Pope Francis on the arms trade: ‘It is terrible to make money from death’

--

Passwords remain a major target for hackers and other cyber threat actors, and in this context password manager applications and two-factor authentication (2FA) methods are very good solutions for renewing access keys, Eset specialists note in an article published on the company's Romanian blog.

“In recent years, there has been a lot of talk about the growing potential of passwordless authentication and security keys. Thanks to the ubiquity of smartphone-based facial recognition, the ability to log into your favorite apps or other services with just a glance (or using another biometric authentication method, for example) is now a reality and a simple and secure access for many users. But it is still not the rule, especially in the desktop world, and many of the users still rely on the old passwords (…) Until not long ago, a regular rotation of passwords was recommended to reduce the risk of theft or compromise by cybercriminals. The period covered by the password change was between 30 and 90 days. However, times change, and research suggests that changing passwords frequently, especially following a set schedule, does not necessarily improve account security. In other words, there is no universal answer to the question of when you should change your passwords. (…) now we live in a world where we find password manager applications and two-factor authentication methods (2FA)”, explains Eset specialist, Phil Muncaster, in a detailed analysis.

According to him, in the case of the password manager, it helps the user to store and remember long, strong and unique passwords for each account. Some password manager apps now have dark web monitoring built in to automatically flag when logins might be compromised and shared on dark web sites.

As for two-factor authentication, it adds an extra layer of security to the password login process.

Experts at the US National Institute of Standards and Technology (NIST) and the UK’s National Cyber Security Centre (NCSC) do not recommend requiring users to change their passwords every few months unless certain criteria are met.

“According to NIST, users tend to choose and memorize weaker passwords when they know they will have to change them in the near future. And when these changes occur, they often choose passwords that are similar to old memorized passwords by applying a set of common transformations, such as changing a number in the password. This practice provides a false sense of security because if a previous password has been compromised and you don’t replace it with a strong and unique one, attackers can easily crack it again. Also, new passwords, especially if they are created every few months, are more likely to be written down somewhere and/or forgotten, according to the NCSC. Moreover, ‘this hypothesis represents one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attacks. What appeared to be perfectly rational advice, established for a long time, does not seem to withstand a rigorous analysis of the entire system’, the NCSC claims”, the Eset article mentions.
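The "common transformations" problem described above can be checked at password-change time, when both the old and the new password are available in plaintext. The following is an added example, not code from the Eset article, NIST or the NCSC; the function names, the substitution map and the `max_edits` threshold are assumptions chosen for illustration, and the 8-64 length bound is the one quoted from CISA in this article.

```python
import re

# Assumed substitution map for undoing common character swaps (illustrative only).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def skeleton(password: str) -> str:
    """Reduce a password to the base word users tend to keep across rotations."""
    p = password.lower()
    p = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", p)   # drop leading/trailing digits and symbols
    p = p.translate(LEET)                        # undo common character substitutions
    return re.sub(r"[\d\W_]", "", p)             # drop remaining digits and separators

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trivial_variant(old: str, new: str, max_edits: int = 2) -> bool:
    """True if `new` is `old` with a changed number, suffix, case or character swap."""
    base_old, base_new = skeleton(old), skeleton(new)
    if base_old and base_old == base_new:
        return True
    return edit_distance(old.lower(), new.lower()) <= max_edits

def check_password_change(old: str, new: str) -> list[str]:
    """Return the reasons to reject `new`; an empty list means it passes these checks."""
    reasons = []
    if not 8 <= len(new) <= 64:
        reasons.append("length outside 8-64 characters")
    if is_trivial_variant(old, new):
        reasons.append("variant of previous password")
    return reasons

if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for old, new in [("Summer2023!", "Summer2024!"), ("P@ssw0rd1", "Password2"),
                     ("Summer2023!", "correct horse battery staple")]:
        print(repr(old), "->", repr(new), check_password_change(old, new))
```

A check like this only sees the immediately preceding password; it does not replace screening new passwords against known-breached lists.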

However, there are several scenarios that require changing the password, especially for the most important accounts, such as: a data security breach suffered by a third party, a weak password that is easy to guess or crack, password reuse across multiple accounts, sharing your password with another person, or signing in on a public computer (for example, in a library) or on someone else’s device.

“If you’re not using the random and strong passwords suggested by your password manager (or ESET password generator), check out this list of tips compiled by the US Cybersecurity and Infrastructure Security Agency (CISA). CISA suggests using the longest allowed password or passphrases (8-64 characters) where possible, and including upper and lower case letters, numbers and special characters. The long-term goal is that, over time, passkeys – with the support of Google, Apple, Microsoft and other major players in the technology ecosystem – will represent the end of the password era. But until then, make sure you keep your accounts as safe as possible with the tools you already have in place,” warns the expert.

Eset was founded in 1992 in Bratislava (Slovakia) and is one of the top companies offering malware content detection and analysis services, being present in over 180 countries.

The article is in Romanian
