- Lucia Blasco
- BBC World News

“Change password” is probably the worst instruction on internet platforms.
* Incorrect password *.
* Create a new password *
* The new password cannot be the same as the old one *.
How many times have you been through the frustrating episode of forgetting a password and finally managing to enter the correct one, only to have to change it again?
Constant requests to change the passwords of the digital services we use every day – from email to a Zoom account or social networks – can be a real headache (how do we remember them all?).
On top of that, they can make us more vulnerable to hackers, several cybersecurity specialists warn.
How can a new password compromise your Internet security?
Minimal changes
The key is that when we change a password, we tend to make minimal changes that make it easier for cybercriminals to guess.
For example, we change “CDMX1” to “CDMX2”. Or we add the year we were born to the end of the password. Or we swap the last letter for another one or for the number of the month.
And if the passwords are very complicated, some users write them on sticky notes and stick them on the computer.
Do you find it difficult to remember passwords for all the services you use? Don’t fall into the trap of changing only the last digit …
“It simply came to our notice then derived from the same password because we are not able to remember ourselves even more robustly for all the services we use.
In addition, it is common to reuse the same password – or a very similar one – in different services,” Juan Caubet, director of the IT Security Unit at the Eurecat technology center, told BBC Mundo.
“This means that if there is a security breach or a password is stolen through phishing [a fraud based on identity impersonation], hackers can easily guess the password you use on other platforms by adding or changing numbers to the base they already have.”
The cybersecurity specialist says that, to avoid making things so easy for crooks, ideally every time we are asked to change a password we would replace it with a completely new one that is also robust.
“The problem is that this is difficult because we use a lot of passwords,” he adds.
KEYS TO A STRONG PASSWORD
- Has at least 8 characters
- Combines letters, numbers and special characters
- Uses uppercase and lowercase
- Does not include obvious information, such as your name or date of birth
- Do not use it on another service! If one of your accounts is compromised, they will all be at risk
Source: Juan Caubet, cybersecurity specialist (Eurecat)
“People have been trying to figure out how to make passwords more secure for a long time, but the mandatory password change is a patch and will soon be obsolete; a single strong password is better than a few that are not so strong in the end,” says Caubet.
He’s not the only one thinking about it.
In fact, IT security experts have long warned against frequent password changes.
It is better to have a single strong password than to constantly change it with others that are not as strong, experts say.
A few years ago, Bill Burr – the author of an influential guide to computer passwords, which was distributed by the US National Institute of Standards and Technology (NIST) – withdrew some of his advice.
Among them was the advice to change the password every 90 days, adding capital letters, numbers and symbols so that, for example, “protected” can become “pr0t3Gid0!”.
However, computers have been shown to take longer to decipher a random combination of words than to guess a word with easy-to-remember substitutions, such as “Password!”
“I regret most of what I recommended. I think the advice was probably very difficult for many people,” the 72-year-old expert said in 2017 about the guide published in 2003.
Many platforms and institutions continue to recommend (and force) frequent password changes, but others no longer follow such guidelines.
Microsoft joined the second group in 2019, when it announced that it was gradually eliminating periodic password changes after decades of recommending them. “It’s an old and outdated practice,” the company argued.