The Change Your Password Day was established in 2012 and has been celebrated annually since then. But what might have seemed like a good idea back then is somewhat outdated in 2019. That’s why we’re proposing to change it to Strong Password Day.
Changing passwords regularly doesn’t help
A decade ago, it used to be a common security practice to change passwords regularly. However, nowadays it’s not considered to be effective. Why is that? Well, when it comes to passwords, there are actually two parts to the problem. First, passwords have to be hard to guess to effectively protect the account they are used for, and second, passwords have to be easy to remember in order for us to use them. Whilst changing passwords regularly does have some positive impact on the first part, it drastically complicates the second.
The problem really stems from the fact that we, as humans, don’t like to remember long, complicated passwords — we’re not machines. So, we do what comes naturally — we cheat. When we are forced to change a password, we make small changes in existing passwords, instead of creating a brand new one. To illustrate the point, let’s take the password ‘batman2018’. Most of us, if asked to change this, would probably just change it to ‘batman2019’ — the system sees a different password, but technically it’s the same and crucially, it wouldn’t take a genius to guess the new password, if the old one had been compromised.
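The ‘batman2018’ to ‘batman2019’ pattern is exactly the kind of change a service can catch on the server side at the moment the user submits a new password (the only moment both old and new are available in clear text; stored hashes cannot be compared for similarity). The following is an added example, not code from the original post: a small check that normalizes away the usual cheats (case, trailing digits or symbols, a few letter-to-symbol substitutions) and rejects a new password that is still within a few edits of the old one. The substitution table and the distance threshold are assumptions of this example, not a published policy.

```python
import re

# Letter-for-symbol substitutions commonly used to "refresh" a password
# (assumed table for this example).
LEET = str.maketrans("@$!013", "asiole")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(pw: str) -> str:
    """Collapse case, strip a trailing run of digits/symbols, undo leet substitutions."""
    s = pw.lower()
    s = re.sub(r"[\d\W_]+$", "", s)   # 'batman2019!' -> 'batman'
    return s.translate(LEET)          # 'b@tman'      -> 'batman'


def is_trivial_change(old: str, new: str, min_distance: int = 4) -> bool:
    """True if `new` is just a cosmetic edit of `old` and should be rejected."""
    if normalize(old) == normalize(new):
        return True
    return levenshtein(old.lower(), new.lower()) < min_distance


if __name__ == "__main__":
    # Constructed sample pairs: the first three are the kind of change the post describes.
    for old, new in [("batman2018", "batman2019"),
                     ("batman2018", "B@tman2019!"),
                     ("Summer2018", "Summer2018x"),
                     ("batman2018", "tardis-blue-42")]:
        verdict = "reject" if is_trivial_change(old, new) else "accept"
        print(f"{old!r} -> {new!r}: {verdict}")
```

A check like this belongs in the password-change handler, where it can refuse the change before the new value is hashed; it does nothing against a leaked password that the user has not yet changed, which is the argument the post makes for uniqueness.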
TL;DR: Changing passwords regularly doesn’t really work. It’s a much better idea to use strong and, even more importantly, unique passwords. Now, let’s talk a little bit about uniqueness.
Why passwords have to be unique
It may seem like a good idea to come up with one really strong password and use it for all your accounts: this way the accounts are well protected and it’s quite easy to remember just one password, even if it’s a complex one — win-win, right? In a perfect world, this would be true. Unfortunately, we don’t live in a perfect world, and sadly data leaks happen regularly and passwords get compromised. If you are using the same password for all accounts, just one leak means that all your accounts could be compromised. In other words, it’s not a two-birds-with-one-stone situation, but rather an all-eggs-in-one-basket one.
What makes a strong password
What should a password look like in order for it to be considered ‘strong’? The answer is a bit complicated (think math), but in a nutshell it all comes down to just two properties. The first one is the set of characters that are used in a password: diversity makes passwords less predictable and therefore stronger. And the second one is length: the longer, the better.
The good news is that these properties compensate for each other: if you are struggling to remember all the “#, % and &” stuff, you can simply make your password several characters longer instead.
One more thing: a strong password doesn’t have to be random. I mean, randomness is nice for security, but it’s a hell of a pain to remember random passwords. Again, you can compensate with length — make your passwords at the very least a dozen characters long, preferably even longer.
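The “think math” behind the two properties is the number of possible passwords an attacker would have to try, usually expressed in bits as log2(alphabet size ^ length). The following added example (not code from the original post) carries that calculation through so the trade-off can be seen in numbers: eight characters drawn from all four classes (an assumed alphabet of 94 printable ASCII characters) give about 52 bits, and twelve lowercase letters already exceed that. The class sizes are assumptions of this example, and the figures are an upper bound that assumes the characters were chosen at random; a dictionary word such as ‘batman’ is far weaker than the formula suggests, which is why the post also asks for length beyond a dozen characters.

```python
import math
import string

# Character classes a policy typically counts; sizes are assumptions of this example.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}


def charset_size(password: str) -> int:
    """Size of the alphabet inferred from the character classes present in the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def entropy_bits(length: int, alphabet: int) -> float:
    """Bits of entropy for a password of `length` chosen uniformly from `alphabet` symbols."""
    return length * math.log2(alphabet)


def equivalent_length(target_bits: float, alphabet: int) -> int:
    """Smallest length that reaches `target_bits` using only `alphabet` symbols."""
    return math.ceil(target_bits / math.log2(alphabet))


def strength_estimate(password: str) -> float:
    """Upper-bound entropy of a password; real strength is lower for words and patterns."""
    return entropy_bits(len(password), charset_size(password))


if __name__ == "__main__":
    mixed = entropy_bits(8, 94)            # 8 chars, all four classes
    print(f"8 mixed characters: {mixed:.1f} bits")
    print(f"lowercase only needs {equivalent_length(mixed, 26)} characters to match")
    # Constructed sample from the post; the formula ignores that 'batman' is a word.
    print(f"'batman2018' scores at most {strength_estimate('batman2018'):.1f} bits")
```

The `equivalent_length` figure is the concrete form of the post’s advice: trading the “#, % and &” for a few extra letters keeps the search space the same size.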
Strong and unique passwords that are easy to remember
With that said, remembering strong and unique passwords can be much easier than you think. You just need to know how to do it right. Our Global Research and Analysis Team member David Jacoby explains it in layman’s terms we can all understand — he even gives you a good example on how to come up with your own ‘password system’, which will make forgetting passwords a thing of the past. Read this post or watch the video.
And finally, here are two more tips which should help you lock down your accounts even further: first, enable two-factor authentication for all your accounts; second, use a password manager as a backup plan.