How Often Should You Change Your Password? Research Shows It's Not As Often As You'd Think
Common wisdom holds that we're supposed to change computer passwords regularly, or else hackers may discover we've been alternating between the same two phrases since we were 12 and steal our identity (or discover how much we spend on Seamless every month). On the other hand, common wisdom is rarely accurate — so how often are you supposed to change your password in real life? According to a study by the University of North Carolina at Chapel Hill, the answer might not be as often as you think.
Researchers analyzed the passwords of more than 7,700 now-defunct accounts at UNC, which regularly requires users to create new passwords. Many forms of technology utilize this practice; the logic is that if you change your password frequently, anyone who gets unauthorized access to an account won't be able to maintain it for long unless they change the password themselves. In theory, expiring passwords make sense, but as researchers pointed out in their study, the practice is less effective when put to use, largely because people are super lazy.
According to the study, people don't change their passwords much when they expire. Instead, they "transform" them in small ways — enough to get past the security protocols, but not so much that a hacker couldn't figure out the new password with relative ease. For instance, someone might change a password from "Name1" to "Name2," then later to "Name3," and so on.
Needless to say, this rather defeats the purpose of changing a password in the first place. "Even our relatively modest study suggests that at least 41 percent of passwords can be broken offline from previous passwords for the same accounts in a matter of seconds, and five online password guesses in expectation suffices to break 17 percent of accounts," researchers concluded.
The study authors go on to suggest doing away with password expiration altogether, and they're not the only ones. In 2012, Lifehacker pointed out that many hackers today have hardware and software dedicated to cracking passwords, and they're probably going to take action as soon as they break into an account. While it's still important to change your passwords immediately after discovering a security breach, it's unlikely that changing your passwords every month is going to help much.
Instead, the consensus appears to be that users should be encouraged to create strong passwords that are more difficult to break in the first place. In fact, Perfect Passwords author Mark Burnett told Wired that he recommended changing a good password no more than every six months to a year.
So, to recap: Research suggests that changing your password every few months isn't helpful, and some say you can go as long as a year without having to memorize a new string of random letters and symbols. O happy day!