So what’s the real deal with changing passwords?
The advice of network managers can vary widely from “change your passwords frequently” to “how often doesn’t matter – just don’t use one password for everything.”
Which raises the big question: what should you believe?
I found a few questions regarding this topic in the August 2014 issue of Entrepreneur. The information was relevant then (2014) and is still today.
Do I really need to change my passwords every three months?
Yep. Let’s face it, when it comes to online security, the weakest link is our collective refusal to create, memorize and change our passwords every 90 days, as the National Security Agency’s Systems and Network Analysis Center suggests.
The only solution is to use a different password for every single site you visit, according to Tara Kelly, who co-founded Passpack, a web-based password-management provider that was later sold to Utah-based Kemesa Holdings. With the surplus of sites we enter on a daily basis, the only way to remember all that information is to not have to remember it at all.
“That’s what password managers are for,” Kelly explains.
We asked her to elaborate on password best practices.
Is there an alternative to memorizing complex new passwords every 90 days?
Consider using a password phrase. Instead of, for instance, “gaga72013,” use a whole sentence, along with spaces and punctuation. Something like “Lady Gaga rocks my world!” is strong, and it’ll bring a smirk to your face every time you type it in.
But what if a site doesn’t support password phrases?
This is where a password manager can be put to good use. Many password managers are free, and they not only store your passwords, they also generate complex monsters like “4C!rhxn-KAnw&w5” for you. You only need to enter your master key password once to open the password manager, and it takes care of entering the rest of your passwords.
Some people talk about creating their own informal password algorithms. Is this something you recommend?
While it’s better than reusing the same password across sites, it’s not as safe as a completely random password or a well-constructed pass phrase. One example of a password algorithm that people frequently use is (name of site) + (birth year) + (cat name). In this case the birth year and cat name never change; the only thing that makes the password unique is the name of the site, which is different for every site you log into. Problem is, password algorithms can be easily reverse-engineered, especially if a hacker targets you specifically. Once the attacker discovers your system, it doesn’t matter that each password is unique. They can easily figure them all out.
This Q&A section is shared from http://www.entrepreneur.com/article/235391
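To put numbers on the comparison drawn in the Q&A between manager-generated passwords, passphrases and a “(site) + (birth year) + (cat name)” scheme, here is an added Python example. It is mine, not code from Passpack or Entrepreneur. It generates passwords the way a manager does (every character from a CSPRNG), generates word passphrases, and estimates entropy in bits for each. The 100-year and 1000-pet-name ranges, the 7776-word Diceware list size and the guess rate are assumptions chosen for illustration; the tiny wordlist is constructed.

```python
import math
import secrets
import string

# Constructed, deliberately tiny wordlist for the demo. A real passphrase generator such
# as Diceware draws from 7776 words, the size assumed in the entropy estimate below.
SAMPLE_WORDS = ["lady", "gaga", "rocks", "world", "river", "candle", "orbit", "velvet",
                "maple", "thunder", "pixel", "garden", "comet", "saddle", "harbor", "quartz"]
DICEWARE_SIZE = 7776  # assumption: size of a standard Diceware list

SYMBOLS = "!@#$%&*-_=+?"
FULL_ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 52 + 10 + 12 = 74 characters


def random_password(length: int = 16, alphabet: str = FULL_ALPHABET) -> str:
    """What a password manager does: each character drawn independently from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 5, wordlist=SAMPLE_WORDS) -> str:
    """Word-based alternative: easier to type and remember, still uniformly random."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def uniform_entropy_bits(choices: int, elements: int) -> float:
    """Entropy of a string whose `elements` positions are each chosen uniformly among `choices`."""
    return elements * math.log2(choices)


def derived_scheme_entropy_bits(year_choices: int = 100, petname_choices: int = 1000) -> float:
    """Entropy of '<site> + <birth year> + <cat name>' once the scheme itself is known.

    The site name is public, so only the year and the pet name are secret, and they are the
    same in every password. This is therefore the entropy of ALL the user's passwords
    together, not of one of them. Ranges are assumptions for illustration.
    """
    return math.log2(year_choices * petname_choices)


def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to try every possibility at an assumed offline guessing rate."""
    return (2 ** bits) / guesses_per_second


def compare_strengths() -> dict:
    """Entropy in bits for the three approaches discussed in the Q&A."""
    return {
        "manager_16_chars": uniform_entropy_bits(len(FULL_ALPHABET), 16),
        "passphrase_5_diceware_words": uniform_entropy_bits(DICEWARE_SIZE, 5),
        "site_year_petname_scheme": derived_scheme_entropy_bits(),
    }


if __name__ == "__main__":
    print("manager:   ", random_password())
    print("passphrase:", random_passphrase())
    for name, bits in compare_strengths().items():
        print(f"{name:30s} {bits:6.1f} bits, "
              f"{seconds_to_exhaust(bits):.3g} s to exhaust at 1e10 guesses/s")
```

The point the numbers make: a 16-character generated password lands near 99 bits and a five-word Diceware passphrase near 65, while the derived scheme is worth roughly 17 bits once the pattern is known, and those 17 bits are shared by every account that uses it.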
While these few questions do give some good things to consider, there is plenty of other information that still leaves these “best practices” up in the air.
First of all, many organizations have mandatory password change policies. Don’t argue that it’s right or wrong. They have their reasons for requiring it – starting with their attempts to maintain the company’s network security.
As noted on LifeHacker.com, research done by Microsoft a couple of years ago found that mandatory password changes cost billions in lost productivity, for very little security payoff. Other computer security resources such as Purdue University, Health Informatics, and the Life as a CIO blog note that the “best practice” of frequently changing passwords actually does little to improve security, much to everyone’s chagrin. We (users) are guilty of choosing variations on the same simple passwords – such as “password3” – or resorting to a sticky-note system. This supports the theory that password change requirements can actually increase risk.
Is this just a colossal waste of time?
Passwords are easier to crack than ever before, and we are not good at creating strong ones.
If we made good choices when changing passwords, the changes would be effective. Read more here.
Do the words unique and totally random ring a bell? That’s probably what the network administrator who sets up mandatory password changes asked of you. But we humans opt for the easier (or perhaps just lazier) method of using the same one or three over and over again.
What seems to be the most effective method is having a password generator and manager for your passwords – and actually using it.
Two-factor authentication is also recommended. Turn it on for every site where you have a password and use it. Two-factor authentication means that – even if a hacker gets your password – they still can’t use it to get into your account.
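As an added example of what the second factor buys you (illustrative code of mine, not from either article): a minimal time-based one-time password implementation per RFC 4226/6238, checked against the RFCs’ published test vectors, wired into a login function that requires both the password and a current code. The user record, salt and password are constructed for the demo; the TOTP secret is the ASCII test-vector secret from RFC 6238.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


# --- RFC 4226 / RFC 6238 one-time codes -------------------------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time (this is what the app shows)."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, code: str, timestamp: int, step: int = 30,
                digits: int = 6, window: int = 1) -> Optional[int]:
    """Server side: return the time-step counter the code matched, or None.

    Accepts +/- `window` steps of clock drift and compares in constant time so the check
    does not leak how many digits were right.
    """
    base = timestamp // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def enroll_totp_secret():
    """Enrollment: a fresh random secret, plus its base32 form for the authenticator app."""
    raw = secrets.token_bytes(20)
    return raw, base64.b32encode(raw).decode()


# --- Constructed user record for the demo (not real credentials) ------------

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


DEMO_SALT = b"constructed-salt"
DEMO_TOTP_SECRET = b"12345678901234567890"  # ASCII secret from the RFC 6238 test vectors
USERS = {
    "alice": {
        "pw_hash": hash_password("Lady Gaga rocks my world!", DEMO_SALT),
        "totp_secret": DEMO_TOTP_SECRET,
        "last_counter": -1,  # last accepted time step, so a used code cannot be replayed
    }
}


def login(username: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors must pass: a stolen password alone never gets past this function."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(hash_password(password, DEMO_SALT), user["pw_hash"]):
        return False
    counter = verify_totp(user["totp_secret"], code, now)
    if counter is None or counter <= user["last_counter"]:
        return False  # wrong code, or a code already accepted once
    user["last_counter"] = counter
    return True


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_TOTP_SECRET, now)  # what alice's phone would display right now
    print("password only:", login("alice", "Lady Gaga rocks my world!", "000000", now))
    print("both factors: ", login("alice", "Lady Gaga rocks my world!", code, now))
    print("replayed code:", login("alice", "Lady Gaga rocks my world!", code, now))
```

Two details matter beyond the arithmetic: the comparison is constant-time, and the server remembers the last accepted time step so that a code someone captured over your shoulder is useless once you have used it.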
Let’s face it. The way we lazy humans choose to do things just doesn’t provide enough protection. Follow the best practices that we’ve highlighted here – preferably after reading the full articles at the links provided in my post. Regular security breach reminders can also be helpful. It’s only after following these measures that you can really enjoy the peace of mind that you’re doing the best you can at protecting yourself/your information — and saving yourself the hassle of changing all your passwords on a regular schedule.
Resources: Entrepreneur.com and LifeHacker.com