It’s been a few years (since 2019) since Microsoft came out with its recommendation that periodic mandatory password changes are obsolete, and yet this remains a controversial topic.
The problem with regular password changes is less about technology and more about human nature. When users are prompted — or, in some cases, required — to change passwords regularly, one of two things (sometimes both) happens:
They hardly change them at all. A password like “Mycr0sawft#1” becomes “Mycr0sawft#2,” a predictable modification that anyone who has obtained the original can guess almost immediately.
They keep them simple. The more frequently a password needs to be changed, the more likely a user is to keep it simple so that it’s easier to remember. Passwords that never change, on the other hand, tend to be longer and more complicated.
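The first failure mode above (a counter bumped from #1 to #2) is one a defender can check for at password-change time. The following is an added example, not code from the original post or from any product it mentions: a small Python checker that strips the leading/trailing counter, undoes common leet substitutions, and then compares the new password with the previous one (substring, reversal, and a difflib similarity ratio). The similarity threshold of 0.8 and the leet table are assumptions chosen for illustration; in a real deployment the check runs on the plaintext only inside the change flow, against the user's current password, and never against a stored plaintext history.

```python
import re
from difflib import SequenceMatcher

# Common leet substitutions, undone so that "Mycr0sawft" and "Mycrosawft" compare equal.
# Only applied after counters have been stripped (see core()); otherwise a trailing
# "1" would become an "i" and survive the strip. The table is an assumption.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Lower-case, undo leet substitutions, drop anything that is not a-z0-9."""
    return re.sub(r"[^a-z0-9]", "", pw.lower().translate(LEET))


def core(pw: str) -> str:
    """The part a user actually remembers: strip the leading and trailing run of
    digits and punctuation (where incremented counters and '!' live), then normalize."""
    return normalize(re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw))


def is_trivial_change(old: str, new: str, threshold: float = 0.8) -> tuple[bool, str]:
    """Return (rejected, reason): reject new passwords that are predictable
    transformations of the old one. The 0.8 similarity threshold is an assumption."""
    if new == old:
        return True, "identical to the previous password"
    if core(old) and core(old) == core(new):
        return True, "only a counter, symbol or capitalisation changed"
    a, b = normalize(old), normalize(new)
    if not a or not b:
        return False, "ok"
    if a in b or b in a:
        return True, "previous password is contained in the new one (or vice versa)"
    if a == b[::-1]:
        return True, "new password is the previous one reversed"
    ratio = SequenceMatcher(None, a, b).ratio()
    if ratio >= threshold:
        return True, f"too similar to the previous password (ratio {ratio:.2f})"
    return False, "ok"


if __name__ == "__main__":
    # Constructed sample pairs illustrating the point in the text.
    for old, new in [("Mycr0sawft#1", "Mycr0sawft#2"),
                     ("Summer2023!", "Summer2024!"),
                     ("Mycr0sawft", "tfwas0rcyM"),
                     ("Mycr0sawft#1", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {is_trivial_change(old, new)}")
```

A check like this does not replace the advice that follows (long generated passwords plus a second factor); it only stops the specific "same password, next number" habit that forced rotation encourages.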
We agree with Microsoft’s position, coupled with the following recommendations:
#1. Use a very complicated password in combination with a commercial password manager, such as RoboForm. RoboForm includes a password generator, so you don’t have to think of the password yourself. It then saves the password for you, so you don’t have to remember it.
Further, tools such as RoboForm allow you to securely store your passwords in the cloud, allowing you to easily access them from multiple devices (computer, phone, tablet, etc.).
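To make concrete what "very complicated" buys you, here is an added example (not RoboForm's code or anything from the original post) of how a password generator should be built: characters drawn with the operating system CSPRNG via Python's `secrets` module rather than `random`, rejection sampling so that every character class is present without biasing the result, and a helper that puts a number on the strength. The symbol set and the 20-character default are assumptions.

```python
import math
import secrets
import string

# Character classes the generated password must cover at least once each (assumed policy).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}
ALPHABET = "".join(CLASSES.values())  # 26 + 26 + 10 + 23 = 85 characters


def covers_all_classes(pw: str) -> bool:
    """True if pw contains at least one character from every class."""
    return all(any(ch in chars for ch in pw) for chars in CLASSES.values())


def generate_password(length: int = 20) -> str:
    """Draw every character uniformly from ALPHABET using the CSPRNG behind `secrets`
    (never `random`, whose output is predictable) and resample until every class is
    present. Rejection sampling keeps the output uniform over all policy-conforming
    passwords, unlike the common 'pick one of each class, then shuffle' approach."""
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)}")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if covers_all_classes(pw):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random password: length * log2(alphabet size).
    Slightly overstates it for the class-filtered output, which is fine for comparison."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("generated:", generate_password())
    print(f"8 lowercase letters: {entropy_bits(8, 26):.1f} bits")   # the 'simple' password
    print(f"20 chars, 85-symbol alphabet: {entropy_bits(20):.1f} bits")
```

The two entropy figures are the point: an 8-letter password a user can remember through frequent rotations is under 40 bits, while a 20-character generated one that the manager remembers for them is about 128 bits, which is why a manager-stored password that never rotates beats a memorised one that rotates every 90 days.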
#2. Enable two-factor authentication. Even if a bad actor obtains your password, this additional layer of protection significantly limits their ability to gain access. All critical applications, such as banking, email, and social media, support two-factor authentication.
#3. In the event of a breach, absolutely change passwords immediately. Otherwise, there is no need, and the costs of forced rotation can outweigh the benefits!