Until a few years ago, conventional password wisdom included advice to change all your passwords regularly and often, simply because you could.
The commendable idea was that this shortened the time a breached password would remain usable, so you were "obviously" safer.
Ironically, this became known in the jargon as password rotation, and that is exactly what happened: users simply rotated through a list of passwords they had used before.
Most apps checked that your new password didn't match your previous one, but few went much further back in the history, so users quickly learned how few different passwords they needed to cycle through for each app or service.
Users also learned how small the difference between two passwords could be and still count as a change rather than a minor tweak.
There was another serious problem with password rotation on a corporate network, namely that IT departments often imposed forced changes on a very predictable schedule, for example on the first Monday of every month.
Anything that introduces predictability into a process that is supposed to be random is asking for trouble.
First, it encourages users to make algorithmic changes to satisfy the policy rather than to address a real need, for example appending the digits of the current month to a core password that never changes.
Second, it crams the vast majority of the month's "Help, I forgot my password" help desk calls into a short and predictable window.
That hands social engineers (cybercrooks who are essentially experts at persuading other people to do unsafe things) a credible pretext for requesting fraudulent password resets.
This podcast was recorded in 2012 and is still relevant in 2020.
Do I need to reset my password at all?
If you've listened to the podcast above, you already know that we're not suggesting that password changes are irrelevant.
By all means change your passwords whenever you want, and a password manager makes that easy.
However, you should only feel compelled to change a password when there is a clear and obvious reason to do so, for example if you think, or worse know, that it may have been compromised.
Fortunately, in many recent data breaches where authentication data was stolen (unfortunately not all of them), the crooks did not get your actual password along with your login name.
Passwords are usually (and should definitely be!) stored in hashed form: the hash can be used to check whether a supplied password is correct, but it cannot be reversed to reveal the password itself. Done properly, each hash is salted and computed with a deliberately slow function such as bcrypt, scrypt, Argon2 or PBKDF2, so that every guess costs the attacker real work.
As a result, most of the password risk from a data breach requires the crooks to crack your password first, by running through a long list of guesses until one produces a matching hash.
Simply put, the longer and more complex your password is, the longer it takes crooks to crack it.
They try the most obvious passwords first, so 123456 will probably be the very first guess for every user. Pa55word! might be the 100,000th on their list; but they are unlikely to get round to VFRHFMNOLR5LAIVGDOW5UZRT for days, months or even years.
In other words, if a service provider tells you that your password hash has been stolen by crooks, you are still safe provided you change your password before they manage to crack it.
Even if the breach happened weeks or months ago, you are probably still well placed to beat the crooks, assuming you chose a strong password in the first place; and if you use a password manager, that is easy to do reliably.
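To make the hashing-and-cracking argument above concrete, here is an added example (not code from the original article) that stores passwords as salted PBKDF2-HMAC-SHA256 hashes, then plays the crook: it runs a most-common-first wordlist against a stolen (salt, hash) pair and counts how many guesses each password survives. The six-entry WORDLIST, the 100,000 iteration count and the guess rate passed to years_to_exhaust are constructed assumptions for illustration, not measurements from any real breach or cracking rig.

```python
import hashlib
import hmac
import os
import string

# Work factor for PBKDF2-HMAC-SHA256 (assumed value). A real service would use
# this or Argon2/bcrypt/scrypt so that every guess costs the attacker as much
# work as a legitimate login costs the server.
ITERATIONS = 100_000

def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user means two users
    with the same password still get different hashes, so a cracker cannot
    attack a whole breach dump with a single pass."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, digest):
    """Recompute the hash of a candidate and compare it in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

# Constructed stand-in for a cracker's wordlist, most common passwords first.
# Real lists run to hundreds of millions of entries; the ordering is the point.
WORDLIST = ["123456", "password", "qwerty", "abc123", "Pa55word!", "letmein"]

def crack(salt, digest, wordlist=WORDLIST):
    """Offline guessing against one stolen (salt, hash) pair.
    Returns (plaintext, guesses_used) on success, else (None, len(wordlist))."""
    for n, guess in enumerate(wordlist, start=1):
        if verify_password(guess, salt, digest):
            return guess, n
    return None, len(wordlist)

def keyspace(password):
    """Number of strings a cracker must try to exhaust every password of the
    same length drawn from the same character classes (lower, upper, digits,
    punctuation). This bounds the work once the wordlist has run out."""
    alphabet = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase, string.digits):
        if any(c in cls for c in password):
            alphabet += len(cls)
    if any(c not in string.ascii_letters + string.digits for c in password):
        alphabet += len(string.punctuation)
    return alphabet ** len(password)

def years_to_exhaust(password, guesses_per_second):
    """Worst-case time to search the whole keyspace at an ASSUMED guess rate
    supplied by the caller (not a measurement of any real cracking setup)."""
    return keyspace(password) / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    for pw in ["123456", "Pa55word!", "VFRHFMNOLR5LAIVGDOW5UZRT"]:
        salt, digest = hash_password(pw)
        found, n = crack(salt, digest)
        print(f"{pw:26} cracked={found is not None} after {n} guesses; "
              f"keyspace={keyspace(pw):.3g}; "
              f"years at 1e10 guesses/s={years_to_exhaust(pw, 1e10):.3g}")
```

Run it and 123456 falls on the first guess, Pa55word! on the fifth, and the 24-character random string is never found: it is not in any wordlist, and its keyspace of 36^24 would take longer than the age of the universe to exhaust even at the assumed ten billion guesses per second. That gap is the time you have to change the password after a breach notice.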
How quickly do we act?
If we no longer change our passwords "just in case" every month, how quickly do we change them when there is a clear and present reason?
Unfortunately, a paper recently published by Carnegie Mellon University in the United States suggests that a worrying number of us are not quick at all.
The paper, titled (How) Do People Change Their Passwords After a Breach?, states that the researchers:
… found that very few of their online study participants reported intending to change passwords after being told that their passwords had been compromised or reused, in part because they believed that their passwords were “invincible”.
Admittedly, the significance of the paper's results is somewhat limited by the age of the data (it was collected in 2017 and 2018), by the small sample (63 breach victims among 249 participants), and by the fact that only passwords entered through Chrome or Firefox were monitored.
Nevertheless, the study found that 42 of the 63 participants (two thirds) who were told about a data breach did not change any of their passwords.
How well do we do?
Disappointingly, a third of those who did change their passwords took more than three months to get round to it, and many of them replaced their old passwords with weaker ones.
Even more intriguing, though perhaps not surprising in hindsight, the researchers report that those who changed a password tended, on average, to pick a replacement that was more similar to their other passwords than the old one had been (measured by substring similarity).
In other words, if you don't use a password manager to generate truly random passwords for you, you are likely to find that your password choices converge, so that your passwords vary less and less over time.
That may not help the crooks very much, but it doesn't exactly do your entropy any favours either. (Entropy is the jargon word for how "disordered" your password is; the higher the entropy, the harder the password is to guess.)
In short, people aren't very good at randomness, and they aren't very good at acting on data breach notifications either.
What should I do?
Don't delay, do it today. If there is a valid reason to change one of your passwords, do so immediately and stay ahead of the crooks.
Don't take shortcuts. Crooks recognise any trick or pattern you use to make your passwords different yet similar enough to remember easily. If you use u64b2vqtn5-fb for Facebook and u64b2vqtn5-tw for Twitter, one leaked password lets the crooks work out the rest with very little effort.
Don't think you're invincible. The crooks are unlikely to crack your password if it is 6GHENBIZMX3TTUHJTPQZTEKM, but why take the risk that they might?
Don't use 2FA as an excuse. Don't use two-factor authentication as an excuse to choose a trivial password or to reuse the same one everywhere: it is supposed to be a second factor, not just another kind of single factor.
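Two passages above make the same point from opposite sides: the corporate-rotation section, where users append the month's digits to an unchanging core password, and the "Don't take shortcuts" advice, where u64b2vqtn5-fb and u64b2vqtn5-tw differ only in a service tag, exactly the substring similarity the CMU researchers measured. This added example (not code from the original article or the paper) implements a longest-common-substring similarity score, compares the "not equal to the last password" check most apps used with a similarity-based check, and sketches how a crook turns one leaked tagged password into guesses for the rest. The Redfox05/Redfox06 history, the 0.5 rejection threshold and the "-tag" suffix convention are constructed assumptions.

```python
def longest_common_substring(a, b):
    """Length of the longest run of characters that appears in both strings
    (classic dynamic-programming table, keeping one row at a time)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best

def similarity(a, b):
    """Share of the longer password covered by the longest common substring:
    1.0 means identical, values near 0 mean nothing useful in common."""
    if not a or not b:
        return 0.0
    return longest_common_substring(a, b) / max(len(a), len(b))

def naive_policy_accepts(new, history):
    """What most apps did: reject only an exact repeat of the previous password."""
    return not history or new != history[-1]

def similarity_policy_accepts(new, history, max_similarity=0.5):
    """Reject a new password that shares a long substring with any earlier one.
    The 0.5 threshold is an assumed tuning value, not a standard."""
    return all(similarity(new, old) < max_similarity for old in history)

def pattern_candidates(known, known_tag, other_tags):
    """What a cracker does with one leaked password that ends in a per-service
    tag: keep the shared core and swap in other tags. Assumes a '-tag' suffix;
    returns no candidates if the leaked password does not fit that pattern."""
    core, sep, tag = known.rpartition("-")
    if not sep or tag != known_tag:
        return []
    return [f"{core}-{t}" for t in other_tags]

if __name__ == "__main__":
    # Constructed history: core password plus the month's digits.
    history = ["Redfox05"]
    print("Redfox06 passes naive check:     ", naive_policy_accepts("Redfox06", history))
    print("Redfox06 passes similarity check:", similarity_policy_accepts("Redfox06", history))
    print("fb vs tw similarity:   ", round(similarity("u64b2vqtn5-fb", "u64b2vqtn5-tw"), 3))
    print("random vs random:      ", round(similarity("VFRHFMNOLR5LAIVGDOW5UZRT",
                                                      "6GHENBIZMX3TTUHJTPQZTEKM"), 3))
    print("guesses from one leak: ", pattern_candidates("u64b2vqtn5-fb", "fb", ["tw", "ig", "gm"]))
```

Redfox06 sails through the naive check but scores 7/8 against Redfox05 and is rejected by the similarity check; the Facebook and Twitter passwords share 11 of 13 characters, while two manager-generated random passwords share at most a single character. The same substring measure that flags a lazy rotation is what lets pattern_candidates produce the Twitter password from the leaked Facebook one.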