The idea that changing passwords regularly improves digital security is beginning to be questioned by cybersecurity experts and public organizations such as the National Institute of Standards and Technology (NIST), who warn of the risks of this traditional practice.
NIST argues in recent guidelines that requiring users to change their passwords frequently can have negative effects. Rather than providing more protection, this measure often results in choosing keys that are weaker, more predictable, and easier to remember.
As the agency points out, “Requiring credentials to be changed periodically, typically every 1 to 3 months, may actually reduce security. This is because the increased burden encourages the use of weaker keys that are easier for people to set and remember.”

NIST has proposed removing some of the legacy requirements related to passwords. The guidelines also prohibit forced resets, restrictions on the use of certain characters, and the use of secret questions.
Additionally, the new guidelines state that “verifiers and communications service providers should not require users to change their passwords regularly. Changes should only be forced if there is evidence that the authentication system has been compromised.”
This change in approach means that password changes should only be performed when leaked or compromised credentials are suspected, rather than as a scheduled routine.

In this context, the recommended strategy focuses on creating strong passwords that are unique and difficult to guess, which should only be updated if there are signs of vulnerability or if they are exposed in a data breach.
Experts argue that each account requires different credentials, especially those that manage financial services or sensitive information. When choosing a phrase as a password, it’s important to avoid common words and expressions, as well as personal and family names and dates.
It is still best practice to use uppercase and lowercase letters, numbers, and symbols, and the recommended minimum length is 8 characters. Furthermore, it is not recommended that the letters form recognizable words or that the numbers have any meaning relevant to the user.

Passwords such as “123456”, “password”, “qwerty”, and “111111” are the easiest to guess. Because these combinations are frequently used and uncomplicated, they are usually the first combinations that attackers try in an unauthorized access attempt.
Using simple words, numeric sequences, or passwords like “abc123” or “admin” can make it easier for third parties to compromise the security of your personal or business accounts. Cybersecurity experts recommend avoiding these options to reduce the risk of information leakage.
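The policy the article describes (no scheduled rotation, a reset only on evidence of compromise, a minimum length of 8, and rejection of the common passwords listed above) can be expressed as a small set of checks. The following is an added example, not code from the article or from NIST; the blocklist is constructed from the examples quoted above, and the 90-day legacy interval is an assumption used only for contrast.

```python
from dataclasses import dataclass
from datetime import date

MIN_LENGTH = 8  # the minimum length the article cites

# Constructed blocklist built from the examples quoted in the article; a real
# deployment would load a much larger list of known-breached passwords.
BLOCKLIST = {"123456", "password", "qwerty", "111111", "abc123", "admin"}


def check_new_password(candidate: str, blocklist=BLOCKLIST) -> list:
    """Return the policy violations for a proposed password (empty = accepted).

    Only length and blocklist membership are enforced here; no forced
    character mix and no expiry date are attached to the new credential.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Compare case-insensitively so "Password" is caught as well as "password".
    if candidate.lower() in blocklist:
        problems.append("found in blocklist of common passwords")
    return problems


@dataclass
class Credential:
    set_on: date               # when the current password was chosen
    compromised: bool = False  # set when it appears in a breach or leak


def legacy_policy_requires_reset(cred: Credential, today: date,
                                 max_age_days: int = 90) -> bool:
    """Old rule: rotate on a schedule (assumed 90 days here) or on compromise."""
    return (today - cred.set_on).days >= max_age_days or cred.compromised


def nist_policy_requires_reset(cred: Credential, today: date) -> bool:
    """Revised rule: age alone never forces a change, only evidence of compromise."""
    return cred.compromised


if __name__ == "__main__":
    for pw in ("123456", "Password", "correct horse battery staple"):
        print(pw, "->", check_new_password(pw) or "accepted")
    old = Credential(set_on=date(2024, 1, 1))
    print("legacy reset:", legacy_policy_requires_reset(old, date(2024, 6, 1)))
    print("nist reset:", nist_policy_requires_reset(old, date(2024, 6, 1)))
```

Running the block shows the same five-month-old credential being forced to rotate under the legacy rule but left alone under the revised one until it is flagged as compromised.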
Multi-factor authentication (MFA) is presented as an essential complement for increasing security. Activating this system on as many accounts as possible will make it difficult for cybercriminals to gain access, even if they manage to obtain the password.

This method is highly effective against automated attacks by cybercriminals, such as attempts to guess passwords or to use stolen credentials.
Additionally, managing multiple complex keys can be complicated, so experts recommend using a password manager. These tools allow you to generate random keys, store them in encrypted form, and access them securely from your personal device.
This reduces the burden of remembering complex credentials for various services and encourages the adoption of longer, more secure passwords.
The paradigm shift promoted by NIST and cybersecurity experts will impact individual users, businesses, and institutions in a scenario where cyberattacks become increasingly frequent and sophisticated.