Changing Your Password: Why This Good Security Practice Is Worth the Effort

Discover how this underappreciated security process stops hackers in their tracks.

 


Coming up with a good password is hard.

First, the password should have more than eight characters. Those characters should include uppercase and lowercase letters alongside numbers and special characters. Every new level of complexity adds to the amount of time it would take a hacker to break into the system.

Second, the password shouldn’t include dictionary words. Whenever a data breach occurs, enterprising hackers apply statistical analysis techniques to find out which words are commonly used among the general population. So when hackers broke into 3 billion Yahoo! accounts, they got more than a bunch of email addresses—they got ammunition for the next generation of password crackers.

Third, the password should avoid repetitive or ordinal phrasing. That means that adding “$$$” or “123” presents no obstacle whatsoever to today’s enterprising hackers. An effective password cracker can identify structural regularities in a password and use those to home in on the right sequence of characters.

How to solve the hardest challenge of good passwords

But the fourth element of a good password is the hardest to reconcile: it must be easy to remember. Coming up with a pseudo-random sequence of more than eight letters, numbers, and special characters is hard enough—now, you have to remember that sequence every time the system asks for it. 

This is the challenge that IT users across the world face in regular 90-day increments. While it is difficult, there is no better way to protect IT infrastructure from attack, and there are easy ways to generate and remember good passwords in seconds.

Why Change a Good Password?

Why change your password once you have already gone through the trouble of committing it to memory? If brute-force attacks were the only way hackers could enter a system, you wouldn’t have to.

But hackers have numerous ways of obtaining access to information they shouldn’t have. Social engineering attacks can get past even the toughest passwords—if someone successfully impersonates a chief executive, they will probably be able to get their hands on some important passwords without too much trouble.

If you never change your password, then that hacker will have unlimited access to your organisation’s IT infrastructure without having to risk any further exposure. This lets the hacker move undetected through systems and departments with impunity.

Why don’t companies update passwords more often?

This is one of the main reasons why organisations take almost 200 days to identify data breaches. Often, nobody knows something is wrong until it’s too late.

That period of time is critical. Many knowledge workers assume that data breaches are sudden emergencies – like fires, earthquakes, and tornadoes. They are, in fact, disasters of a completely different kind. They churn slowly over time, as the attacker pilfers more and more data over the course of weeks or months.

Password changes protect systems against undetected attacks. Mistakes happen at all levels of the security infrastructure. If one of your passwords is compromised, changing password credentials can prevent an attack that would otherwise go completely unnoticed.


How Password Changes Work

There is no such thing as perfect security. Cybercriminals work tirelessly to meet every advance made in the security industry with new and innovative ways to steal valuable data.

Password changes address one of the key weaknesses in today’s technology environment: what happens when a password gets compromised?

This can happen for any number of reasons. Sometimes employees have to share passwords with one another. Sometimes they write passwords down. Sometimes hackers simply get a lucky break and defeat a good password on their own – these things happen.

Developing a comprehensive security policy

A comprehensive security policy needs to address this risk. If you assume that your password could be compromised at any moment and that the attack may go unnoticed, the only way to successfully address the risk is by changing password credentials regularly.

When a password reset catches a hacker in the process of exfiltrating sensitive data from an organisation, the hacker goes back to square one. The hacker won’t have a chance to cover their tracks or make it look like the data was untouched.

And if the organisation’s password update policy is truly comprehensive, the interrupted data breach will contain encrypted information that the hacker didn’t have time to obtain a decryption key for. This kind of multi-layered security framework ensures that data is safe even if hackers are successful.

As of now, there is no cybersecurity technology sufficiently advanced to achieve these kinds of results better than regular password changes. No system can do this on its own without interfering directly with user workflows.

How to Come Up With Good Passwords

As with most security processes, frequent password changes have downsides. One of the most common problems that organisations face is deteriorating password quality. As users get tired of constantly changing passwords, they begin using ones that are simpler and easier to crack.

Regular password changes achieve nothing if the “new” password is just an iteration of the old one. Changing “password123” to “password1234” is not going to cut it.
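One way a password-change form could enforce this rule, shown as an added example that is not part of the original article. The function names and the four-character threshold are assumptions, and the check relies on the user having just typed the old password into the change form, so both values are available for comparison.

```python
import re

# Assumed policy threshold (not from the article): a new password must differ
# from the old one by at least this many single-character edits.
MIN_CHANGED_CHARS = 4

def strip_suffix(password: str) -> str:
    """Case-fold and drop trailing digits/symbols, the part users usually bump."""
    return re.sub(r"[\W\d_]+$", "", password.casefold())

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def is_iteration(old: str, new: str) -> bool:
    """True when `new` is only a minor variation of `old`."""
    old_base, new_base = strip_suffix(old), strip_suffix(new)
    if old_base and old_base == new_base:
        return True  # same stem, only case or the trailing counter changed
    return edit_distance(old, new) < MIN_CHANGED_CHARS

if __name__ == "__main__":
    # Constructed sample pairs; the first is the article's own example.
    samples = [
        ("password123", "password1234"),
        ("Summer2023!", "summer2024?"),
        ("password123", "Po$cGüSh6r"),
    ]
    for old, new in samples:
        verdict = "reject (iteration)" if is_iteration(old, new) else "accept"
        print(f"{old!r} -> {new!r}: {verdict}")
```

The stem comparison catches changes that leave the word intact and only bump the counter or symbol at the end, which a plain edit-distance threshold can miss when the suffix is long.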

Instead, you need a formula. One of the best ways to create a strong password from scratch is to sequence elements from five or six completely unrelated pieces of information. For instance, try writing down the following:

  • The name of the street you grew up on. 
  • The name of your first pet.
  • Your favourite movie, musician, or artist.
  • The name of your immediate supervisor.
  • An object you keep on your work desk.

You might write down a sequence like this: “Polding Street. Scruffy. Guardians of the Galaxy. Sheila Johnson. Solar-powered Dancing Groot.”

Now all you have to do is take two letters from each of those names: “PoScGuShGr”. Replace every third letter with a number or special character: “Po$cGüSh6r”.

According to BetterBuys’ Password Checker, this password would take 87,700 years for a hacker to defeat using equipment available in 2020. When the time comes to change it, you only need to change one element of the sequence by moving to the next letter of its source phrase. For instance, instead of taking the “Po” from “Polding Street”, we’ll take the “ol”, and get: “ol$cGüSh6r”.

Another option is using a password generator like LastPass to do all of the thinking for you. You just enter the parameters required for your password, such as length and whether to include uppercase and/or lowercase letters, numbers, and symbols, and it does all the work for you.

This system (or any system like it) will produce highly secure passwords that are easy to remember as long as you keep the formula in mind. Even if cybercriminals manage to crack it once, they won’t be able to crack it a second time.

If you need help changing your password for the SMB Solutions Cloud Platform or you would like more information, get in touch with the support team today.