
How often should you change your password?

There was an article recently based on a 2010 study that suggested that frequent password changes actually negatively impact security.

I agree with the article but feel that some of the commentary could be a little more nuanced. The thrust of the article is that forcing regular password changes irritates users and they turn to patterns like adding a number on the end and just incrementing it. I've seen my share of users who will happily announce to the world that their password is 'August2016' without being asked.

If MySpace forced passwords to expire every 30 days and you found 'March2008' in the recent MySpace breach, it wouldn't take a genius to work out what was next.

On the other hand, occasional password changes do have their place. Should MySpace wait until there is public evidence of a breach to force a reset? What about other organisations like Facebook and Netflix, who reset the passwords of users who had reused their MySpace password? There are a lot of ifs here:

  • If MySpace had used a secure hash like PBKDF2 or bcrypt, then all but the weakest passwords would be secure; and
  • If users picked passwords with a significant amount of entropy, they wouldn't be cracked even if MySpace had just used MD5; and
  • If users didn't reuse passwords across sites, it wouldn't be an issue for other sites anyway; and
  • If ...

Our natural response as security professionals is to try to force people to use good password hygiene so we resort to things like password expiry dates and complexity requirements that actually restrict the number of available passwords.

We should look at ways to encourage good password hygiene instead: sign-up forms can offer the option to generate a password¹ and a button to copy it to the clipboard so users can paste it into a password manager. Maybe organisations should include tools like KeePass as part of the standard operating environment and make them available on all desktops.

In the future we need to move to things like two-factor authentication with a hardware device and reduce our reliance on passwords.


  1. My preferred method of generating passwords is dd if=/dev/random bs=1 count=18 2>/dev/null | base64. I haven't looked into this at all, but I'm sure there would be a secure way to do the equivalent of that in client side JavaScript. 

Content on this site is licensed under a Creative Commons Attribution 4.0 International License.