Never Change Your Password

I’m going to set off all your smoke alarms when I make this fiery statement: Never change your password. Before you call the fire department, consider these three crucial provisos. Never change your password…

1. If it’s sufficiently strong
2. If you created a unique one for each account
3. Unless there’s a security breach where it’s stored

Passwords do not age. They do not sour, spoil, or go stale. Yet some organizations want to convince us that your passwords become increasingly susceptible to attack over time. Just yesterday, I logged into my T-Mobile account and was told my password was old and should be changed. Fortunately, the carrier included a Skip button—which wasn’t always the case.

The reason to change a password should relate to an active problem: someone has stolen your password, it’s so weak that someone will crack it any moment now, or you’re notified of a password leak. Otherwise, there’s no reason ever to bother.

Where did this idea of passwords having an expiration date originate, and why is it wrong? To find out, let’s delve into what’s behind each of those three provisos.

Proviso #1 Background: Very Old Passwords Were Too Weak

It was only in 1960 that computing systems began to require passwords. For 40 years, they remained weak and crackable, often with only modest effort. You often weren’t even allowed to create a password longer than 8 characters. This was considered not just an acceptable level of security, but the only necessary level of security. For much of that time, you could even use a dictionary word or words or all letters—no punctuation, mixed case, or numerals required.

Once networks interconnected, even before the Internet existed, password theft became a problem. In the early days, you could just print out a file that contained the passwords in plain text. (The first admitted theft was in 1962!) As passwords became better protected within operating systems, weak, guessable passwords remained a liability. System administrators began issuing password guidance and enforcing it. That’s where the now-familiar demands for complexity and regular rotation originated.

As recently as 2004, the National Institute of Standards and Technology produced a report that recommended complexity in password composition rules in part because password length was so short. The ability to crack a password becomes nearly exponentially more difficult the longer it is. Increasing complexity (the randomness of characters chosen) doesn’t increase the cracking difficulty as easily as simply making a longer password.

Some sites still allow 8-character passwords, but my anecdotal experience is that most want something longer, like 10 or even 12 characters. The shortest secure password resistant to modern cracking is a minimum of 12 characters if it’s randomly generated from nearly all typeable symbols and at least 20 if it is composed of randomly selected words. Passwords that meet those limits have sufficient resistance to brute-force cracking that they should last well beyond your lifetime or cost a cracker far more than your specific password could be worth—perhaps tens of billions of dollars, by one estimate. Substantial breakthroughs in certain forms of computation would be required to render those passwords weak enough to break. (Astonishingly, Microsoft still recommends a minimum password length of 8 characters in its Windows 10 administrator guidance and doesn’t allow policies to require one longer than 14.)

In an era of weak passwords, a high level of entropy—the amount of measurable randomness in the password text—coupled with regular replacement reduced the odds someone would have sufficient time and processing power to crack your password using what was often an easily purloined password file or database table. (I first had a password file stolen in 1994 due to a Unix exploit.)

If your password is sufficiently strong, as required by Proviso #1 above, there’s no reason to change it. If, on the other hand, you’re still rocking a password under 12 random characters, yes, you should change it to something much stronger. But you only have to do that once. There may never be a reason to replace it.

How can you tell if your password is weak? Apple will tell you, via iOS/iPadOS in Settings > Passwords, Safari in Safari > Preferences > Passwords, and macOS 12 Monterey in System Preferences > Passwords. 1Password, LastPass, and other password managers offer similar insights.

Proviso #2 Background: Passwords Were Often Reused

For many years, it was also acceptable to create one strong password and use it across all your important accounts. While that password may have been hard to type and difficult to memorize, regular use helped you surmount those problems. This was the ultimate instance of putting all your eggs in one basket. Security experts quite rightly saw this approach as a serious vulnerability. I suspect that some password change requirements came about because sysadmins understood that if your password was broken or leaked somewhere else, it could also allow access to their systems. That wasn’t excessive caution—breaches happened regularly, including for accounts with deep system privileges. Forcing a replacement was a misguided way to try to stay ahead of crackers, the assumption being that older passwords were more likely to be discovered and cracked elsewhere.

Because we now have easy access to password managers—including Apple’s built-in option in iOS, iPadOS, and macOS that can be synced across iCloud in a highly secure manner—there’s absolutely no excuse to use the same password twice, per Proviso #2. Memorize your device passwords or, with 1Password and other password managers, your vault or storage password. Never use those passwords elsewhere. And you’re golden.

If you’re not sure whether or not you have used a password at multiple sites, check your password manager. Apple’s Passwords shows Reused under Security Recommendations for any password with multiple entries. 1Password’s Watchtower section, shown below, has a Reused Passwords category that lists the same. LastPass has a similar feature in its Security Dashboard.

