Cyber Attack steals passwords
Should you really be changing that password so often? Reuters

If it wasn't for a small science fiction franchise called Star Wars, the World Password Day may be a slightly bigger deal. Nevertheless, for those invested in spreading the joy of good cybersecurity practices, there's one big myth that needs to be urgently addressed.

According to a growing number of cybersecurity experts, that myth is the belief that passwords should be regularly updated. As it turns out, the industry-standard approach that this may actually leave your online accounts – from banking to social media – wide open to hackers.

The UK's National Cyber Security Centre (NCSC), a fork of GCHQ, has said this: "Most password policies insist that we have to keep changing them.

"When forced to change one, the chances are that the new password will be similar to the old one. Attackers can exploit this weakness."

The rationale is simple: the new password is likely to be a slight variation of the old one, it's more likely to be written down and more likely to be forgotten.

"The more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn't, it turns out, stand up to a rigorous, whole-system analysis," the NCSC's long-standing policy argues.

On 3 May this year, one NCSC security expert, using the name 'Emma W' online, added: "The answer is to focus on supporting users to do the right things, rather than telling them what to do. Too often, telling users to do things slides too easily into blaming them when they get things wrong."

As it turns out, things often go wrong. Last year a slew of mega-breaches came to light – including Yahoo, MySpace and Dropbox – that over one billion account details exposed. Worse, it came to light people are still using weak passwords to secure their accounts, including the classic "123456."

Password
Attackers can use a variety of techniques to discover passwords iStock

Attackers have a variety of tactics to discover passwords, including social engineering, installing keyloggers on computers or brute-force attacks.

Because of this, many experts now warn passwords may finally – as it has been teased for years – soon become a thing of the past.

In April, Microsoft announced plans to kill off the humble password by replacing it with a smartphone-based authentication method. "We are shifting the security burden from your memory to your device," said Alex Simons, Microsoft's enterprise security expert.

Until the majority of online services choose to adopt new login methods things may be slow to change. In the US, the National Institute of Standards and Technology (NIST) is currently coming up with new guidelines for federal agencies and the government.

"Users need to remember these passwords and if they're overly complex or if they change too frequently, users will resort to writing them down," Scott Petry, chief executive of Authenticat8, told ThreatPost in an interview. "That defeats the secret nature of the password," he added.

Luckily, there are still more effective ways to protect your accounts.

Peter Turner, expert at cybersecurity firm Avast, said: "We highly recommend using a password manager to easily manage your passwords. This not only means you don't have to remember lengthy passwords, but you can easily change them on a frequent basis.

"Apply the same security rules to your smart home devices.

"Change any default passwords as soon as you get a device – or immediately if you have never changed any that you currently use. Ensure you update these devices in line with the updates available from the manufacturer, as these are usually security related."

Security firm McAfee offered more top tips to keep your accounts safe online:

Create strong passwords. Make sure you create strong and unique passwords to keep unwanted people out. The more complex your password is, the more difficult it will be to crack. Not to mention, make sure to avoid common and easy to crack passwords like "12345" or "password."

Use multi-factor authentication. Having multiple factors to authenticate your accounts, like your fingerprint, face, or a trusted device, both improves security and makes accessing your online accounts easier. The more factors you can combine, the safer your accounts will be.

Use a password manager. A password manager can help you create strong and secure passwords, remove the hassle of remembering numerous passwords and log you into your favourite websites automatically using multi-factor authentication.