Here’s why a regular password change is nonsense
The average German Internet user has 25 online accounts.
For this article, I counted my accounts—just for fun: I came up with 37 online accounts with associated passwords. That is as a private user alone. For the corporate applications and various online portals I use professionally as a marketing manager, there are certainly as many again. I really wonder who is dragging down my average like this … You probably aren’t, or you wouldn’t be reading this blog.
And for each of these accounts I need—you need—credentials, in the vast majority of cases a username and password.
And let’s be honest: can you remember all these credentials? I am happy if I know which user name I assigned or which e-mail address I entered during registration. Before I switched to our password manager DoubleClue at HWS, this knowledge was extremely relevant for me, because I had to remember my passwords without technical help. That’s why I hit the “forgot password” button every time—and I mean every time!—I logged into an account. Of course, that can’t be the point of having passwords.
The only exception was the password to my main e-mail address, which I then carelessly kept unchanged for several years for logistical reasons.
Carelessly? Considering that the German Federal Office for Information Security (BSI) was still calling for all passwords to be changed regularly until 2020, one would have to say yes. Nevertheless, I diligently ignored the “change-your-password day” celebrated on February 1. Why? The chances were very high that after changing the password of this e-mail address, I would not have been able to get into any of my accounts afterward.
At the same time, I don’t think I was careless with this long-standing and trusted password for my e-mail address, because it was the only one I had invested time in when I created it: long, complex, with special characters, numbers, upper and lower case, and no direct reference to my person. The full program.
Changing passwords regularly leads to frustration and tempts us into insecure passwords
When I look at my other—at that time—36 passwords (probably a few less), it looked different. Most of them were a relatively similar combination of one word and a—probably—different ending. I can’t say exactly, because as I said: I changed my passwords very often. But this did not make them more secure: on the contrary.
My experience that frequently changing credentials leads to an insecure mishmash of easily cracked or guessable passwords is confirmed by various studies. The more passwords we have to remember, the simpler they become. After all, who wants to sit frustrated in front of the PC every time because the log-in didn’t work (again)?
In addition, we are usually quite unimaginative when it comes to choosing passwords: after all, we have to, and want to, remember them. I’m not just talking about the classics 123456, qwerty, Passw0rd, etc., but also about—supposedly—individual passwords: Pet1!, also in the variation Pet2!, etc. The more often we change our passwords, the more thinking power we need to remember them, and the more insecure and similar they become. And that ruins the whole idea of protecting our online identity as well as possible.
That’s why the BSI now advises against changing passwords regularly, because there are better options for truly secure credentials.
Long, complex, and unique access data is better than a regular password change
The most important security measures are strong and unique passwords. Security depends—attention!—above all on the length of the password, because the longer a password is, the more time software needs to crack it automatically. Just to give you an order of magnitude: with special characters, a brute-force attack on an eight-character password takes just under 8 hours. That is one working day. And we all know: a working day can drag on, but in the end it’s over quickly.
But it’s not just the length of a password that matters; there’s also the issue of our lack of imagination: coming up with an individual password for 37+ log-ins is quite a challenge. For all those who still want to create their passwords themselves, there are tricks like “Use the first sentence of your favorite book and take the first letters as your password” or “Use three random words and add special characters to the phrase”. However, all of this is of limited help with the sheer volume of credentials.
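To make the length argument concrete, here is an added example (not from the original post) that takes the article’s figure of just under 8 hours for an eight-character password as a calibration point, derives the guess rate it implies, and extrapolates to longer passwords and to the three-random-words trick. The 95-symbol printable ASCII alphabet and the 7776-word size of the EFF long diceware list are assumptions of this example.

```python
import math

# Assumed alphabet: 95 printable ASCII characters (letters, digits, specials).
PRINTABLE_ASCII = 95
# Calibration taken from the article: 8 characters fall in "just under 8 hours".
CALIBRATION_LENGTH = 8
CALIBRATION_SECONDS = 8 * 3600
# Assumed word list size: the EFF long diceware list has 7776 words.
EFF_WORDLIST = 7776


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Bits of entropy of a uniformly random password (or passphrase)."""
    return length * math.log2(alphabet_size)


def implied_guess_rate():
    """Guesses per second needed to exhaust the calibration keyspace in 8 hours."""
    return keyspace(PRINTABLE_ASCII, CALIBRATION_LENGTH) / CALIBRATION_SECONDS


def seconds_to_exhaust(alphabet_size, length, rate):
    """Worst-case time to try every password at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def human_duration(seconds):
    """Render seconds in the largest unit that fits, for quick comparison."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    rate = implied_guess_rate()
    print(f"implied rate: {rate:,.0f} guesses/s")
    for length in (8, 10, 12, 16):
        t = seconds_to_exhaust(PRINTABLE_ASCII, length, rate)
        print(f"{length:2d} random chars: {entropy_bits(PRINTABLE_ASCII, length):5.1f} bits, {human_duration(t)}")
    for words in (3, 4, 5):
        t = seconds_to_exhaust(EFF_WORDLIST, words, rate)
        print(f"{words} random words: {entropy_bits(EFF_WORDLIST, words):5.1f} bits, {human_duration(t)}")
```

At the implied rate, three random words from a 7776-word list fall in about two seconds, which is why the trick only helps when the words are numerous or the phrase is extended further.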
Fortunately, there are various technical solutions for this. At datenschutz.org, for example, you can easily generate secure passwords according to current security standards. But how do you remember these complex passwords? I’ll come to that in a moment.
Two-factor authentication: Because two barriers are stronger than one
For now, it’s worth noting that there’s a simple technical way to make log-ins more secure. Many services, including various social media platforms, PayPal, Google, Windows, etc., now offer so-called two-factor authentication (2FA). In some cases, 2FA is even mandatory to use the service. This second login hurdle—for example in the form of an SMS code or a push approval on the smartphone—makes even the weakest log-in more secure. Of course, no one should feel tempted to use 1234 as a password, but two-factor authentication still protects your account even if the password itself has been cracked. For such accounts, it is therefore possible again to use memorable, short passwords, even though they are less secure in themselves.
Password managers are better at remembering passwords than we are
Speaking of remembering passwords. For me, it starts even earlier: which online services do I actually have an account with? I’m sure that if I didn’t have a list of my passwords, I wouldn’t be able to tell you the exact number of active online accounts I have. And I’m not even talking about linking these accounts to the correct credentials. I’m talking about the question: where exactly am I on the Internet?
That’s why it’s good that technology takes the work off my hands here as well. And NO—not an Excel list, not a Word document on the desktop (what if my computer gets hacked?), and not an analog piece of paper on the desk.
It makes more sense to use a password manager, where I can store credentials and organize them thematically. There are various solutions on the market, but it makes sense to use one that synchronizes across devices. After all, what’s the point of the Deutsche Bahn app, for example, if you need a ticket while traveling but the password is on your home PC?
Should we even change our passwords then?
With our modern tools, changing passwords is virtually unnecessary. Nowadays, the only things you should change regularly are toothbrushes and underpants. And maybe the comforter cover.
However, some situations do call for a timely password change: if there is a security-relevant reason, even the most secure password should be changed. This is the case, for example, if credentials for an online service have been disclosed because the provider’s systems were hacked, or if the company has suffered a GDPR-relevant incident in general. This does not necessarily mean that your credentials are affected, but better safe than sorry.
Some password managers therefore already have a password health check integrated. This shows not only whether a password is strong and used only once, but also whether it has been involved in a data protection incident. There are also ways to check the quality of a password on the Internet. Sites such as Have I Been Pwned also search the (dark) web for exposed credentials and check for you whether your password is affected.
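How such a check works without sending the password itself to anyone, as an added example (not the post’s own code): the Have I Been Pwned “Pwned Passwords” range endpoint receives only the first five hex characters of the password’s SHA-1 hash and returns every known hash suffix in that range together with a breach count, so the comparison happens locally. The sample response body below is constructed for this example; `fetch_range` and `check_password_live` perform the real lookup and are the only parts that need network access.

```python
import hashlib
from urllib.request import urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 into the 5-char prefix (sent) and 35-char suffix (kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse the 'SUFFIX:COUNT' lines of a range response into a dict."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_body):
    """How often the password appears in the range; 0 means not found."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix, timeout=10.0):
    """Live lookup; only the five-character prefix leaves the machine."""
    with urlopen(RANGE_URL.format(prefix=prefix), timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password_live(password):
    """Full k-anonymity flow: send the prefix, compare the suffix locally."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))


# Constructed sample response in the real API's line format. The third line carries
# the genuine SHA-1 suffix of "password"; the other suffixes and all counts are made up.
SAMPLE_RANGE_BODY = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E2AAA439972480CEC7F16C795BBB429372:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:4
"""

if __name__ == "__main__":
    print("password ->", breach_count("password", SAMPLE_RANGE_BODY), "hits in the sample range")
```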
If changing your password regularly isn’t necessary, is the change-your-password day still useful at all?
Yes—even if the name is certainly no longer accurate today: why don’t we use this day to remind ourselves that our online identity should be well protected?
Even if we don’t have to change all our passwords right away, we should still review our passwords and accounts. Are there accounts that I haven’t used for a long time? Then I should close them. After all, an account that I no longer own cannot be hacked. What about the health and integrity of the accounts I do use? Might I need to take action there?
So use the change-your-password day to review your passwords and, if necessary, to consider where and how you can store them securely.