
The first of February was "Change your password" day. Because there are a lot of InfoSec people in the community I would like to ask: is it still a good idea to change the password regularly? Or, put differently, does this still make sense at all?

I am not convinced that changing the password regularly is useful. For sure it makes perfect sense when:

  • The account was hacked
    Check with tools like https://haveibeenpwned.com/
  • The same password is used for more than one service/account
  • A bad password is used (for example: Password1)

I am convinced of the following measures to protect accounts and passwords:

  • Using long and/or complex passwords
  • Using MFA wherever possible
  • Using a password manager

What do you think about this?
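The haveibeenpwned check mentioned above can be automated without ever sending the password itself: the Pwned Passwords range API uses a k-anonymity scheme where only the first five hex characters of the password's SHA-1 hash are sent and the match is made locally. The following is an added example, not code from the thread or from the HIBP project; the range response embedded in it is constructed for offline use, and the counts in it are made up (only the hash of "password" is real).

```python
"""Added example: check a password against the Have I Been Pwned
"Pwned Passwords" range API using its k-anonymity scheme.

Only the 5-character SHA-1 prefix is sent to the server; the server answers
with every known hash suffix sharing that prefix and the comparison happens
on the client. A live lookup is provided, but the tests use the constructed
sample response below so the example runs offline."""
import hashlib
from typing import Optional, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint

# Constructed sample of a range response for prefix 5BAA6. Only the middle
# entry is real: SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
# The breach counts are made up; a count of 0 is what padding entries look like
# when the "Add-Padding: true" header is used, and is treated as "not found".
SAMPLE_RANGE_5BAA6 = """\
1CCBBBE7C1A40B26BFBB5DBFF5B4AC2FFD3:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
2A0C87DF5D2B5B8B3A0F59D6C0F0E1A9A4E:0
"""


def split_hash(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def match_suffix(range_body: str, suffix: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return the breach
    count for `suffix`, or 0 when it is absent or only a padding entry."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            try:
                return int(count.strip())
            except ValueError:
                return 0
    return 0


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live lookup (needs network). Add-Padding makes every response a similar
    size so an observer cannot infer the prefix from the response length."""
    import urllib.request
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_body: Optional[str] = None) -> int:
    """How many times the password appears in known breaches (0 = not found).
    Pass `range_body` to test offline; omit it to query the real API."""
    prefix, suffix = split_hash(password)
    if range_body is None:
        range_body = fetch_range(prefix)
    return match_suffix(range_body, suffix)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", pwned_count(candidate, SAMPLE_RANGE_5BAA6))
```

Because the server only ever sees the prefix, the same lookup can be run as a signup or password-change check without exposing the new password to a third party; a non-zero count is a reason to reject the password, not just to warn.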

Microsoft themselves changed their advice on this in recent years; they said that frequent password changes force people into using shorter passwords, which of course isn't ideal.

When you have some form of 2FA/MFA, I fully believe you should just have a strong and unique password for the account, as your 2FA/MFA is the rotating section that avoids brute force, but requiring a strong password as a "prefix" (almost, for lack of a better way to describe this) helps prevent these attacks.

But if there's no 2FA/MFA then absolutely I'd still rotate; however, I'd be using a password manager to ensure the password has enough entropy to be secure.


> Microsoft themselves changed their advice on this in recent years; they said that frequent password changes force people into using shorter passwords, which of course isn't ideal.
>
> When you have some form of 2FA/MFA, I fully believe you should just have a strong and unique password for the account, as your 2FA/MFA is the rotating section that avoids brute force, but requiring a strong password as a "prefix" (almost, for lack of a better way to describe this) helps prevent these attacks.
>
> But if there's no 2FA/MFA then absolutely I'd still rotate; however, I'd be using a password manager to ensure the password has enough entropy to be secure.

Thanks Michael! Agree: when changing, use a completely different password that is also long and complex.


I was going to post this as a fun Friday question but I think this is the best place to have the conversation: I’d like to know what password manager(s) people are using and why? 🙂


NIST updated their recommendations back in 2020 I believe, and one recommendation was to do away with regular password changes, as this was counterproductive: people made them easier to remember.

https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines/

Password manager wise I started off with LastPass, but with their policy and price changes I switched to Bitwarden ... much better.


I use KeePass. Easy to use and there is an app for mobile phones. But I do no cloud-based synchronization.


> I use KeePass. Easy to use and there is an app for mobile phones. But I do no cloud-based synchronization.

Interesting on that, is it a paid-for feature? Or preference?

For personal use I actually use iCloud Keychain; it's simple, well integrated, and secured within my Apple ID. But all of these solutions raise the question of protecting them…


I think the short password change periods which were used until some time ago are rather useless, because then users get "creative" to avoid complex passwords.

We are now using a yearly password change and, for important systems, additional 2FA authentication.

And regarding password managers… I am using KeePass.


> I use KeePass. Easy to use and there is an app for mobile phones. But I do no cloud-based synchronization.

> Interesting on that, is it a paid-for feature? Or preference?
>
> For personal use I actually use iCloud Keychain; it's simple, well integrated, and secured within my Apple ID. But all of these solutions raise the question of protecting them…

I think there is a chargeable feature for that. But I do not really need it and actually prefer not to use cloud storage for that kind of data.


> I use KeePass. Easy to use and there is an app for mobile phones. But I do no cloud-based synchronization.

> Interesting on that, is it a paid-for feature? Or preference?
>
> For personal use I actually use iCloud Keychain; it's simple, well integrated, and secured within my Apple ID. But all of these solutions raise the question of protecting them…

Apple??? Are you serious? :scream::scream::scream:


Change password day? I have lost track of the days. Hey we should announce a Veeam Legend day!! :) 


> Interesting on that, is it a paid-for feature? Or preference?
>
> For personal use I actually use iCloud Keychain; it's simple, well integrated, and secured within my Apple ID. But all of these solutions raise the question of protecting them…

> Apple??? Are you serious? :scream::scream::scream:


I’m using iCloud Keychain for personal use too LOL


Used to use LastPass, but in transition to KeePassXC.

You only need to remember one password, but this should be a complex password that is easy to remember. If you need help or inspiration for your master password, check https://phoenixnap.com/blog/strong-great-password-ideas and https://www.pcmag.com/how-to/simple-tricks-to-remember-seriously-secure-passwords

You can use the OneDrive Personal Vault (https://support.microsoft.com/en-us/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4) functionality to sync the database across your devices. If you're a fan of Google Drive or something else, you could use VeraCrypt to create an encrypted file that can be mounted as a drive, and sync that file across your devices (https://www.how2shout.com/how-to/how-to-mount-encrypted-veracrypt-or-other-volumes-on-an-android-device.html). For device-to-device sync you can use Resilio Sync (https://www.resilio.com/individuals/), but that's paid software. A free, open-source alternative to this could be https://syncthing.net/
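A master password that is both strong and memorable is usually a random passphrase, and its strength can be stated in bits rather than by feel. The example below is added here and is not from the post or from KeePassXC; it generates a passphrase with the `secrets` module and computes how many words a given word list needs for a target strength. The 32-word list is constructed for the example; the 7776-word figure is the size of a standard diceware/EFF-style list, which is what you would use in practice.

```python
"""Added example: diceware-style passphrase generation and entropy budgeting.

Entropy of a uniformly random choice is log2(choices) per element, so a
passphrase of n words from a list of N words has n * log2(N) bits, and a
character password of length L over an alphabet of A symbols has L * log2(A).
Neither formula applies to passwords a human picks by hand."""
import math
import secrets
from typing import List, Sequence

# Constructed 32-word list for the demonstration (a real list has 7776 words).
DEMO_WORDS: List[str] = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pepper", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr", "bridge", "copper", "desert",
    "engine", "forest", "glacier", "hammer",
]
DICEWARE_LIST_SIZE = 7776  # 6^5 words in a standard diceware list


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Bits of entropy for n uniformly chosen words from a list of that size."""
    return n_words * math.log2(wordlist_size)


def char_password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random character password."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest word count whose passphrase reaches the target strength."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words: Sequence[str], n_words: int, sep: str = "-") -> str:
    """Pick n words with a CSPRNG (secrets), never random.choice, and join them.
    Words may repeat: that keeps every choice independent and the math exact."""
    if n_words < 1 or not words:
        raise ValueError("need at least one word and a non-empty list")
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    for n in (4, 6, 8):
        print(f"{n} diceware words: {passphrase_entropy_bits(n, DICEWARE_LIST_SIZE):.1f} bits")
    print("8 random ASCII-printable chars:",
          f"{char_password_entropy_bits(8, 95):.1f} bits")
    print("words for 80 bits from a diceware list:",
          words_needed(80, DICEWARE_LIST_SIZE))
    print("demo passphrase:", generate_passphrase(DEMO_WORDS, 6))
```

The comparison is the point: six diceware words give about 77.5 bits, which is more than an eight-character fully random password (about 52.6 bits from 95 printable ASCII symbols) and far easier to type into a phone. The figure only holds when the words are drawn by a CSPRNG, which is why the generator uses `secrets` and not `random`.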

 


> Interesting on that, is it a paid-for feature? Or preference?
>
> For personal use I actually use iCloud Keychain; it's simple, well integrated, and secured within my Apple ID. But all of these solutions raise the question of protecting them…

> Apple??? Are you serious? :scream::scream::scream:

> I'm using iCloud Keychain for personal use too LOL

OK :sunglasses: Call it a personal dislike….


You do not need to change your password all the time if you have MFA in place.

  • Note: Having to change your password daily can result in you writing your password down, and this is dangerous. Therefore, when you are fond of changing your password, say every three months, and someone finds an old saved password, it is no longer relevant.

For business purposes, in order to use strong passwords, use password manager(s) such as Pleasant Password and ManageEngine Password Manager.

  • KeePass has had a lot of drawbacks and security flaws lately. It has its pros as well, do not get me wrong.

I would recommend the regular change of passwords to meet best practice recommendations. When you change your password periodically, this prevents cybercriminals from stealing your login credentials via a cyberattack and using them later in the future.
- This will also help mitigate access gained by keystroke loggers.
- Limit breaches to multiple accounts.

I use password generators and I have 2FA enabled for all accounts that allow it. Employ this!!!

Regular change of your password should apply to your access tokens and service accounts as well. Maybe you should research a little about "Group managed service accounts (gMSAs)".


As an alternative to haveibeenpwned there's https://monitor.firefox.com/ too :)


> I use KeePass. Easy to use and there is an app for mobile phones. But I do no cloud-based synchronization.

Why no cloud sync if it is encrypted?
I'm asking because I use it with cloud sync enabled :)


> Interesting on that, is it a paid-for feature? Or preference?
>
> For personal use I actually use iCloud Keychain; it's simple, well integrated, and secured within my Apple ID. But all of these solutions raise the question of protecting them…

> Apple??? Are you serious? :scream::scream::scream:

> I'm using iCloud Keychain for personal use too LOL

> OK :sunglasses: Call it a personal dislike….

Yep! I did have one interesting glitch where the keychain appeared empty, but closing and reopening the Settings app made it appear as normal. It did make me think about the lack of ability to back up the keychain…

But it's a solid keychain: it integrates well with web browsers for password auto-fill, has built-in prompting about reused or breached passwords, has built-in 2FA authentication code generation, and generates strong passwords that don't include ambiguous characters 🙂

Glad I'm not alone on the iCloud Keychain bandwagon @Kseniya!


> Used to use LastPass, but in transition to KeePassXC.
>
> You only need to remember one password, but this should be a complex password that is easy to remember. If you need help or inspiration for your master password, check https://phoenixnap.com/blog/strong-great-password-ideas and https://www.pcmag.com/how-to/simple-tricks-to-remember-seriously-secure-passwords
>
> You can use the OneDrive Personal Vault (https://support.microsoft.com/en-us/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4) functionality to sync the database across your devices. If you're a fan of Google Drive or something else, you could use VeraCrypt to create an encrypted file that can be mounted as a drive, and sync that file across your devices (https://www.how2shout.com/how-to/how-to-mount-encrypted-veracrypt-or-other-volumes-on-an-android-device.html). For device-to-device sync you can use Resilio Sync (https://www.resilio.com/individuals/), but that's paid software. A free, open-source alternative to this could be https://syncthing.net/

 

That was a huge amount of insight, thank you! I'd always be worried about using a "non-native" mechanism to sync my databases, just like I wouldn't use any "non-native" copying of my backups; I would be too worried about corruption. But provided you don't change too many passwords on other devices, I suppose the risk isn't too great.


> I use KeePass. Easy to use and there is an app for mobile phones. But I do no cloud-based synchronization.

> Why no cloud sync if it is encrypted?
> I'm asking because I use it with cloud sync enabled :)

I must confess, I have not yet looked into this in detail. But since I only use two devices actively, I can manage without automatic sync.


> As an alternative to haveibeenpwned there's https://monitor.firefox.com/ too :)

Thanks for this @marcofabbri! Didn’t know it!

