Why Changing Your Passwords Regularly Is A Good Thing
We know, you’ve heard it all before. And we also know, it’s a massive pain in the backside. But if recent data breaches are anything to go by, it’s still as important as ever that strong password security habits are adopted. And yes, this does mean regularly changing your password.
It’s a fact that most people, even IT professionals, don’t always change their passwords on a regular basis and, in fact, many of us only change a password on our accounts once we’ve been hacked. Obviously, this is a very good idea and prevents further attacks – but it’s already too late to stop the perp who has already been in your account.
Some accounts are more valuable to criminals than others – with e-mail accounts being seen as the jackpot. Why, you ask? Not because they want to read the love letters between yourself and your partner. Nor because they’re interested in what your Mum is going to cook you for tea when you go round. But because, with access to your e-mail, they can now start to use the ‘forgotten password’ functionality present on most sites to send an e-mail to your now-compromised e-mail address and change the password to anything they like. No matter how secure your other websites’ passwords are, they’re all vulnerable if they’re attached to another compromised account.
By the same token, single sign-on – already a mainstay in the business world, but becoming increasingly popular for personal accounts as well – can be a gateway to other, otherwise secure accounts by compromising the main account. For example, if someone gets into your Facebook account, not only can they look at ‘those pictures’ from Saturday night but they can use the ‘Sign in using Facebook’ functionality which you may have subscribed to on partner sites. For example, our very own blog allows you to sign in using Facebook. Convenient, yet it does make it even more important that you’re fastidious about your password maintenance.
At DPS Computing, we take security seriously and that’s why client passwords have a password policy assigned which means that they require changing at regular intervals – by default, this is set to 180 days. Two password changes a year is a small price to pay to avoid potentially costly and damaging hacking taking place on your accounts. If you’re unlucky, you lose out financially. How many of you have saved card details stored with merchants such as Amazon, eBay or PayPal, for example?
Even if a website or service doesn’t enforce you changing your password regularly, you really should do.
Why? There are lots of reasons. Here are just a few.
- Breaches go unannounced for years – hopefully, things are getting better now, but it’s not unheard of for breaches to go unacknowledged for years. Remember LinkedIn? MySpace? Ashley Madison? Sometimes companies realise and don’t announce it straight away, or they simply don’t find out until, sometimes, years later.
- Your password may already be compromised – but your account may not be. On the dark web, your password may be sat on a server for sale to the highest bidder. Although your password has been compromised, your account hasn’t necessarily been already. If you change your password before someone gets the chance to try it then boom, they’re locked out and you’re still secure. It’s always a good idea to check your password is secure before using it.
- Some passwords are stored in plain text – passwords and other sensitive data should always be encrypted. But, unfortunately, this isn’t always the case. If they’re not, and someone gets into the web server, your password is there for all to see (and use).
If you haven’t already, sign yourself up to Have I Been Pwned. Once registered, you’ll receive e-mail alerts if your e-mail address is found in a breach, and it’ll also alert you to any existing breaches you’re already included in. It’s a fantastic project created by Troy Hunt – and was recommended by Jenny from the North West’s Cyber Crime division during the recent Cybercrime 2018 event in Manchester.