
The belief that changing passwords regularly enhances digital security has been called into question by cybersecurity experts and official organizations such as the National Institute of Standards and Technology (NIST) in the United States, who warn of the dangers of this traditional practice.
In its recent guidance, NIST says that requiring users to change passwords frequently can have a negative impact: far from enhancing security, this measure often leads users to choose passwords that are weaker, more predictable, and easier to remember.
As the agency notes, “When credentials are properly selected, the requirement to change them periodically, usually every one to three months, can actually reduce security, because the extra burden encourages the use of weaker passwords, which are easier for people to form and remember.”

NIST has proposed eliminating many of the classic requirements associated with passwords. Among the guidelines is a ban on mandatory periodic resets, on restricting the use of certain characters, and on the use of security questions.
In addition, the new guidelines state that “verifiers and credential service providers (CSPs) should not require users to change their passwords periodically. They should only enforce the change if there is evidence that the authenticator has been compromised.”
This change in approach means that password modification should only be done when credentials are suspected of being leaked or compromised, and not as a routine, scheduled procedure.

In this context, the proposed strategy focuses on creating strong passwords that are unique and difficult to guess; they should only be updated if there are signs of vulnerability or if they are detected in a data leak.
Specialists insist that each account should have different credentials, especially for financial services or those that manage sensitive information. If you choose a phrase as your password, it is necessary to avoid common words or expressions, as well as personal or family names or dates.
The use of uppercase letters, lowercase letters, numbers, and symbols remains a best practice, and the recommended minimum length is eight or more characters. Furthermore, it is not recommended that the letters form recognizable words or that the numbers have a meaning relevant to the user.

Passwords such as “123456”, “password”, “qwerty”, and “111111” are among the easiest to guess. These combinations are usually the first that attackers attempt in unauthorized access attempts due to their frequent use and lack of sophistication.
Using simple words, number sequences, or passwords like “abc123” and “admin” makes it easier for third parties to compromise the security of personal and corporate accounts. Cybersecurity professionals recommend avoiding these options to reduce the risk of information leakage.
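The checks described above (a minimum length, rejection of commonly used passwords such as “123456” or “admin”, and avoidance of names or words tied to the user) can be applied at account creation instead of relying on scheduled rotation. The following Python validator is an added example written for this article; it is not code from NIST or from any product, and its blocklist is a small constructed set built from the passwords named in the text (a real deployment would load a large list of breached passwords instead).

```python
import unicodedata
from dataclasses import dataclass, field

# Constructed blocklist for this example: the passwords named in the article
# plus a few well-known variants. Replace with a full breached-password list.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "111111", "abc123", "admin",
    "12345678", "letmein", "welcome", "iloveyou",
}

MIN_LENGTH = 8  # the minimum length the article recommends


@dataclass
class PolicyResult:
    ok: bool
    reasons: list = field(default_factory=list)


def normalize(password: str) -> str:
    """Apply Unicode NFKC normalization so length checks and blocklist
    comparisons behave the same regardless of how the text was typed."""
    return unicodedata.normalize("NFKC", password)


def is_sequential(s: str) -> bool:
    """True when every adjacent pair of code points differs by exactly +1 or -1,
    which catches runs such as 'abcdef' or '123456'."""
    if len(s) < 3:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs == {1} or diffs == {-1}


def check_password(password: str, context_words=()) -> PolicyResult:
    """Evaluate a candidate password against the guidance in the article.

    Note what is deliberately absent: no rule forces a mix of character
    classes and nothing here expires a password by age. Only the
    properties of the password itself are judged.
    """
    pw = normalize(password)
    lowered = pw.lower()
    reasons = []

    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    if lowered in COMMON_PASSWORDS:
        reasons.append("appears on the blocklist of commonly used passwords")

    # Context-specific words: the username, the service name, a family name, etc.
    for word in context_words:
        w = word.lower()
        if len(w) >= 3 and w in lowered:
            reasons.append(f"contains context-specific word {word!r}")

    if len(set(lowered)) == 1:
        reasons.append("is a single repeated character")

    if is_sequential(lowered):
        reasons.append("is a simple sequential run")

    return PolicyResult(ok=not reasons, reasons=reasons)


if __name__ == "__main__":
    for candidate in ["123456", "alicebank2024", "correct horse battery staple"]:
        result = check_password(candidate, context_words=["alice", "bank"])
        print(f"{candidate!r}: {'accepted' if result.ok else 'rejected'} {result.reasons}")
```

The validator returns every reason a password failed rather than the first one, which lets a sign-up form explain the rejection; the `context_words` parameter is where a service would pass the username and its own name so that “alicebank2024” is refused even though it is long enough.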
Multi-factor authentication (MFA) is offered as a basic complement to enhance security. Activating it on as many accounts as possible makes it difficult for cybercriminals to access them, even if they manage to obtain the password.

This method is very effective against the automated attacks used by cybercriminals, which seek to guess passwords or use stolen credentials.
Additionally, since managing multiple complex passwords can be difficult, experts suggest using password managers. These tools allow you to generate random passwords, store them in encrypted form, and access them securely from any personal device.
This reduces the burden of memorizing complex credentials for different services and encourages the adoption of longer, more secure passwords.
The paradigm shift promoted by NIST and cybersecurity professionals impacts individual users, businesses, and organizations, in a scenario where cyberattacks are becoming increasingly frequent and sophisticated.