
Should You Regularly Change Your Password

October 25, 2016 by Boost IT

How to Create a Strong Password

Changing your password might not be providing as much security as experts once thought. Hackers regularly try to get at your company's data, both for financial information and for identity theft. Requiring your employees to use strong passwords makes it harder for them to break into your accounts. But how often you require employees to change those passwords may actually be hurting your security.

The evidence suggests it is time to rethink mandatory password changes.

Avoid a Change that is Less Secure.

Changing passwords frequently could be making your system less secure. There is a lot of evidence that people who are forced to change passwords on a frequent basis, such as every three to six months, choose weaker ones. The problem, according to FTC Chief Technologist and Carnegie Mellon computer science professor Lorrie Cranor, is that when people have to change their password frequently they become predictable. It's like clockwork. They don't put much thought into it; instead, their transformations are simple and methodical. They might increase a number. They might change a letter to a symbol that looks similar, such as an S to a $. They might add or delete a special character. Or they might switch the order of digits or special characters, such as moving the numbers to the beginning instead of the end.

If this sounds like what you do, you are not alone. You want a password that you can remember. The trouble is that attackers know these patterns too, so the "new" password is often only a few guesses away from the old one. An attacker who obtains a copy of the hashed password file can mount an offline attack, testing enormous numbers of guesses against the hashes without ever touching your login page, so a lockout policy does nothing to slow them down. And if they already know a user's old password from an earlier breach, they don't have to try every possible combination; they try the handful of predictable transformations first. So how does a scheduled change deter them?
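To see why those transformations are no defense, here is an added example, written for this post rather than taken from Boost IT's tooling, that plays the attacker's side. Given a password recovered from an earlier leak and the stored hash of the user's replacement, it applies the four transformations described above (increment a number, swap a letter for a look-alike symbol, add or drop a special character, move the digits to the front) in up to two rounds and checks each variant against the hash. The passwords and the unsalted SHA-256 hash are constructed for illustration; the rule functions and their names are this example's own.

```python
import hashlib
import re

# Constructed example data (not from any real breach): the password an
# attacker already knows from an earlier leak. The "new" password hashed in
# the demo at the bottom is the same user's pick at the next forced change.
KNOWN_OLD_PASSWORD = "Summer2016!"

# Look-alike symbol swaps users make to satisfy "must contain a symbol".
LEET = {"a": "@", "A": "@", "e": "3", "E": "3", "i": "1", "I": "1",
        "o": "0", "O": "0", "s": "$", "S": "$"}
SPECIALS = "!@#$%^&*"


def increment_numbers(pw):
    """Bump each run of digits by 1..5, keeping its width (2016 -> 2017..2021)."""
    out = set()
    for m in re.finditer(r"\d+", pw):
        for k in range(1, 6):
            bumped = str(int(m.group()) + k).zfill(len(m.group()))
            out.add(pw[:m.start()] + bumped + pw[m.end():])
    return out


def leet_substitutions(pw):
    """Swap one letter for a look-alike symbol (S -> $, a -> @, o -> 0, ...)."""
    return {pw[:i] + LEET[ch] + pw[i + 1:]
            for i, ch in enumerate(pw) if ch in LEET}


def toggle_special(pw):
    """Append a special character, or drop a trailing one if present."""
    out = {pw + s for s in SPECIALS}
    if pw and pw[-1] in SPECIALS:
        out.add(pw[:-1])
    return out


def move_digits_to_front(pw):
    """Move a trailing digit run (keeping any trailing symbols) to the front."""
    m = re.match(r"^(.*?)(\d+)(\W*)$", pw)
    if not m:
        return set()
    word, digits, tail = m.groups()
    return {digits + word + tail, digits + tail + word}


RULES = [increment_numbers, leet_substitutions, toggle_special,
         move_digits_to_front]


def candidates(old_password, rounds=2):
    """Apply the rules up to `rounds` times in sequence, the way a cracker's
    rule set does, and return every distinct variant (excluding the original)."""
    frontier = {old_password}
    seen = set()
    for _ in range(rounds):
        nxt = set()
        for pw in frontier:
            for rule in RULES:
                nxt |= rule(pw)
        nxt -= seen | {old_password}
        seen |= nxt
        frontier = nxt
    return seen


def sha256_hex(pw):
    # Unsalted SHA-256 keeps the example self-contained. A slow, salted hash
    # (bcrypt, scrypt, Argon2) multiplies the attacker's cost per guess by a
    # constant, but a few hundred guesses stay cheap either way.
    return hashlib.sha256(pw.encode()).hexdigest()


def crack_with_old_password(stored_hash, old_password):
    """Offline attack: hash each predictable variant of the known old password
    and compare it with the stored hash. Returns the recovered password or None."""
    for guess in sorted(candidates(old_password)):
        if sha256_hex(guess) == stored_hash:
            return guess
    return None


if __name__ == "__main__":
    # The user "changed" Summer2016! to $ummer2017!: one increment plus one
    # look-alike swap, which the two-round rule set reaches in a few hundred guesses.
    stored = sha256_hex("$ummer2017!")
    pool = candidates(KNOWN_OLD_PASSWORD)
    print(f"{len(pool)} candidates derived from {KNOWN_OLD_PASSWORD!r}")
    print("recovered:", crack_with_old_password(stored, KNOWN_OLD_PASSWORD))
```

The whole candidate pool is a few hundred strings, so even a slow password hash would not save this user; real cracking tools ship rule files with far more transformations than these four. The only thing that breaks the attack is a replacement password that does not derive from the old one, which is the point of the next section.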

Choose Strength Over Frequency.

If the password is strong to begin with, some experts wonder why it should have to change every 60 to 90 days. Your goal should be to get the strongest possible passwords rather than to worry about the time between changes. When changes are required less often, people are less frustrated by the constant churn and are more likely to put thought into a stronger password.

There are still good reasons to change passwords. According to the Federal Trade Commission, a company should do its own assessment of its security and determine whether there is a need to change passwords and how often. Mandated changes remain a legitimate practice for periodically locking out unauthorized users who have learned a password. If you have reason to suspect someone has gotten hold of your employees' passwords, as with the recent Yahoo breach, change them immediately. If you think your employees have weak passwords, have them change those too.

Assess the need and emphasize strength. Consider revising your password policy so that it encourages stronger, longer passwords, limits failed login attempts, and requires multi-factor authentication, especially if your organization maintains sensitive data.

Also realize that if an attacker already has a password, they can often guess the replacement fairly easily, especially if it follows a predictable pattern. And if they have already been inside a user's account, they may keep their access through software that spies on the user, such as a keylogger or other malware installed while they were in. A password reset alone does not evict them, so you will need to look closely at your security.

Boost IT can help you assess your security and improve your employee’s password strength. For more information, contact us at 404-865-1289 or info@boostitco.com.

Filed Under: Cyber Security Tagged With: change your password, Hackers, mandatory password changes
