Change Your Password Day was established in 2012 and has been celebrated annually since then. But what might’ve seemed like a good idea back then is somewhat outdated in 2019. That’s why we’re proposing a change: Strong Password Day.
Changing passwords regularly doesn’t help
A decade ago, it was common security practice to change passwords regularly. Nowadays we know that it is not particularly effective, because the password problem is twofold. First, for effective protection, passwords have to be hard to guess. Second, to be usable, passwords have to be easy to remember. Forced rotation does limit how long a compromised password stays useful, but it does nothing to make the next password harder to guess, and it drastically complicates the second part.
The problem really stems from the fact that we, as humans, do not like to remember long, complicated passwords; we are not machines. So, we do what comes naturally: we cheat. When we are forced to change a password, we make small changes to the existing one instead of creating a brand new one. To illustrate the point, take the password "batman2018". Most of us, if asked to change it, would probably just change it to "batman2019". The system sees a different password, but it is essentially the same, and crucially, if the old password is compromised, it does not take a genius to guess the new one: an attacker who knows the old password needs only a handful of guesses.
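To make that last point concrete, here is an added example (not code from the original article or from Kaspersky) of the kind of "mangling" an attacker runs over a leaked password: it generates the variants people most often choose when forced to change, and counts how many guesses it takes to hit the new one. The rule list is an illustrative assumption, far shorter than the rule sets real cracking tools ship with.

```python
import re

# Added example: derive likely "changed" passwords from a leaked one.
# The rules below are a small, hand-picked assumption (bump a trailing number,
# append a common suffix, change case); real password-cracking rule sets run
# thousands of such transforms.

def mutations(old):
    """Return likely successors of `old`, most common guess first, without duplicates."""
    cands = []
    # Rule 1: a trailing number gets bumped, e.g. batman2018 -> batman2019.
    m = re.match(r"^(.*?)(\d+)$", old)
    if m:
        stem, num = m.groups()
        width = len(num)  # keep leading zeros, e.g. pass007 -> pass008
        for delta in (1, 2, -1, 10):
            cands.append(f"{stem}{int(num) + delta:0{width}d}")
    # Rule 2: common suffixes people add to satisfy "must differ" checks.
    for suffix in ("!", "1", "!1", "#", "123"):
        cands.append(old + suffix)
    # Rule 3: case changes.
    cands += [old.capitalize(), old.upper(), old.swapcase()]
    out, seen = [], {old}
    for c in cands:
        if c not in seen:
            seen.add(c)
            out.append(c)
    return out

def guesses_until(old, new):
    """Number of guesses an attacker who knows `old` needs to reach `new`, or None."""
    for i, cand in enumerate(mutations(old), start=1):
        if cand == new:
            return i
    return None

if __name__ == "__main__":
    leaked = "batman2018"                      # constructed sample, as in the text
    for candidate in ("batman2019", "batman2018!", "Batman2018", "x7$Lq!pR9vTz"):
        n = guesses_until(leaked, candidate)
        print(f"{candidate!r}: {'guess #' + str(n) if n else 'not in the mutation list'}")
```

The unrelated, randomly generated candidate on the last line is not found at all, which is the whole point: a genuinely new password gains nothing from the old one leaking, while a "rotated" one is found on the first try.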
‘Change your password day’ is upon us, but instead of just changing your password, we think it’s better to create strong passwords. Simply changing your password doesn’t necessarily make your accounts more secure – in fact, it could actually do the opposite. Research shows that constantly changing passwords leads us all to create weaker passwords over time. So instead, we’re asking everybody to create STRONG, memorable passwords that you don’t have to change all the time. #passwords #changeyourpasswordday #strongpassword #themoreyouknow #cybersecurity #usefultoknow #tips #tricks #kasperskylab #CyberAware #cybersmart
TL;DR: Changing passwords regularly does not really work. It is a much better idea to use strong and, more importantly, unique passwords. Now, let's talk a little about uniqueness.
Why passwords have to be unique
It may seem like a good idea to come up with one really strong password and use it for all your accounts. That way the accounts are well protected and you only have to remember one password, even if it is a complex one. Win-win, right? In a perfect world, maybe. Unfortunately, in our world, data leaks happen regularly and passwords get compromised. If you use the same password everywhere, just one leak means that all your accounts could be compromised: attackers routinely take leaked e-mail and password pairs and try them automatically against other services, a practice known as credential stuffing. In other words, it is not a two-birds-with-one-stone situation but an all-eggs-in-one-basket one.
What makes a strong password
What should a password look like to be considered strong? The answer is a bit complicated (think math), but in a nutshell it comes down to just two properties. The first is the set of characters used in the password: the larger the alphabet, the more possibilities an attacker has to try for each position. The second is length: the longer, the better. For a password whose characters are chosen at random, the two combine into a single number, the number of bits of entropy, which equals the length multiplied by log2 of the alphabet size; every extra bit doubles the work of a brute-force attack.
The good news is that these properties compensate for each other. If you struggle to remember nonalphanumeric symbols (#, %, &, and so forth), you can simply make your password a few characters longer instead. For example, a 12-character random password drawn from all 95 printable ASCII characters has about 79 bits of entropy; a password built from letters and digits only (62 characters) reaches the same strength at 14 characters.
One more thing: A strong password does not have to be random. Randomness is nice for security, but random passwords are a pain to remember. Again, you can compensate with length. Keep in mind, though, that the entropy figures above assume random characters; a password built from dictionary words or familiar phrases yields far fewer bits per character, because attackers guess whole words, not letters. So make your passwords at the very least a dozen characters long, and preferably quite a bit longer.
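Here is an added example (not code from the original article or from Kaspersky) that turns the two properties above into numbers: it detects which character classes a password uses, computes the entropy of a random password of that length over that alphabet, and works out how much longer an alphanumeric-only password must be to match one that uses symbols. The guess rate used for crack-time estimates is an assumed figure for illustration; the estimates are an upper bound for human-chosen passwords, as noted in the text.

```python
import math
import string

# Added example: entropy = length * log2(alphabet size), under the assumption
# that every character is chosen uniformly at random from the detected alphabet.
# For dictionary-based or human-chosen passwords this is an UPPER bound.

GUESSES_PER_SECOND = 1e10  # assumed offline guessing rate, chosen for illustration

CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
)
SYMBOL_COUNT = len(string.punctuation) + 1  # 32 printable ASCII symbols plus space

def alphabet_size(password):
    """Size of the pool an attacker must search if the password uses these classes."""
    size = 0
    for chars, count in CLASSES:
        if any(c in chars for c in password):
            size += count
    if any(not (c.isascii() and c.isalnum()) for c in password):
        size += SYMBOL_COUNT
    return size

def entropy_bits(length, alphabet):
    """Bits of entropy of a random password of `length` over `alphabet` characters."""
    return length * math.log2(alphabet)

def length_to_match(target_bits, alphabet):
    """Shortest length at which a random password over `alphabet` reaches target_bits."""
    # small epsilon guards against 12.000000000000002 rounding up to 13
    return math.ceil(target_bits / math.log2(alphabet) - 1e-9)

def crack_seconds(bits, rate=GUESSES_PER_SECOND):
    """Expected time to find the password: half the keyspace at `rate` guesses/s."""
    return (2 ** bits) / 2 / rate

def estimate(password):
    """Summarize length, detected alphabet, entropy and crack time (upper bound)."""
    size = alphabet_size(password)
    bits = entropy_bits(len(password), size)
    return {
        "length": len(password),
        "alphabet": size,
        "bits": round(bits, 1),
        "crack_years": crack_seconds(bits) / 31_557_600,
    }

if __name__ == "__main__":
    # constructed sample passwords
    for pw in ("batman2018", "Tr0ub4dor&3", "correct horse battery staple"):
        e = estimate(pw)
        print(f"{pw!r:32} len={e['length']:2} alphabet={e['alphabet']:2} "
              f"bits={e['bits']:6} crack~{e['crack_years']:.2e} years (random-case bound)")
    bits_95 = entropy_bits(12, 95)
    print(f"12 chars over 95 symbols = {bits_95:.1f} bits; "
          f"letters+digits need {length_to_match(bits_95, 62)} chars to match")
```

Note how the passphrase scores highest purely on length even though it uses only lowercase letters and spaces; the real-world figure for it is lower than shown, because an attacker who guesses whole dictionary words gets far fewer than 5.9 bits per character, which is exactly why the text recommends going well beyond twelve characters when the password is not random.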
Strong and unique passwords that are easy to remember
With that said, remembering strong and unique passwords can be much easier than you think. You just need to know how to do it right. Our Global Research and Analysis Team member David Jacoby explains it in terms we can all understand, and he even gives a good example of how to come up with your own password system, which will make forgetting passwords a thing of the past. You can check out his password ideas in his post or in the accompanying video.
And finally, here are two more tips to help you lock down your accounts even further. First, enable two-factor authentication for all your accounts that offer it, so a leaked password alone is not enough to log in. Second, use a password manager: it generates and stores long, random, unique passwords for you, so you only have to remember one strong master password.