It is common knowledge that passwords should be changed on a regular basis, but there is much confusion about how often they should be changed.
In addressing the question ‘how often should administrators and network users be required to change their password?’ there are a few things that we should consider. For those managing cybersecurity for a large company, network security must be considered along with meeting the requirements of regulations such as SOX, HIPAA, and the GDPR. Policies must also be set that are easy for employees to follow.
Most staff members will not give a second thought to password management, as they will only be concerned with their work duties and disregard the threat of cyberattacks. They want to make their lives easier, and setting complex passwords, regularly changing them, and following password security best practices are viewed as an inconvenience. Oftentimes, shortcuts are taken, such as just adding a single letter or number to a previous password, or recycling old passwords.
These issues can largely be solved by investing in a strong and reliable password manager and configuring it to ensure that password best practices are followed by everyone in the organization.
Password Best Practices Explained
- Invest in a password manager: A premium password manager will provide extra security measures like dark web monitoring, password generators, and more. It will allow for ongoing password changes and take a lot of the work away from staff and managers.
- Complete password audits: Make sure the same passwords are not in place across different platforms by conducting an audit. Never use personal information in your passwords, such as names, pets, birthdays, anniversaries, addresses, or Social Security details. The best practice is to use a range of letters, numbers, and symbols or unconnected words to make passphrases. Ensure that you change all default, weak, recycled, and potentially compromised passwords.
- Double-check passwords for sensitive accounts: Be 100% certain that financial accounts have very strong passwords.
- Enable multi-factor authentication: This is crucial for sensitive accounts and should be enabled on all platforms where possible.
- Plan for password management: Assign time for updating and auditing passwords regularly throughout the year.
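One way to implement the audit described in the list above (reuse across platforms, personal details in passwords, default or weak passwords, and passphrase composition), as an added example rather than code from the original article; the vault entries, personal details and default-password list are constructed sample data, and a real audit would read from the password manager's export:

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample vault, one entry per platform. Plaintext appears here only
# because this is an offline illustration of the audit rules.
VAULT = [
    {"site": "mail.example", "user": "jdoe", "password": "Rover2019!"},
    {"site": "bank.example", "user": "jdoe", "password": "Rover2019!"},
    {"site": "hr.example", "user": "jdoe", "password": "admin"},
    {"site": "vpn.example", "user": "jdoe", "password": "correct horse battery staple"},
]

# Constructed personal details that the policy says must never appear in a password.
PERSONAL = ["jdoe", "rover", "1985", "oak street"]
# Constructed sample of default/weak passwords (a real audit would use a much larger list).
DEFAULTS = {"admin", "password", "123456", "welcome1"}


def fingerprint(password: str) -> str:
    """Hash the password so reuse can be reported without keeping plaintext in the report."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def audit(vault, personal=PERSONAL, defaults=DEFAULTS):
    """Return {site: [findings]} for every entry that violates one of the audit rules."""
    findings = defaultdict(list)
    by_hash = defaultdict(list)
    for entry in vault:
        by_hash[fingerprint(entry["password"])].append(entry["site"])
    for entry in vault:
        site, pw = entry["site"], entry["password"]
        shared = [s for s in by_hash[fingerprint(pw)] if s != site]
        if shared:
            findings[site].append(f"reused on {', '.join(shared)}")
        if pw.lower() in defaults:
            findings[site].append("default or weak password")
        # Strip spacing and punctuation so 'Oak-Street' still matches 'oak street'.
        norm = re.sub(r"[^a-z0-9]", "", pw.lower())
        for item in personal:
            if re.sub(r"[^a-z0-9]", "", item.lower()) in norm:
                findings[site].append(f"contains personal detail '{item}'")
        # Accept either a long multi-word passphrase or a mixed-character password.
        words = len(pw.split())
        mixed = all(re.search(p, pw) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
        if not (words >= 4 and len(pw) >= 16) and not (mixed and len(pw) >= 12):
            findings[site].append("too short or too uniform")
    return dict(findings)
```

Sites with no findings are omitted from the result, so an empty dictionary means the vault passed every rule.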
With all of this in mind, it is now time to consider the regularity with which you should change passwords.
When Should You Change Your Password?
- When there is suspicion of unauthorized account access: As soon as you think a password may have been compromised, it should be changed immediately.
- Following a security breach: It is essential for you to safeguard your data and prevent any further unauthorized access.
- When malware is discovered on your device: Following discovery of a virus or malware, you should change your passwords as quickly as possible.
- After using a public access network: Using an unsecured network to access your accounts is risky and can result in password theft. If you find yourself in a situation where you need to do this, ensure you use a VPN. If you can’t, change your password afterwards once you are on a secure network.
- Following shared access: If you share access to an account with another person, change your password as soon as possible afterwards.
- After a period of no use: Even if you’re not using an account you should still change passwords regularly.
How Regularly Should Users Be Forced to Change Their Passwords?
The best practice used to be to change passwords every 90 days, but this is no longer recommended by the National Institute of Standards and Technology (NIST). If you use a password manager and create very strong passwords for your accounts, you do not have to change passwords so frequently. You should also ensure that multi-factor authentication is enabled.