While there is no hard and fast rule, experts agree that it is best practice to change your passwords every 90 days. Yup, every 90. If the very thought of going through each and every one of your 127 passwords and updating them every 90 days makes you want to click off this article - don’t.
With a little knowledge, this tedious task can be made easier and safer. We’ll also share why it’s an essential part of securing your accounts and that it's:
- Worth your time, and
- Not as overwhelming as it seems if you’re using the right tools
Aside from learning to spot social engineering attacks, regularly changing your passwords is one of the easiest actions you can take to minimize the probability of being hacked.
Table of Contents
- Why should I Change My Password?
- Special Occurrences That Should Prompt a Password Change
- How to change your passwords
- What is a password manager?
Why Should I Change My Password?
Does changing my password really make a difference?
Statistics from 2019 found that over 1 million passwords are stolen every week, and that number has only increased during the pandemic. Today, there are over 24 billion username and password combinations available on the dark web.
Changing your passwords absolutely makes a difference in keeping your accounts safe, provided they’re strong. Some stolen passwords are exploited right away, but others are leveraged months later. Changing your password could foil months of a cybercriminal’s work, which may lead to them focusing their attention on lower-hanging fruit.
Are my accounts more secure the more I change my password?
Yes and no. Provided you are using randomly generated or unique passwords of 12+ characters with symbols and numbers, updating your most valuable accounts frequently absolutely keeps them more secure.
Frequent, scheduled password changes are only an issue when the task is thrust upon an uneducated employee who hasn’t been given the right tools for the job.
Most software solutions that mandate frequent password changes are rendered virtually useless by not giving the user the proper tools. People feel annoyed at being forced to change and memorize a new password, and often game the system: first adding a 1, then a !, then a 2, and so on. I was certainly guilty of this at past jobs.
Requiring people to change their passwords without providing a password manager (more on this below) irritates people and does little to bolster your company’s security.
Cybersecurity exists on a spectrum: convenience and frictionlessness on one end, security on the other. In a perfect world you would change your password every day, but the cost/benefit analysis buckles when you realize that a program like TeamViewer can get hacked, rendering a simple security measure such as a password useless.
Ultimately, a combination of new, complex passwords and a second authentication factor is the best we can do.
If your systems require the best available security, look into hardware keys such as Yubico, Google Titan, and Thetis.
Special Occurrences That Should Prompt a Password Change
In the realm of cybersecurity, certain events or circumstances necessitate an immediate password change to maintain the integrity of your accounts and sensitive information. Here are some scenarios that should prompt you to update your passwords:
1. Known Password Breach
If a service or platform you use has experienced a data breach, especially one involving user passwords, you should change your password for that account immediately. Breached passwords can be exposed to hackers, who might attempt to use them across multiple platforms.
2. Reused Passwords Across Accounts
If you've been using the same password for multiple accounts and one of those accounts becomes compromised, it's essential to change the password for all other accounts using the same credential. Cybercriminals often try credentials obtained from one breach on various platforms.
3. Sharing Passwords with Others
If you've shared a password with someone and their access is no longer necessary, change the password. Even if you trust the person, their device might be compromised or stolen, potentially leading to unauthorized access.
4. Employee Departure or Role Changes
In a business context, when an employee leaves the organization or changes roles, change their account passwords immediately. This prevents former employees from accessing sensitive data and systems, reducing the risk of insider threats.
5. Suspicious Account Activity
If you notice unfamiliar activity in your account, such as unauthorized logins, emails you didn't send, or changes to your account settings, it's a strong indication of a potential compromise. Change your password and review your account security settings.
6. No Longer Using an Account
If you've stopped using an account or service, it's best practice to change the password and then deactivate or delete the account altogether. Dormant accounts can be targeted by attackers, and maintaining unnecessary accounts increases your risk exposure.
7. Loss or Theft of Device
If you've lost a device (such as a smartphone or laptop) or it's been stolen, change the passwords for all accounts accessible from that device. This prevents unauthorized access by whoever gains possession of the device.
8. Updated Security Practices by the Service Provider
If the service provider or platform you use announces security improvements, such as implementing stronger encryption or enhanced authentication methods, consider changing your password to align with these enhanced security measures.
9. Phishing or Social Engineering Attacks
If you suspect that you've fallen victim to a phishing attack or have inadvertently shared your password through social engineering tactics, change your password immediately to prevent unauthorized access.
How to change your passwords
The most common reason people cite for not wanting to change passwords is the time required. It’s a manual process, and right now, there’s no way around that. But if you're not using a password manager, your vision of what the process looks like may be needlessly convoluted.
The unknown can be scary.
With a password manager, updating passwords is as simple as:
- Navigate to the “change password” page of your account settings
- Click your browser extension. The extension will most likely have pulled up the appropriate record, but if not, simply search for it
- Click “edit” in your password manager on the account you’re updating
- Use the Password Generator to create a new, strong password
- Save the password in your manager and on your account
Change your passwords with a movie or music in the background! There’s no reason it has to be all boring.
How to make strong passwords
If the account you’re using allows for symbols, then generating a long, random string of symbols, digits, and letters is the easiest and safest option.
If you need to remember the password, try creating a passphrase. Passphrases are strings of words, with a few symbol and number substitutions, that are easy to remember but hard to guess. Part of the reason passphrases are effective is that when it comes to password strength, longer is better. Don’t use song lyrics, lines from poems, or anything that can be found in a Google search.
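The two password styles recommended above, generated the way a password manager's generator should do it (from a cryptographically secure source), as an added example that is not TeamPassword's code. The word list and substitution table are constructed for the demo; the entropy helper shows why a long random string or a long phrase from a big word list beats a short one.

```python
import math
import secrets
import string

# Added example, not TeamPassword's code. Everything random comes from the
# secrets module (the OS CSPRNG), never from random.random().
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Constructed word list for the demo. A real generator uses a list of
# several thousand words so that each extra word adds ~12+ bits of entropy.
WORDS = ["anchor", "copper", "falcon", "meadow", "quartz", "saddle",
         "timber", "velvet", "willow", "zephyr", "harbor", "lantern"]

# The "few symbol and number substitutions" the article mentions (assumed set).
SUBS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def random_password(length: int = 16) -> str:
    """Long random string of letters, digits and symbols, 12+ characters.
    Regenerates until every character class is present, since an all-letter
    result would be rejected by many sites."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def passphrase(n_words: int = 4, sep: str = "-", substitute: bool = True) -> str:
    """Memorable passphrase: random dictionary words joined by a separator,
    with one randomly placed letter substitution per word if requested."""
    words = [secrets.choice(WORDS) for _ in range(n_words)]
    if substitute:
        for idx, word in enumerate(words):
            positions = [i for i, ch in enumerate(word) if ch in SUBS]
            if positions:
                pos = secrets.choice(positions)
                words[idx] = word[:pos] + SUBS[word[pos]] + word[pos + 1:]
    return sep.join(words)


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Guessing entropy of `symbols` independent picks from `choices_per_symbol`
    options: the number that actually decides how long a brute force takes."""
    return symbols * math.log2(choices_per_symbol)
```

With the 86-character alphabet, 16 random characters give about 103 bits, while four words from this 12-word toy list give under 15 bits; the passphrase only becomes strong with a word list thousands of entries long or more words.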
What are bad passwords?
Every year, a few websites take the time to bemoan the state of password management by compiling the worst passwords of the year. The list typically looks much the same. These passwords can be cracked in less than a second by modern software, yet continue to be widely used.
Avoiding bad passwords is mostly common sense. If you use a password generator or take the time to create a 14+ character passphrase, you’re probably good. The key is to avoid patterns and personal information.
If someone is choosing to target you, they will scour the internet and social media for personal information. Pet’s names, birthdays, your first car…it’s hard to remember everything you’ve ever said on the internet. We recommend avoiding such personal information when building your password.
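A checker for the pitfalls this section and the earlier "add a 1, then a !" anecdote describe, written as an added example rather than TeamPassword's code. The worst-passwords set is a constructed stand-in for the yearly lists; a production check would use a full breach-derived list.

```python
import re

# Added example, not TeamPassword's code: returns every reason a candidate
# password is weak by this article's rules, so it can back a self-check or a
# signup form. Sets below are constructed for the demo.
WORST_PASSWORDS = {"123456", "password", "qwerty", "111111", "iloveyou",
                   "admin", "welcome", "letmein", "abc123", "password1"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 "abcdefghijklmnopqrstuvwxyz"]


def _has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive keyboard, alphabet or digit
    characters in either direction, e.g. 'qwer', 'abcd' or '4321'."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            chunk = row[i:i + run]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def _is_increment_of(new: str, old: str) -> bool:
    """Catch the 'Password1 -> Password1! -> Password2' game: the new
    password is the old one with only trailing digits/symbols changed."""
    strip = lambda s: re.sub(r"[\d\W_]+$", "", s)
    core_new, core_old = strip(new), strip(old)
    return bool(core_old) and core_new.lower() == core_old.lower()


def weak_reasons(pw, personal_terms=(), previous=None, min_len=14):
    """List of reasons pw is weak; an empty list means it passes.
    personal_terms: pet names, birthdays, car models etc. from the user;
    previous: the password being replaced, if known."""
    reasons = []
    low = pw.lower()
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if low in WORST_PASSWORDS:
        reasons.append("appears on a worst-passwords list")
    if _has_sequence(pw):
        reasons.append("contains a keyboard or alphabet sequence")
    if re.search(r"(.)\1{2,}", pw):
        reasons.append("repeats one character three or more times")
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in low:
            reasons.append(f"contains personal information: {term!r}")
    if previous and _is_increment_of(pw, previous):
        reasons.append("only changes the digits/symbols at the end of the old password")
    return reasons
```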
Here are a few that always make the worst passwords list:
What is a password manager?
So far, I’ve asseverated that a password manager is a critical tool in your mission for effective password hygiene. But what is its purpose?
In its most basic form, a password manager is a single vault that stores unique passwords for all your accounts. The benefit is that you only need to remember one master password to access the vault.
A good vault such as TeamPassword uses Client-Side Encryption, which means that even TeamPassword employees, or anyone with access to TeamPassword’s database, cannot see your passwords. TeamPassword also uses AES 256-bit encryption and holds security accreditations such as ISO 27001, SOC 1 and SOC 2, SSAE 16 and ISAE 3402.
The best vaults allow users to share passwords with team members - be they friends, family, or colleagues. With organizational tools like groups and different user settings, you can control who sees what without exposing your data.
Should I let my browser save my passwords?
While Chrome is working to make its password manager more secure, it does not provide enterprise-level security or secure sharing.
Chrome is designed to be the most convenient browser on the market, and it succeeds. But if your Google account is breached, your passwords will be revealed. Most of us sync our Chrome profiles so that we can access bookmarks from anywhere. This works against us if one of our devices is stolen.
I won’t claim that a real password manager is as convenient as letting your browser handle everything. As I said above, cybersecurity is often a tradeoff between easy and secure. However, if you need to share passwords with team members or family, then Chrome is definitely not the appropriate tool. A dedicated password manager built for sharing is both easier to use and safer.
Here's a guide on disabling your Chrome password manager.
How does a password manager work?
Let’s start with what a password manager is not.
- Not a magical tool that automatically updates all your account passwords without you lifting a finger.
- Does not guarantee that you’ll never be locked out of an account again - you could accidentally save different passwords between your password manager and the account you’re trying to manage.
- Does not replace account settings or have administrative control over your accounts. That is, just changing your Instagram password in your password manager does not actually change your Instagram password. You still need to go to your Instagram account settings and make the change there.
What does it do?
By storing your sensitive credentials in a host-proof and locally encrypted vault, a password manager stores complex passwords for all your accounts while only requiring you to remember the master password that accesses your vault. Team plans let you safely share account credentials with your team without the credentials leaving an encrypted environment.
Is TeamPassword a good password manager?
TeamPassword is one of the best - especially for sharing passwords on teams.
TeamPassword exists so teams can effortlessly access the credentials they need…and only the credentials they need. Here are a few of the features that make this possible:
- Unlimited number of completely customizable groups such as Marketing, HR, and Billing
- Records can be part of multiple groups
- Admins grant or revoke access to each group with the click of a button
TeamPassword is designed so that your team will actually use it. The interface is simple and only shows you what you need. We integrate with Google SSO for seamless login into your vault.
We offer a mobile app and extension so your records are accessible everywhere, all the time.
If you’re looking for an affordable password manager that’s easy to set up for your team, please sign up for our free trial and let us know what you think.