There was a time, not so long ago, when most IT administrators mandated that every password for everything be changed every three months.
In my specific case, I currently have 940 passwords in my password vault. That means I would be changing at least 10 passwords every day. And getting very little else accomplished!
Thankfully, someone took a deep breath and gave some time to actual critical thinking about the whole password life span issue. The conclusion? Unless a password has been breached, or you think it could have been breached, no need to change it for…ever.
That is right. According to the current guidelines by most of the major US government IT overlords, you never need to change a password unless it may have been compromised.
But that answer isn’t quite that simple.
First, there are plenty of old-school IT administrators in the field who refuse to do their own critical thinking, and insist on mandating password changes every X months. Good luck getting these folks to wake up.
Second, this guideline assumes your password habits are healthy. What are healthy password habits?
- Every website and service uses a unique password. No password is used more than once.
- All passwords are strong. “Strong” is defined differently by different standards-setting organizations. But a good generalization is a minimum of 15 characters. A password of 123456789012345 is technically as strong as $g1A7^bY0&qX4%r.
- No password uses a part of your name, address, phone number, social security number, or pet name, or is otherwise guessable.
This is far easier than the old-school rules of:
- At least 1 upper-case letter
- At least 1 lower-case letter
- At least 1 number
- At least 1 special character
- At least 1 drop of unicorn blood
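The three healthy habits above (unique, at least 15 characters, no personal details) can be checked mechanically over a vault export. The script below is an added example, not part of the original post or any password manager's code; the vault contents and personal details are constructed sample data.

```python
import re
from collections import Counter

MIN_LENGTH = 15  # the post's rule of thumb for a strong password


def contains_personal_info(password, item):
    """True if password embeds item, case-insensitively. Items made only of
    digits and separators (phone, SSN) are compared with separators removed."""
    item_digits = re.sub(r"\D", "", item)
    if item_digits and item_digits == re.sub(r"[\s()+-]", "", item):
        return item_digits in re.sub(r"\D", "", password)
    return item.lower() in password.lower()


def audit_vault(vault, personal_info):
    """Return {site: [problems]} for every entry that breaks one of the
    three habits; sites with no problems are left out of the result."""
    uses = Counter(vault.values())  # how many sites share each password
    problems = {}
    for site, password in vault.items():
        issues = []
        if uses[password] > 1:                       # habit 1: unique
            issues.append("reused on %d sites" % uses[password])
        if len(password) < MIN_LENGTH:               # habit 2: long enough
            issues.append("too short (%d < %d)" % (len(password), MIN_LENGTH))
        for item in personal_info:                   # habit 3: not guessable
            if contains_personal_info(password, item):
                issues.append("contains personal info: %s" % item)
        if issues:
            problems[site] = issues
    return problems


# Constructed sample vault export and personal details (not real accounts).
SAMPLE_VAULT = {
    "bank.example": "Correct-Horse-Battery-Staple-42",
    "email.example": "Tr0ub4dor&3",
    "shop.example": "SameOnTwoSites-2024!",
    "forum.example": "SameOnTwoSites-2024!",
    "vet.example": "Rex-555-0100-is-my-dog",
}
SAMPLE_PERSONAL_INFO = ["Rex", "555-0100", "Jane Doe"]

if __name__ == "__main__":
    for site, issues in audit_vault(SAMPLE_VAULT, SAMPLE_PERSONAL_INFO).items():
        print(site, "->", "; ".join(issues))
```

Only length is scored as strength here, matching the post; the audit flags reuse and embedded personal details, which are the two problems a long password alone does not solve.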
But now you have a trove of passwords, each at least 15 characters long, none of which you can remember.
What to do?
Use a password manager to do the remembering for you.
If you are a Mac user, macOS, iOS, iPadOS, and Safari work together to remember and autofill your passwords.
If you are a Windows user, Edge will remember and autofill your passwords.
Brave, Firefox, and Chrome also have their own built-in password managers.
However, my recommendation is to use Bitwarden. Bitwarden is a third-party free/for-fee password manager and multi-factor authentication utility (free for password management, for-fee to access the MFA). It works with almost all browsers, all operating systems, and across all of your devices. So a password created on my iPhone is immediately available on my Chromebook, Windows PC, MacBook, and Android tablet. For less than what you will find in your couch cushions, you can have peace of mind in the password department.
World peace will take a bit more.