Should You Force Users To Change Passwords Periodically?


Online sites and databases that require passwords are imposing increasingly strict complexity rules so that the passwords users choose aren't easy to crack. On its own, though, that doesn't stop passwords from being compromised, so companies have started using additional tactics to protect accounts and identities. One of those tactics is to make users change their passwords every few months, whether they want to or not. This has one significant advantage, but it also has drawbacks that work against that advantage.

It May Not Result in the Security You'd Hoped For

When people are required to change a password, they should pick a genuinely new one, but they don't always do that. It's common for people to choose a small variation on the password they're replacing, or to bring back a password from a few years ago. Some people use password managers, but others prefer to feel in control of their online life and keep memorizing a password for each site they use.

Unfortunately, a variation on the current password is easy to guess for anyone who already has the old one. Reusing an old password raises the risk of choosing one that was compromised at some point in the past. Even if that old password was never used on this particular site, once it has leaked it's out there, and attackers may try it simply to see if they get lucky.
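The two failure modes above (a new password that is only a cosmetic variation of the old one, and a new password that already appears in a breach) can both be caught at change time, when the user supplies the old and new password together. The following is an added example, not code from this post: a small policy check that normalizes common "change" tricks (suffix years, leet substitutions, appended characters), measures edit distance against the current password, rejects exact reuse of earlier passwords by digest, and refuses anything found in a compromised-password list. The breach list is a constructed sample of four entries, and the password history uses SHA-256 for brevity; a real deployment would compare against the same slow password hash it stores and would query a breach-list service rather than a local set.

```python
import hashlib
import re
import unicodedata

# Constructed sample of known-compromised passwords (not a real breach corpus).
# Only SHA-1 digests are kept, which is how breach lists are typically consumed.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Password123", "Summer2019!", "letmein", "qwerty")
}

# Single-character substitutions people commonly use to "change" a password.
# Heuristic: "1" is mapped to "i" although it is sometimes meant as "l".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Reduce a password to its core so trivial variants compare equal.
    Winter2023! -> winter, P@ssw0rd -> password, Password1 -> password."""
    core = unicodedata.normalize("NFKC", pw).lower()
    # Strip leading/trailing digits and punctuation before undoing leet-speak,
    # so a trailing year is dropped rather than half-translated.
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", core)
    return core.translate(LEET)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is something an attacker holding `old` would guess quickly."""
    if new == old:
        return True
    old_core, new_core = normalize(old), normalize(new)
    if old_core and old_core == new_core:
        return True                      # same word, different year/suffix/leet
    o, n = old.lower(), new.lower()
    if levenshtein(o, n) <= max_edits:
        return True                      # one or two characters changed
    if len(o) >= 4 and (o in n or n in o):
        return True                      # old password with something appended/trimmed
    if n == o[::-1]:
        return True                      # reversed
    return False


def is_compromised(pw: str) -> bool:
    """Exact-match lookup against the (sample) breach list."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper() in COMPROMISED_SHA1


def check_change(old: str, new: str, history_sha256: set) -> tuple:
    """Decide whether a password change is acceptable.

    `old` is the current password as typed by the user during the change flow;
    `history_sha256` holds digests of this account's earlier passwords (constructed
    here with SHA-256; production code would reuse its stored password hash)."""
    if is_compromised(new):
        return False, "new password appears in a known breach list"
    if is_trivial_variation(old, new):
        return False, "new password is a trivial variation of the current one"
    if hashlib.sha256(new.encode("utf-8")).hexdigest() in history_sha256:
        return False, "new password was used before on this account"
    return True, "accepted"


if __name__ == "__main__":
    history = {hashlib.sha256(b"Autumn2017!").hexdigest()}
    for candidate in ("Winter2024!", "Summer2019!", "Autumn2017!", "correct horse battery staple"):
        print(candidate, "->", check_change("Winter2023!", candidate, history))
```

Ordering matters here: the breach-list check runs first because a leaked password is the worst outcome regardless of how different it looks from the old one, and the similarity check only needs the one plaintext the server legitimately has at that moment, the old password the user just typed.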

Plus, changing the password every few months is no guarantee against problems. Someone's identity could still be compromised. The odds may be lower, yes, but they don't go away, so you shouldn't rely on this tactic as the only one you need once people have set their passwords. Two-factor authentication and other measures are also necessary.

It Can Potentially Eliminate Compromised Passwords

The advantage of changing passwords regularly, however, is that passwords are sometimes compromised without the person knowing: the breach hasn't been disclosed yet, or it hasn't even been discovered. A forced change gets rid of the compromised password anyway, cutting the problem off early even though the user had no idea anything was wrong.

You may want to discuss password changes with an online identity management service to see what they advise. They may also have additional tactics you can use to protect users' identities.