Is changing your password periodically a good idea?

Liscio Blog

Periodically changing your password is no longer a good idea according to NIST.

In order to keep your online information safe, the smart thing is changing your password periodically, right? Well, not according to the security gurus at the National Institute of Standards and Technology (NIST).

Changing your password frequently can do more harm than good for the simple fact that we can’t remember them. With special character requirements and length restrictions, creating a memorable string of letters and numbers every thirty days is nearly impossible. So when we’re prompted to change our passwords, what’s the next logical step we take to remember them? We write them down.

Not only is writing down a password equivalent to leaving a welcome mat out for your sensitive information; if you’re in a work environment, it’s also likely against company policy. Leaving a password paper trail could leave you vulnerable to both security and company consequences (and possibly a few laughs from IT).

People aren’t built to remember multiple complex passwords. As a result, we tend to use the same password for everything. This leaves us with one vulnerable code protecting everything from bank information to healthcare records and photos.

While the NIST by no means suggests weakening password requirements, the research group does argue that the practices we use to remember our constantly changing passwords (i.e., writing them down and using the same password for everything) are counterproductive. Instead of requiring users to update their password on a fixed schedule, the NIST suggests rethinking how we log in altogether.

A password manager, for example, acts as a vault to save and store passwords. Its contents can only be accessed by a master password. If the master password is compromised, the contents inside are protected by encryption, appearing as scrambled characters to an outside intruder. Multi-step verification, on the other hand, allows you to confirm your identity with a secondary password (like a temporary code sent to your phone or tablet). According to the NIST, these access alternatives provide a safe and practical authentication process that reinforces the purpose of passwords: security.
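As an added example (not code from the Liscio post), here is the server side of the "temporary code sent to your phone" check described above: it issues a short-lived code, stores only a hash of it, and rejects codes that are expired, already used, or guessed too many times. The class name, the `send_fn` callback standing in for SMS/push delivery, and the constants are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # a delivered code should expire quickly
MAX_ATTEMPTS = 5         # a 6-digit space is small, so cap guesses per code


@dataclass
class PendingCode:
    code_hash: bytes      # only a hash is kept server-side, never the code
    expires_at: float
    attempts: int = 0


class OneTimeCodeService:
    """Issues and checks temporary second-factor codes (hypothetical service).
    Delivery is out of scope: send_fn stands in for the SMS/push channel."""

    def __init__(self, send_fn, clock=time.time, rng=secrets.randbelow):
        self._send = send_fn
        self._clock = clock
        self._rng = rng
        self._pending: dict[str, PendingCode] = {}

    @staticmethod
    def _hash(user: str, code: str) -> bytes:
        # Bind the hash to the user so a code issued to one account cannot be replayed on another.
        return hashlib.sha256(f"{user}:{code}".encode()).digest()

    def issue(self, user: str) -> None:
        # Zero-padded so every code has CODE_DIGITS digits.
        code = f"{self._rng(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        expires = self._clock() + CODE_TTL_SECONDS
        self._pending[user] = PendingCode(self._hash(user, code), expires)
        self._send(user, code)

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[user]          # expired: a fresh code must be issued
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.code_hash, self._hash(user, submitted))
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self._pending[user]          # single use, or burned after too many guesses
        return ok
```

The clock and random source are injectable so the behaviour can be exercised deterministically; in production leave the defaults.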

Whether you agree with the NIST or not, at the end of the day, how you keep your information safe is up to you. In an age of evolving online threats, avoiding attacks requires the right tools and a mindful guard up. Best practices combined with security-focused platforms like Liscio, with secure messaging, file sharing, and multi-factor authentication, will help you build the best defense.