all of your passwords will be too.
Engage Multi-Factor Authentication (MFA): Implementing multi-factor authentication is another easy way to make your password bulletproof. MFA typically involves combining something you know (your password) with something you have (like a code sent to your phone). Even if your password is compromised, MFA significantly reduces the chances of unauthorized access.
Set Up Strong Password Recovery Alternatives: Leverage password recovery options like security questions or alternative e-mail addresses. It’s important to choose questions with answers that are not easily guessable or have publicly available information so “What’s your mother’s maiden name” is out!
Use Password Managers: You don’t have to try and remember every password, and you shouldn’t write them down on a sticky note on your desk. Instead, use a good password management tool that is secure and will handle keeping track of your passwords for you. Bonus points for turning off the auto-fill feature. Hackers can infiltrate sites and install a little bit of code on a page that creates a second, invisible password box. When your password manager auto-fills the login box, it will also fill in the invisible box, giving hackers your password. This isn’t overly common, but it still poses a risk.
Regularly Review Account Activity: Monitor your account activity for any suspicious logins or activities. Many online platforms offer features that notify you of login attempts from unfamiliar devices, allowing you to take swift action in the event of unauthorized access.
It’s important to remember that nothing is foolproof. Good password hygiene is just ONE of several building blocks you need to have a strong security posture. The right IT team will make sure you have every protection in place to keep you safe and a crisis management plan ready if something goes wrong. To find out what gaps you have in your cybersecurity system, we’ll do a FREE Cybersecurity Risk Assessment. Get started here.