How Often Do You Change Your (High Risk, Sensitive) Passwords? No really...

I think about it from time to time, but I almost never change most of my passwords, and they are all in my password manager - I have about 80 active passwords - most unique, and probably another 50 that I'll never log in to again. I did recently delete accounts on a couple dozen, but I doubt that does any good; they'll keep what they hoovered up in the past. Some are 16 character strong passwords, others are simpler with fewer characters. I think DW's are all simpler unfortunately...

I change the passwords on my 15 high-risk, sensitive passwords (anything financial, medical or email) every year or two. All of them are 15-16 character 'strong' passwords with 2FA if available. None of them are in my password manager or any hard drive. I type them in manually off a piece of paper, from a spreadsheet on a flash drive. Probably overkill...

After reading this article, I don't feel so bad. Evidently the 'every 3-6 months' recommendation you often read about is outdated. I hope so...

When they announced that big FB and Google breach a while back, we finally did ours. Otherwise, as "techie" as I am, not often enough.
 
Here's an article on this topic from the FTC posted ten years ago that I still think is correct:

Time to rethink mandatory password changes

I think that there's more use of password managers since that article came out, but the underlying ideas are valid. "Password fatigue" is a thing. If your password hasn't been found on the dark web and the company/agency the password accesses hasn't been compromised, and you only use that password for the one site, and it's a decent password in terms of length/complexity, and you have decent 2FA --- then regular password changes strike me as just security theater, not anything that makes you safer.
 
I’m changing them monthly, since my main credit card was hacked twice in November/December.
 
I’m changing them monthly, since my main credit card was hacked twice in November/December.
Curious as to how your credit card was hacked?
Was it due to a weak password the hacker identified?
Or the dark web where most of our information is sitting there?
 
Worked with a guy - ALL of his passwords were in a hard shell eyeglass case in his upper left drawer.
And the answer to ALL of his "hint" questions was "Green" - Where did you meet your spouse? Green. What was the name of your High School? Green.

AND our group was in charge of sending MULTI-MILLION DOLLAR wires out - so security WAS SUPPOSED to be strict. Shrug.
 
I only change a password after it's been determined to be compromised.
Until then, it's good as gold...
 
I wish that was in my planning many years ago. I have a hair over 100 online accounts, nearly all of which I *cannot* delete. Many were opened for various interests that have become unnecessary over the years. Home theater, music, computer building and software, gardening, bicycling, sports, autos, shopping, financial, retirement, services, utilities, postal services, email, streaming TV, ... :(
I'm in that boat. Every time I let Chrome do a "scan" it comes up with 90 or so accounts where the login credentials have been breached. That's down from 180 because every so often I actually plow through a couple dozen. I was very fast and careless as a youth. The technological equivalent of the young stud who beds 80 women a year and never uses protection...bound to catch up!
 
1Password does it for me. It can autogenerate random passwords up to 100 characters long. Very simple to use and create new passwords as required. My 91yo father & mother still use it to manage all their passwords. They never reach out for help after the first couple of months of using it. My DW, who has absolutely no technical ability at all, is quite happy with having it handle her passwords too. It's not free, but well worth the money IMHO. I bought a family plan for all of us.
 
1Password does it for me. It can autogenerate random passwords up to 100 characters long. Very simple to use and create new passwords as required. [...] It's not free, but well worth the money IMHO. I bought a family plan for all of us.
Same here, but I use Bitwarden. Less expensive than 1Password or LastPass, and it's open source. I let it auto-generate very strong passwords for me for every site/app, then I never change them unless there's been a data breach. I also don't change my BW master password, which I've thoroughly memorized and is even stronger than the ones BW generates for me. This, in conjunction with 2FA and enabling login notifications/alerts for all important accounts, feels extremely secure to me.
 
Without the password manager, I don't know any of the logins. Constant change does not make me more secure.
 
I let the browser memorize the garbage passwords. The important ones are in the manager. A few have drifted into the passkey, just garbage though.
 
I just use the same passwords and put a number on the end or beginning and change that if I have to. The rest I leave alone. So not often.

I consider only financial information high risk.
 
I use LastPass. For added security, they now automatically log you off every two weeks
and force you to log back in with your password. This change, ironically, encouraged me to go from a long, complicated password to a simple password that I could easily memorize.

Otherwise, I don't change passwords unless there is some reason to.
 
I almost never change my passwords. I reckon that if the bad guys hack them, waiting 6 months on average for an annual change is not going to be much use. The last one I changed was one that I had had for ages that is based on a mnemonic rule that I no longer use - this was *checks notes* 8 months ago.

Two of my online banks that used to insist on annual changes seem to have stopped doing so. I imagine the above reasoning was part of that. Also, of course, dealing with people who change it and then forget that they have done so. In fact my muscle memory still sometimes types the old password for the account that I mentioned, but I usually catch myself before I hit Enter.
 
1Password does it for me. It can autogenerate random passwords up to 100 characters long. Very simple to use and create new passwords as required. My 91yo father & mother still use it to manage all their passwords. They never reach out for help after the first couple of months of using it. My DW, who has absolutely no technical ability at all, is quite happy with having it handle her passwords too. It's not free, but well worth the money IMHO. I bought a family plan for all of us.
Does anyone here use the free Passwords App that is offered on iPhone?
A.I. search states that it is very safe and secure through the Apple Cloud.
I am looking at my options for managing my passwords.
 
Does anyone here use the free Passwords App that is offered on iPhone?
A.I. search states that it is very safe and secure through the Apple Cloud.
I am looking at my options for managing my passwords.
The only risk I know of is being forced to reveal passwords under duress. Forcing a finger press or eye scan is easy to compel. Otherwise it works well.
 
Does anyone here use the free Passwords App that is offered on iPhone?
A.I. search states that it is very safe and secure through the Apple Cloud.
I am looking at my options for managing my passwords.
Just depends on how much risk one feels comfortable taking. You can ask ChatGPT to compare the security of 1Password app to Apple's Password iPhone app and it will provide lots of info. For me, I'd rather have my password manager disconnected from the account password the HW device runs on. 1Password also has the advantage of requiring a Secret Key + master password and uses end-to-end encryption (which Apple Password does not). YMMV.
 
Only when required do I change my password. I do use different emails for different applications though. I also use only one credit card for all on-line purchases, so when it's breached, I only have that one card company to deal with.
 
I use 1password. I do try and change my passwords at least once a year on important financial sites and emails. Some of the others I let go for some time.

I read this article recently about Starkiller, about how even non-technical, easy-to-acquire software allows anyone to start getting what they want from your computer.

"Starkiller's control panel gives cybercriminals a polished dashboard for deploying phishing campaigns, and the core workflow requires almost no technical skill. An attacker enters a brand’s real URL, and the platform spins up a Docker container running a headless Chrome instance that loads the real login page."

Being aware about phishing can help thwart the problem, but the ability of what this does made me uncomfortable and concerned.

Bob
 
I read this article recently about Starkiller, about how even non-technical, easy-to-acquire software allows anyone to start getting what they want from your computer.

That is pretty scary software. It does rely on phishing to work. So, absolutely no more clicking on email links to anything that has a credit card or any financial information.
 
Bank of America explained to me at least 15 yrs ago that there were credit card number generators, so there was nothing you could do. They get a good number, put thru 2 small transactions and then slam it. Changing a password will do nothing as the pwd is not used in the process.
 
I wonder, in all this changing of passwords, do people also change their email password? In some ways email is one of the most important passwords to change & strengthen.
 