Regular password changes have played their part

On January 20, 2010, PC for All celebrated Password Change Day for the first time. “We should change our passwords at least once a year” was the message, and with a shared deadline, users would not forget the chore. Password Change Day got a lot of attention, and the correct date even appears when you google it.

A decade and a year later, the call for regular password changes is outdated. PC for All has instead used January 20 to reach out with broader surveys and security-focused articles. But the label “Password Change Day” has survived. Until now, that is: we are waving it a final goodbye. It simply sent the wrong signal.

For a couple of years now, security experts have been saying that we should not change passwords on a regular basis at all. It is, of course, one thing if you know that you use weak passwords – but if you know that your passwords are strong, there is no reason to keep replacing them every quarter.

Why? Because we are human! That is the opinion of Karl Emil Nikka, IT security trainer at Nikka Systems.

– Yes, unfortunately it is the case that our human brains cannot keep track of an arbitrary number of passwords. If they are also long and deliberately strong, it becomes even more difficult – especially if we have to remember which password belongs to which site or service.

Karl Emil Nikka points out that Password Change Day arose at a time when we, to a greater extent, reused one and the same password for several services. There were also fewer services competing for our attention. But once the passwords were leaked, whether through careless users or outright intrusions, the damage could be great. Therefore, many large organizations and companies began to introduce mandatory password changes on a fixed schedule, for example every ninety days.

– But all that thinking is extinct now. Most large organizations, such as Microsoft and the American NIST (National Institute of Standards and Technology, ed. note), have begun to recommend the opposite, i.e. that we stop periodic password changes, says Karl Emil Nikka.

Instead, we should use strong, unique passwords for each service, he says, and then stick to them unless there is a risk that they have been leaked. Companies often send notifications when they have been breached and urge users to change their login information. Then there are sites like Have I Been Pwned, which keeps track of password leaks associated with your email address.

But what is a strong password? According to Karl Emil Nikka, it should preferably be relatively long and can, for example, consist of four randomly selected words that are completely unrelated to each other. Loose nonsense, he calls it. To make the password routine easier, he recommends a password manager.

– With a password manager, you only need to remember one of all your strong passwords. The rest are stored encrypted inside the password manager’s archive and only need to be entered once – when you register them. After that, they are filled in automatically on all devices where you unlock the password manager’s archive.

Although Karl Emil Nikka and the IT security industry in general now oppose periodic password changes, passwords themselves will remain for the foreseeable future, he says.

– On the other hand, Microsoft, Google and others are working on alternatives to traditional passwords. One challenge right now is that we have too many possible ways forward. It quickly becomes confusing if sites and services start using different login methods. WebAuthn is an example of a global standard that now works in all major browsers. Time will tell which method will dominate going forward.

What is your most important password tip?
– Make sure you have the strongest possible protection for your most important services. E-mail, for example: if someone manages to get into your e-mail inbox, it is checkmate – it can be used to reset passwords for other services. Long, unique passwords are best – and you should not feel the need to change them when you are confident in them.

Stop changing passwords – do this instead

Although the name “Password Change Day” belongs in the IT word cemetery, it is still a good idea to review your login routines at least once a year. Replace any obviously weak passwords that are still lying around, turn on two-step verification and double-check that none of your passwords have been leaked since last time!

With a password manager you only need to remember one of your complicated, unique passwords. Two popular options are 1Password and LastPass – you will find more in this article.

Long passwords consisting of words that have nothing to do with each other are a good alternative. A bonus is that the phrases become so quirky that they are easy to remember.
For example:
BävernApelsinPistolFixar
MikradMammutGreet the Sun.
OrchidKrossarFrusenGitarr
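As an added example (not from the article or from Nikka Systems), here is a small Python generator for the four-random-word pattern above: it draws the words with a cryptographically secure random source, joins them in the CapitalisedWords style of the examples, and reports how many bits of entropy a given word-list size yields. The word list is constructed for demonstration only; the strength comes from the list size and the random draw, not from the words themselves, which is why a real generator would use a large public list such as the EFF long list (7776 words).

```python
import math
import secrets

# Constructed demonstration word list (20 words). A real generator should draw
# from a large, public list; the words are assumed public, so only the size of
# the list and the randomness of the draw contribute to strength.
DEMO_WORDS = [
    "bäver", "apelsin", "pistol", "fixar", "mikrad", "mammut", "orkidé",
    "krossar", "frusen", "gitarr", "lykta", "moln", "kanot", "tavla",
    "salt", "regn", "stege", "vante", "ugn", "äng",
]

# secrets.SystemRandom is backed by the OS CSPRNG; random.choice is not suitable.
_rng = secrets.SystemRandom()


def pick_words(words=DEMO_WORDS, count=4):
    """Sample `count` distinct words uniformly, without replacement."""
    if count > len(words):
        raise ValueError("word list too small for the requested word count")
    return _rng.sample(words, count)


def join_words(chosen, sep=""):
    """Join words in the CapitalisedWords style used by the article's examples."""
    return sep.join(w.capitalize() for w in chosen)


def generate_passphrase(words=DEMO_WORDS, count=4, sep=""):
    """Return a passphrase of `count` unrelated words, e.g. BäverApelsinPistolFixar."""
    return join_words(pick_words(words, count), sep)


def passphrase_entropy_bits(list_size, count=4, distinct=True):
    """Entropy in bits of `count` words drawn uniformly from `list_size` words.

    With replacement the space is N^k; without replacement it is N!/(N-k)!,
    which is slightly smaller because repeated words are excluded.
    """
    if distinct:
        return sum(math.log2(list_size - i) for i in range(count))
    return count * math.log2(list_size)


if __name__ == "__main__":
    print(generate_passphrase())
    print(f"demo list: {passphrase_entropy_bits(len(DEMO_WORDS)):.1f} bits")
    print(f"7776-word list: {passphrase_entropy_bits(7776):.1f} bits")
```

Four words from the 20-word demo list give under 17 bits, which is far too little; the same pattern over a 7776-word list gives roughly 52 bits, which is why the list size matters more than the words chosen.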

Pay attention to messages from companies and services saying that your password may have been leaked in an intrusion. Then you have every reason in the world to change it! Alternatively, you can use a site like Have I Been Pwned to see which services your email address (and your password) have leaked from.

Use two-step verification wherever possible. More and more services offer it, and you can usually find it under the heading “security” in the site’s or service’s settings menu. With that extra step, you may, for example, need to enter a one-time code you receive via SMS when you log in from a new device.

Skip regular changes. If you have stable passwords that have not been leaked, there is no reason to change them. It steals time and energy while making it easy to lose track of all the new logins.