Changing your passwords: clearing up the confusion

When it comes to changing your passwords, just how often is often enough but still not so often that it undermines security? In a recent tweet, Jason Harris brought up the confusing and often conflicting advice of changing passwords. The response doesn’t fit into 140 characters, so we took to our blog to cover the basics. I had a lot of feedback about recommending changing passwords regularly. Opinions differ on this one very small aspect of security #chatstc

The short answer is:

  • changing a bad password for a bad password doesn’t really help you,
  • changing an OK password for a worse password is bad, too,


  • changing a strong password for a strong password is good.

It’s not the frequency of the change that’s bad, it’s the password that comes out the other end that’s the problem.

Here’s the deal: for years – since the 90’s, at least – IT departments everywhere set their systems to require a password change every month. The logic behind this was generally two-fold:

  • constantly changing passwords would be a moving target that would be harder for the bad guys to hit, and
  • poor or hacked passwords would be pushed from the system quickly.

Of course, the requirement to change your password included the rules that had to be followed. Back in the day – remember, this was the 90’s, the decade of grunge, fanny packs and mullets – this was typically along the lines of 8 character minimum, include a least one uppercase letter, at least one lowercase letter, and a digit (0-9) and/or a punctuation point – and you’re not allowed to reuse a password within a 12 month window.

What an awesome plan!

Actually, it’s not such a bad idea, but the result ends up being like so many of the best laid plans of mice and men…

Patterns get us into trouble.

The problem – discovered after these past couple of decades – isn’t a technology problem. As often happens, it’s a problem of human nature. A recent study by KoreLogic shows that the requirements to change our passwords in this way results in people defaulting to patterns. And the patterns are known to bad guys who can then exploit then for personal gain and profit.

To see how this works, we’ll start by pointing out that humans are amazing creatures that will do anything to make things easy for themselves. This drives innovation (e.g. the wheel!), but it also leads to bad habits – at least as far as password security is concerned.

Given the password rules given above, let’s say you entered password August1! as your password at the beginning of the month. It’s easy to remember and it meets all the rules – high five to you! But, within that one password, we see several patterns at play:

  • we tend to use capital letters at the beginning of words/strings (blame elementary school for this)
  • we tend to put numbers and punctuation at the end of strings (again, blame elementary school for this)
  • of the standard 15, or so, punctuation keys on the keyboard, ! and ? are by far the most popular (humans tend to be lazy and not very original)
  • meaningful strings are easier to remember than random strings (think spelling tests in school) e.g. the current month, the name of the company, the word ‘password’, the local sports team…

All of a sudden, instead of having 1.67 x 10^15 possibilities of truly random variables for those 8 spaces, we’ve undercut corporate security by a factor of 6 down to 1.36 x 10^9. In today’s computing terms that’s a huge difference for a hacker: hours instead of weeks or months. And that’s not even going into dictionary attacks for variations of August!

The problem is that bad guys have figured out that lots of people fall into these patterns. As the study revealed so nicely, the number of people falling into identifiable patterns with their passwords is high enough that the bad guys basically don’t even have to try to crack the hard passwords.

THAT’s the problem with changing passwords frequently.

The problem we’re faced with in the media now is that this has been oversimplified to don’t change passwords.

The takeaway – please do change your passwords:

  • after a data breach of a company where you have an account (whether you hear about it publicly, or get contacted by the company itself)
  • whenever you come across an account that has a password that is shorter than 12 characters (yes, use 12 or 15 as the new minimum length) or is just a bad password (Sn00py3? is a good example of a bad password)
  • whenever you feel a change is necessary.

The point is to change to a strong password. A password generator like the one built-in to Sticky Password is great for creating strong passwords and storing them for you, too!