Password managers must still deal with the vagaries of websites that require passwords to contain at least one number, a piece of punctuation from a permissible list, and an eye of newt. The last item might be a joke. (These policies are designed to ensure the most cracking-resistant password if a user chooses to enter one of only the minimum length.) But at least you can use the password manager to generate the best strong password under the circumstances.

You should still use a password manager to create passwords even when there are no complexity policies in play. Apple discontinued a feature in Keychain Access’s Password Assistant to create “memorable” passwords that contained words. 1Password recommends a passphrase of four or five words, depending on your circumstances, to achieve the necessary robustness.

Proviso #3 Background: In the Security World, Life’s a Breach

Once you have updated to robust, unique passwords across all your accounts, you never need to change those passwords again unless, per Proviso #3, you learn that a particular site or service has suffered a breach. The best way to learn this is by signing up for the free notification service at Have I Been Pwnd?, a site devoted to disseminating information about account and password breaches in a responsible fashion. You can also check your password manager, as most now license the Have I Been Pwned? database. Apple shows Compromised in its passwords list across operating systems, noting:

This password has appeared in a data leak, which puts this account at high risk of compromise.

Despite Apple’s extreme language, you probably don’t need to change your password even then—assuming, again, it’s strong and unique—but it’s better to be safe than sorry. Plus, you may have no choice: the site might force you to change it by resetting all passwords for all users.

An attacker can discover passwords in two primary ways: research and cracking. With research and manipulation, an attacker can extract secrets about you through social engineering (fooling a customer-service representative), phishing your password from you, or poring over credit reports and available online data.

You can guard against personal social engineering and phishing by never giving out your password in any circumstance other than when you initiate a visit to a Web site or open an app and can verify it’s the site or app you intended. And you can protect your personal facts by replacing them with random words when creating answers to account security questions. Instead of my mother’s maiden name, I generate a random word in my password manager and use that, storing it with a label so I can recall it when asked. The goal is to ensure that the answers to your security questions are also unique across all your accounts. (If you have to read the secret aloud to a customer service rep, it may sound strange, but that’s the price of security.)

The other method attackers use is cracking passwords, trying to match a password by testing every possible value, starting with the shortest and most likely guesses. Those guesses might incorporate socially engineered and researched information about you in particular or a mass of users at a given website.

Crackers used to be able to run unlimited password guessing attempts at many website login pages. It took shockingly long for companies to build in throttles and timeouts to disable such attacks. Nowadays, only targeted knowledge that doesn’t exceed a maximum number of failed attempts may work, and two-factor authentication stops that method cold. Crackers don’t bother with such attacks anymore unless they find unthrottled login pages.

Instead, they focus their attention on cracking passwords stolen from servers. In those cases, you’re forced to rely on the security and deployment expertise of the company that maintains your account information. Almost all the time, these passwords are encrypted and can be broken only by brute force. Sadly, that’s not always the case: as recently as November 2021, a large-scale breach at GoDaddy revealed SFTP passwords still stored as plain text.

Sites should never store passwords as plain text, but they also can’t use simple encryption, where a static encryption key protects all password data. Instead, sites almost always store each password as the unique outcome of a cryptographic operation called a hash. The hash can’t be guessed from the input, so two slightly different passwords produce vastly different hashes. Best practices for modern password storage also include adding random characters (called a salt) to a password before hashing to prevent an attacker from cracking a password used identically with multiple accounts at once. (If two people chose “adam-slurps-soup-soulfully” as their password, the hashing operation would produce the same hash. If you add “Az” and “8J” to the front of that password before hashing, the two resulting hashes would be completely and unpredictably different.)

The only way to figure out a password with no special knowledge of the user is to feed every possible combination through the same hashing algorithm and test against the stored value. Because these algorithms are computationally “expensive” (slow) to run, it can take a lot of time (and therefore money), even when throwing a lot of GPU or cloud processing power at it.

In cases where breached passwords were salted and used sufficiently powerful modern hashing algorithms, I’m unaware of any reports of accounts being compromised. Add good two-factor authentication to the account, and exploitation becomes nearly impossible.

All that said, when you’re notified of a breach that may have revealed your login credentials, change the affected site’s password anyway: it’s only one, and you don’t know how good the site’s internal security design was.

What Should You Do?

Here’s a simple checklist of improvements you can make to keep your passwords forever secret:

• If you aren’t already, start using a password manager.
• Use the password manager to generate strong, unique passwords for every account.
• Review old accounts that contain personal, proprietary, or financial information and update their passwords using the password manager.
• Never share personal facts, like your pet’s name, when required. Instead, replace a real fact with random text that you store in your password manager for later access.
• Enable two-factor authentication wherever available.

Finally, to return to the point of this article: Don’t change a website’s password purely because you’re asked to. Only feel compelled to change it if it’s weak, if it was used on other sites, or if a breach has occurred. And, if some site forces you to change your password, generate a new one that’s strong and unique using your password manager.